What Retailers Need to Know About Surveillance Pricing
Companies that use customer data to adjust the prices shoppers see, whether online or in-store, should know that regulators are paying attention and the legal landscape is changing fast. "Surveillance pricing" — the practice of using consumers' personal data to set targeted, individualized prices for a product or service — introduces legal risks for both online and brick-and-mortar retailers.
Surveillance pricing sits at the intersection of consumer protection, privacy, artificial intelligence, and antitrust law and policy. For retailers, the compliance picture is becoming more complex by the month. Here are the updates to watch.
California Is Actively Investigating Surveillance Pricing
On Jan. 27, 2026, California Attorney General Rob Bonta announced an investigative sweep targeting companies that engage in surveillance pricing. The sweep is grounded in the California Consumer Privacy Act (CCPA), and the attorney general's office is taking the position that surveillance pricing may violate the following CCPA requirements:
- The obligation to provide transparent notice about how personal information is used.
- The rule that companies may only use personal information for purposes consistent with consumers' reasonable expectations.
According to the announcement, the retail, grocery, and hotel sectors are the main targets of the investigative sweep. As part of the sweep, the California Department of Justice is sending letters to companies requesting information about their pricing practices. This is a significant development because it represents one of the first times a regulator has used a comprehensive privacy law to go after personalized pricing.
New York Law Requires Disclosure of Pricing Algorithms
Since Nov. 10, 2025, New York's Algorithmic Pricing Disclosure Act has required companies using personalized pricing algorithms to provide clear and conspicuous notice to consumers. If an algorithm uses a customer's personal data to set the price they see, the following statement must be displayed prominently alongside the price: "THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA." Certain exceptions apply, but the mandate generally applies to any company offering goods or services to New York consumers.
New York is not alone. Across the country, state legislatures have introduced bills aimed at regulating surveillance pricing. Some would require disclosures similar to New York's law while others would ban the practice outright. Several jurisdictions have passed or are actively considering laws that target personalized pricing in specific sectors, such as groceries, event tickets, and rent-setting.
What Retailers Should Do Now
The broad and evolving interpretation of what constitutes "algorithmic pricing" means that routine price variations could draw regulatory attention. Retailers should consider the following practical steps:
- Review current pricing models and identify any variables that are tied to consumer personal data. This includes any models supported by third parties. Many retailers may not realize the extent to which third-party tools, platforms, or in-store technologies are incorporating personal data into pricing decisions on their behalf.
- Internally document the reasoning behind pricing models. Being able to clearly explain how and why prices change — and whether personal data is a factor — will be critical if a regulator comes knocking.
- Update privacy policies and consumer-facing disclosures to ensure transparency around pricing decisions and compliance with disclosure obligations in relevant jurisdictions.
- Audit any surveillance pricing tools to confirm they're operating within the set parameters. The rules in this area are changing quickly, and a compliance strategy that worked last quarter may need to be revisited today.
Retailers should keep an eye on this regulatory trend and be prepared to adjust their practices as needed to achieve and maintain compliance.
Erin Doyle is a partner in Arnall Golden Gregory LLP’s Privacy & Cybersecurity practice, where she advises organizations on rapidly evolving data privacy, cybersecurity, and consumer protection regulations. She can be reached at erin.doyle@agg.com.





