As quickly as the federal government has deregulated consumer privacy, state regulators and legislators across the United States are doubling down on consumer protection and regulating how businesses use data.
Two key developments in 2026 signal California has prioritized “surveillance pricing”—the use of consumer data to set personalized, individualized prices for goods and services. First, California’s Attorney General announced in January that existing consumer privacy laws will be applied to surveillance pricing. The following month, legislators reintroduced a bill that would ban surveillance pricing by retailers.
California Attorney General Expands CCPA to Investigate “Surveillance Pricing”
On January 28, 2025, California Attorney General Rob Bonta announced an investigative sweep focused on businesses that use consumers’ personal data to implement targeted, individualized pricing. Depending on the jurisdiction, “surveillance pricing” is also referred to as “algorithmic pricing,” “targeted pricing,” “data-driven pricing,” or “individualized pricing.” Personal information used by businesses to conduct data-driven pricing may include browsing or purchase history, location data, and demographic characteristics. Many businesses incorporate data collected from online tracking technologies such as cookies and tags to inform their individualized pricing models. Although there have been legislative attempts to regulate surveillance pricing, no California law currently regulates it directly. The AG claims that surveillance pricing without proper disclosures could violate the California Consumer Privacy Act’s “purpose limitation” principle.
As part of this new initiative, the California Department of Justice has issued inquiry letters to businesses with significant online operations in the retail, grocery, and hospitality sectors. The letters request information regarding how businesses use consumers’ shopping and internet browsing history, location, demographics, inferential, or other data to set the prices of goods or services, what consumer-facing disclosures are provided, and whether any pricing experiments have been conducted using consumer data.
“Practices like surveillance pricing may undermine consumer trust, unfairly raise prices, and when conducted without proper disclosure or beyond reasonable expectations, may violate California law,” said Attorney General Bonta. The AG’s statement claims that surveillance pricing without proper disclosures would violate the CCPA’s “purpose limitation” principle, under which the use of consumer data is limited to what is reasonably expected by consumers. This most likely refers to section 7002(b) of the California Code of Regulations, which provides that “[t]he purpose(s) for which [] personal information was collected or processed shall be consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed.” The regulations provide that a consumer’s reasonable expectations depend on the relationship between the consumer and the business, the nature of the information to be collected, the source and method of collection, and the specificity and explicitness of disclosures made to the consumer about how their information will be used.
For example, a consumer who visits a retailer’s website may reasonably expect the site to use their browsing data for product recommendations or basic site functionality. However, the AG considers that using the same browsing data to determine the price offered to a consumer would be outside the scope of that consumer’s reasonable expectations, at least “when conducted without proper disclosure.”
The AG’s statement did not clarify whether online tracking technologies used to support surveillance pricing would be subject to the CCPA’s consumer opt-out right, but did provide that “surveillance pricing practices may trigger obligations under [CCPA].” It is unclear whether the AG considers these obligations to extend beyond notice requirements to include opt-out rights. Currently, the law only requires opt-out rights for transfers of information to third parties in exchange for valuable consideration or for purposes of “cross-context behavioral advertising.” Depending on the configuration of the technology and data sharing practices, cookies and pixels that only collect information from activity on the business’s own website for purposes of determining a price would arguably not be supporting “cross-context” tracking. However, if this information were combined with information collected on the consumer from other sources to construct a pricing profile, a regulator could consider the tracking technologies to be within the scope of CCPA’s opt-out requirements.
This novel interpretation means businesses that use personal information to determine pricing should consider updating their privacy disclosures to mitigate any argument that data-driven pricing exceeded a consumer’s reasonable expectation about the use of their personal information.
California Legislature Renews Surveillance Pricing Ban
On February 20, 2026—the deadline to introduce bills before the California legislature—Assemblymember Chris Ward introduced AB 2564, which would ban “surveillance pricing” by “retailers.” AB 2564 follows the failed AB 446 from the previous legislative session, which originally sought to ban surveillance pricing for all businesses, not just retailers. AB 2564 defines surveillance pricing to mean “offering or setting a customized price for a good for a specific consumer or group of consumers, based, in whole or in part, on personally identifiable information collected through electronic surveillance technology.”
The bill in turn defines “electronic surveillance technology” to include “technological methods, systems, or tools, including, but not limited to, sensors, cameras, device tracking, or biometric monitoring, that are capable of gathering personally identifiable information about a consumer’s behavior, characteristics, location, or other personal attributes, whether in physical or digital environments.” Critically, the application to “device tracking” about “behavior” in “digital environments” permits a reading that using information collected through website cookies, tags, and other online tracking technologies for individualized pricing would be subject to AB 2564’s restriction. The bill also provides that the restrictions extend to information about consumers acquired from third parties, such as data brokers.
The bill’s definition of “retailer” is borrowed from the category under the state Revenue and Taxation Code, which broadly captures most commercial sellers of tangible personal property, subject to certain exceptions. AB 2564 also includes a “cost-justification carve-out” that permits price differences attributable to actual cost differentials in serving different consumers, such as variations in shipping, storage, or logistics costs, so long as those differences reflect genuine cost structures rather than data-driven assessments of individual willingness to pay. Loyalty programs and discounts are also permitted, as long as they are purchasable by all consumers or based on criteria that any consumer could potentially fulfill.
What Businesses Should Do Now:
In light of the Attorney General’s sweep and potential for broader legislative action, businesses should consider taking the following steps:
- Update privacy disclosures. Ensure consumer-facing privacy notices clearly disclose when and how personal information is used for individualized pricing such that a reasonable consumer would understand that their information will be used for this purpose.
- Identify technologies and data flows related to data-driven pricing. Review whether any tracking technologies—such as cookies, tags, pixels, or other tools—or transfers of personal information to third parties support individualized pricing. Assess whether these technologies and data flows should be subject to opt-out requests as “sales” or “sharing” of personal information with third parties. In the event that AB 2564 or a similar bill passes into law, retailers should be prepared to disable these tools and data flows for California residents.
- Refresh data maps and governance practices. Given the Attorney General’s broad interpretation of the CCPA’s purpose limitation principle and the rapid deployment of new AI-enabled technologies, companies should update their data maps to better understand how data is collected, used, and shared. Identified use cases should then be carefully and accurately reflected in privacy disclosures.
