
Surveillance Pricing Laws Came for the Grocery Store: Your Data Is the Next Aisle Over

05.21.2026

8 minute read

60+ Bills. 33 States. And They're Just Getting Started.

State legislatures are moving with remarkable speed on surveillance pricing. Over 60 pricing-related bills are currently on the table, with over 100 price transparency bills introduced across 33 states in 2025 alone. The momentum is accelerating in 2026, driven by a politically potent narrative that connects data privacy concerns to kitchen-table affordability. Crucially, this is a consumer sentiment story, not a misconduct story, and well-run operators with clean data practices are squarely in the frame alongside bad actors.

Three approaches have emerged, and one of them runs directly through compliance infrastructure your company already has.

First, and most immediately consequential for fintechs and data companies: California is moving toward enforcement under existing privacy law. California Attorney General Rob Bonta announced an investigative sweep on Data Privacy Day 2026, targeting businesses using consumer data for individualized pricing, framing the practice as a potential violation of the California Consumer Privacy Act (CCPA). Your company has almost certainly already built a CCPA compliance program. This enforcement theory runs directly through it. And because CCPA is the template for dozens of other state privacy laws, any state with a purpose-limitation provision in its privacy statute could follow the same playbook at any time.

Second: the outright bans. New York Attorney General Letitia James is backing the “One Fair Price Package,” which would prohibit personalized algorithmic pricing based on consumer data and create a private right of action. Tennessee's SB 1807 would similarly prohibit personalized algorithmic pricing, with an anticipated effective date in July 2026.

Third: the disclosure-based approaches. New York's Algorithmic Pricing Disclosure Act, enacted in November 2025, requires companies to disclose when algorithms and personal data are used to set prices, though it faces a legal challenge.

Cohort Pricing Doesn't Save You. They Thought of That.

The most important feature of the surveillance pricing bills, and the one that creates risk for companies well beyond retail, is their breadth. California's AB 446 defines surveillance pricing as “offering or setting a customized price for a good or service for a specific consumer or group of consumers, based, in whole or in part, on covered information collected through electronic surveillance technology.” The federal Stop AI Price Gouging and Wage Fixing Act defines “surveillance data” as data related to “personal information, genetic information, behavior, or biometrics of the individual or a group, band, class, or tier in which the individual belongs.”

The inclusion of “group of consumers” is not accidental. It forecloses the most obvious compliance strategy: shifting from individual-level pricing to cohort-based pricing. A company that segments consumers into behavioral clusters and prices at the segment level still violates these statutes if the segmentation derives from surveillance data like browsing history, purchase patterns, location, demographics, or inferred characteristics. A lender that segments applicants by inferred financial stress and prices loan products accordingly is doing exactly what these statutes contemplate, even if no individual-level flag is ever set.

The exemptions are narrow. Permissible pricing differences are limited to those based solely on the cost of provision, discounts offered to publicly defined groups (veterans, seniors, and students) with disclosed eligibility criteria, and loyalty programs that consumers affirmatively enroll in. Even the loyalty program exemption has strict limits: Under the federal bill, surveillance data collected through a loyalty program may be used “solely to offer or administer the discount or reward and is not used for any other purpose, including profiling, targeted advertising, or individualized price setting.”

This restriction deserves its own moment of attention. The dual use of loyalty program data (program administration on one hand and behavioral profiling and ad retargeting on the other) is not an edge case. It is standard industry practice, and in many cases, it is the primary reason those programs exist at all. The on-book value of loyalty program data assets could be materially impaired if this approach is adopted. We have seen cases where loyalty program data is worth more than the liquidation value of the company itself. If that is true of your business, this exemption is not a safe harbor. It is a direct threat to the asset.

Law Targets the Last Mile. The Enforcement Theory Covers the Whole Pipeline.

The surveillance pricing bills target the moment a price is offered. But the infrastructure that produces that price is a multi-party pipeline: raw data collection by fintechs and data aggregators, enrichment and profiling by analytics companies, model development and scoring, and price determination by the retailer or service provider. The statutes are aimed at the last step, but the enforcement theories (and, increasingly, the statutory text) reach upstream.

California's AB 2564 explicitly covers data “gathered, purchased, or otherwise acquired from a third party.” That is the entire supply chain. A fintech building consumer behavioral profiles, such as spending velocity, category-level purchase patterns, income inference, or financial stress indicators, may sell those profiles to clients who use them in pricing decisions. Under the California attorney general’s enforcement theory, the fintech is therefore a participant in the surveillance pricing ecosystem.

Here Is the Argument That Should Concern You Most.

The CCPA's purpose limitation principle restricts the use of consumer data to the purposes for which it was collected or to which the consumer consented. The theory: When a consumer connected a bank account, consented to data sharing with a financial app, or enrolled in a service, account aggregation, budgeting, and credit assessment were what they signed up for. Not a behavioral profile used to set what they pay for hotel rooms, insurance, or groceries. That is not an unreasonable expectation from a consumer. It just happens to conflict with how the data-driven economy actually functions. Under CCPA's framework, repurposing data beyond consumers' reasonable expectations is a violation regardless of whether the fintech itself sets the price. This analysis applies to four core fintech activities:

  • Selling data to a credit reporting agency that then resells it for non-Fair Credit Reporting Act (FCRA) purposes: The FCRA exemption in state privacy laws covers data used for FCRA-authorized purposes, but it does not cover downstream analytics, profiling, or data that merely transits the bureau system before being shared with third parties for non-FCRA uses.
  • Building consumer behavioral models for predictive analytics: The profiles themselves are pricing intelligence. Selling them to entities that set prices makes the model-builder part of the pricing chain full stop.
  • Fraud prevention data that doubles as profiling data: Where the same data lake feeds both fraud detection and behavioral analytics, and the two use cases are not architecturally separated, the “fraud prevention” justification cannot shield the entirety of the data processing.
  • Training data for machine learning models: When a fintech provides data to train or fine-tune someone else's model, the downstream uses are difficult to control, and “pricing optimization” is an entirely foreseeable downstream application.

Let’s Talk Enforcement. This Is Bipartisan, Which Is the Part You Should Worry About.

The political incentives driving surveillance pricing enforcement should not be underestimated. “Surveillance pricing” is a phrase that connects data privacy to the cost of living, and that combination is potent across partisan lines. You do not need to be a grocer, a hotelier, or a car dealer to receive a CCPA civil investigative demand. You need to have sold data that ended up in a pricing model.

California's attorney general has launched a formal investigative sweep targeting retail, grocery, and hospitality, but the enforcement theory, CCPA purpose limitation, is sector-agnostic and applies to any entity in the data chain. Letitia James has backed legislation with a private right of action, creating plaintiff-side litigation risk. Maryland Governor Wes Moore has made banning dynamic pricing a legislative priority. And similar purpose limitation principles exist in the privacy laws of at least 15 other states, providing a ready-made enforcement toolkit for any state attorney general, Republican or Democrat, seeking to address consumer concerns about data-driven pricing. If you are quietly assuming this is a blue-state enforcement story, stop. Republican attorneys general have exactly the same toolkit and the same constituent pressure to use it.

The combination of broad statutory definitions, narrow exemptions, upstream supply-chain exposure, and politically motivated enforcement creates a risk environment that companies in the data and analytics ecosystem must take seriously. This applies even if their products are not the ones currently in the legislative crosshairs.

What to Do Now.

1. Audit your data supply agreements for downstream pricing use cases: Review every agreement under which your data or analytics products are provided to third parties. Identify whether any downstream client uses your output in a pricing application and whether your agreements contractually permit, prohibit, or are simply silent on that use. Silence is not protection.

2. Conduct an architectural separation analysis: Map your data infrastructure to determine whether fraud and compliance data lakes share pipelines with behavioral analytics outputs. Where they do, and where those analytics could constitute pricing intelligence, architectural separation (not just policy separation) may be necessary. “We use it for fraud prevention” is not a defense if the same data simultaneously feeds a behavioral profile.

3. Stress-test your consent language: Review the disclosures and consent language your end users saw at the point of data collection. Apply the purpose limitation standard: Would a reasonable consumer, reading that language, have understood that their data could be used to determine what they pay for unrelated goods or services? If the answer is uncertain, the exposure is real.

4. Address contractual risk allocation with downstream clients: If a downstream client uses your data product in a pricing application and receives a civil investigative demand or faces private litigation, what do your data supply agreements say about indemnification, cooperation obligations, and liability caps? This is the contract negotiation that most fintech data agreements have not had yet.

5. Monitor the California attorney general’s investigative sweep: The enforcement outcomes will establish the operational meaning of “purpose limitation” in the pricing context, and they will move fast. The sweep is already underway.

6. Reassess the scope of your FCRA exemptions: Do not assume FCRA coverage is as broad as your compliance program suggests, particularly where data transits bureau infrastructure before being shared for non-FCRA analytics. The exemption covers FCRA-authorized uses, not the full downstream journey of the data.

Surveillance pricing legislation was designed to protect consumers from algorithms that know too much. The irony is that the companies who built those algorithms (and sold the data that fed them) are the ones most exposed to what comes next. The retailers are already lawyering up. The fintechs and data companies powering their pricing engines should be doing the same.