Dynamic Pricing in the Crosshairs: California Launches Sweep; New York’s Algorithmic Pricing Disclosure in Effect

Recent state regulatory activity on surveillance pricing for consumer goods creates a heightened urgency for businesses engaged in algorithmic pricing based on consumer’s personal data. Companies considering deploying or currently engaged in surveillance pricing should review their data collection and processes for compliance with both privacy and consumer protection regulations immediately.

California’s Department of Justice Launches Sweep on Surveillance Pricing

California’s Attorney General, Rob Bonta, announced on Jan. 27¹ the launch of a surveillance pricing sweep focused on the practice of charging different prices to consumers online based on targeted data. The stated concern is the possibility that surveillance pricing may violate California’s Consumer Privacy Act (CCPA) by using consumer data in a manner that exceeds purposes consistent with a consumer’s reasonable expectations. Based on the announcement, the California Department of Justice appears to be initially concentrating on the grocery, travel, and retail sectors.

California’s enforcement sweep follows New York’s enactment of the nation’s first algorithmic pricing disclosure law. Together, these developments signal that state regulators are moving swiftly to address surveillance pricing through both disclosure mandates and direct enforcement action.

New York Algorithmic Pricing Disclosure Act: Clear Disclosures Mandated

New York’s Algorithmic Pricing Disclosure Act (the Act) took effect on Nov. 10, 2025, requiring businesses that use consumer’s personal data to set prices via algorithms to provide a clear disclosure to consumers.

Key Requirements

The Act requires non-exempt businesses to display a conspicuous statement at or near the price offered that informs consumers when the price shown to them has been set by an algorithm using their personal data. The Act requires the disclosure to read, “This price was set by an algorithm using your personal data.” The Act defines “personal data” broadly to include any data that identifies or could reasonably be linked to a specific consumer or device. Civil penalties can reach up to $1,000 per violation.

Unlike New York’s Deceptive Acts and Practices Law, codified at N.Y. Gen. Bus. Law § 349, the Act does not feature a private right of action but is enforceable by the Attorney General, who must first issue a cease‑and‑desist letter and provide a cure period. The Act does not require proof of consumer injury and does not expressly limit other civil or criminal liability, potentially enabling additional consumer protection claims. The Attorney General has urged consumers to report suspected violations.²

Carve-outs and Penalties

The Act includes some carve-outs, including for insurers, certain financial institutions subject to federal privacy laws, and subscription‑based pricing that offers lower prices to existing customers. Additionally, certain ride-share fares calculated solely using standardized trip factors (e.g., mileage and trip duration) may fall outside the disclosure requirement.

Anticipated Regulatory Trends

New York’s Act is the first of its kind in the United States. Other states, including California, Colorado, Illinois, and Minnesota, have introduced similar bills that are still under legislative consideration. Sen. Kirsten Gillibrand of New York has introduced a bill to ban dynamic pricing federally.³ With other states considering similar measures, businesses using personalized pricing should prepare for a patchwork of disclosure regimes and evolving enforcement risk.

Notably, in 2024 the FTC conducted a survey of eight companies’ practices regarding surveillance pricing. Public comment on these practices closed in 2025, and it is possible the FTC will take further action on surveillance pricing in 2026.

Practical Steps for Businesses

Businesses that dynamically or individually set prices using algorithms informed by personal data should map pricing models, document variables and data inputs, and determine whether their practices trigger the disclosure obligation. Where applicable, these businesses should implement clear, conspicuous disclosures at or near each personalized price presentation, align checkout and mobile flows accordingly, and maintain records substantiating representations about how prices are generated. Companies should confirm that consumer data informing algorithms is legally sourced with permissions where necessary. Companies should assess exemptions thoughtfully and monitor enforcement posture and guidance from regulators.

Typically, regulatory sweeps are initiated by sending inquiry letters with a 30‑day response deadline. Surveillance pricing reviews, however, are particularly data‑intensive and often require significant time to investigate and respond to thoughtfully.

For questions or assistance with determining whether your business may be required to make a disclosure pursuant to law, please contact the authors of this article.

¹ See https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-focuses-surveillance-pricing-compliance.
² See https://ag.ny.gov/press-release/2025/attorney-general-james-warns-new-yorkers-about-algorithmic-pricing-new-law-takes.
³ See https://www.gillibrand.senate.gov/news/press/release/gillibrand-introduces-bill-to-crack-down-on-surveillance-pricing/.