On January 28, 2026, coinciding with California’s annual “Data Privacy Day,” California Attorney General Rob Bonta announced a new investigative sweep focused on businesses that use consumers’ personal information to set targeted, individualized prices (“surveillance pricing”). The California Department of Justice is issuing letters to prominent companies in the retail, grocery, and hotel sectors seeking detailed information on how consumer data is leveraged to determine pricing.
Surveillance pricing occurs when businesses use personal data, such as shopping and browsing history, demographics, location, or other inferential data, to set unique prices for goods or services for individual consumers. This can result in different consumers being offered different prices for the same product at the same time, often without disclosure.
Bonta cautioned that surveillance pricing, when conducted without proper disclosure or in ways beyond reasonable consumer expectations, may violate the California Consumer Privacy Act (CCPA) under its “purpose limitation” principle. The law limits the use of personal information to purposes consistent with consumers’ reasonable expectations. Practices that involve undisclosed or unexpected repurposing of consumer data may trigger enforcement.
The AG’s inquiry letters seek:
Prior CCPA enforcement sweeps have resulted in settlements arising from data practices, including with Sephora and Healthline Media. More generally, these actions underscore the state’s ongoing focus on evolving data-driven business practices across multiple industries.
Although the current sweep is centered on surveillance pricing in retail, grocery, and hospitality, the AG’s public statements make clear that enforcement is driven by the nature of the data use, not the sector. The CCPA’s purpose-limitation and reasonable-expectations principles have been construed to apply broadly, and other uses of personal information that significantly influence economic terms for consumers, including practices like differential discounts or subscription tiers that are outside traditional “pricing,” could come under scrutiny.
For technology providers and digital platforms, this could include certain monetization models or product configurations that rely on behavioral or inferred data to vary offers, terms, or access. The sweep therefore suggests that California may continue to extend its enforcement focus to diverse, data-driven practices across industries.
While U.S. regulators have not yet brought a major enforcement action against surveillance pricing practices, the California AG’s recent sweep signals the first step in what may culminate in enforcements. State AG enforcement often follows a clear pattern: regulators first study and warn, then impose disclosure mandates, and finally attach financial penalties once the practice is normalized as unlawful.
Beyond California, New York recently launched the New York Algorithmic Pricing Disclosure Act (effective November 2025). New York is the first U.S. jurisdiction to directly attach civil penalties to surveillance pricing, which are up to $1,000 per violation. This is the first U.S. law where financial penalties attach directly to data-driven pricing practices, not just data collection. New York’s law does not require proof of consumer harm. The law mandates that any price determined by an algorithm must include the following disclosure: “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.”