Enforcement Landscape Heightens Risk Around Surveillance Pricing in California and at the Federal Level

This alert outlines the legal risks businesses face and recommended steps to mitigate exposure.

Enforcement Focus: California AG Targets Surveillance Pricing Under the CCPA
On Data Privacy Day 2026, Attorney General Rob Bonta announced a statewide sweep examining whether companies are using consumers’ personal data—including browsing history, shopping patterns, location, demographics and inferential profiles—to determine individualized prices. The AG warned that such practices may violate the CCPA when they exceed consumers’ reasonable expectations or lack proper disclosure.

Regulators emphasized that:

• Surveillance pricing may trigger CCPA purpose‑limitation violations, which restrict processing to purposes that are “reasonably necessary and proportionate” to what consumers expect.
• Using personal data for individualized price discrimination, without clear disclosure, “may undermine consumer trust, unfairly raise prices,” and “violate California law.”
• The AG is demanding detailed documentation on how companies use personal data to set prices, including any pricing experiments, disclosures and internal policies.
• At the Fourth Annual Privacy Summit for the California Lawyers Association in Los Angeles on February 19, 2026, some regulators noted that state Unfair or Deceptive Acts or Practices statutes may apply to surveillance pricing. The California AG has brought past enforcement actions under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200 et seq.) for privacy-based violations. (See, e.g., “Attorney General Bonta Announces $93 Million Settlement Regarding Google’s Location-Privacy Practices.”)

Practical Takeaways
Companies should inventory and evaluate whether their personalized pricing models rely on processing that (i) has not been adequately disclosed, (ii) lacks a clear nexus to the original purpose of data collection, or (iii) deviates from reasonable consumer expectations.

Federal Trade Commission (FTC) Review
The FTC has also focused on surveillance pricing.

In July 2024, the FTC launched its Surveillance Pricing 6(b) study to “catalog the types of data that companies use to fuel their algorithms and where that data is sourced” and “enhance the agency’s understanding of what industries … are using these pricing technologies.” In lay terms, the FTC seeks to reveal the impacts surveillance pricing has on consumers by arming them with more information on who can track their data and how their data is tracked.

What Does This Mean for Businesses?
As noted by the FTC, Section 6(b), 15 U.S.C. Sec. 46(b), empowers the Commission to

• require an entity to file “‘annual or special … reports or answers in writing to specific questions’” to provide information about the entity’s ‘organization, business, conduct, practices, management, and relation to other corporations, partnerships, and individuals[,]” and
• “conduct wide-ranging studies that do not have a specific law-enforcement purpose” and publicize their findings if they serve a public interest, subject to trade secret and/or confidential or privileged information, under 15 U.S.C. Sec. 46(f). (Emphasis added.)

In other words, businesses could be subject to these types of investigations even if they are not suspected of doing something “illegal”—simply to educate the consumer on how their data is being used for the benefit of the business.

The Test-Run: Grocery Stores
While the FTC identified many different types of consumer-facing businesses using “surveillance data”—like apparel retailers, health and beauty retailers, home goods and furnishing stores, convenience stores, building and hardware stores, and general merchandise retailers such as department or discount stores—one industry has particular attention: grocery stores.

Two U.S. Senators, Jeff Merkley (D-OR) and Ben Ray Luján (D-NM), recently introduced the “Stop Price Gouging in Grocery Stores Act of 2026” (introduced February 12, 2026). The act seeks to “prohibit retail food stores from price gouging and engaging in surveillance-based price setting practices” and reduce use of biometric data, unless the consumers are informed in writing and the biometric data is not sold to or shared with any third party.

If violated, the Act empowers the FTC to subject the grocery store to “penalties” for “unfair or deceptive acts or practices” and “unfair methods of competition.” In addition, the state AG or private citizens may bring a civil action if the interest of the resident(s) is “threatened or adversely affected by [a] violation[.]” Monetary penalties for such a violation include the greater of either (i) the actual monetary damages incurred or (ii) $3,000 per violation. If the violation was “willful or knowing,” the court may increase the award to three times the amount otherwise available.  

Not the Only Legislation: Algorithmic Pricing and Wage-Setting Bills
Other legislation, like H.R. 4640, “Stop AI Price Gouging and Wage Fixing Act of 2025,” introduced by House Representatives Greg Casar (D-TX) and Rashida Tlaib (D-MI) in July 2025, will eliminate surveillance price and wage setting. In a price-setting context, this broadens the above grocery store bill to apply to any product- or service-based business which tailors prices based on individual consumer habits. It additionally applies to wage-setting unless the employer “can demonstrate that the automated decision system uses only data regarding the city or State where the individual worker works and the cost of living in that city or State.”

Just a few months later, in December 2025, Sen. Ruben Gallego (D-AZ) introduced S. 3387, “One Fair Price Act of 2025,” to “prohibit certain uses of automated decision systems to inform individualized prices, and for other purposes.” (Emphasis added.) Specifically, the bill concludes that air carriers—including foreign air carriers—and ticket agents shall not engage in surveillance pricing.

Overall Consequences
Surveillance-based price setting is defined broadly as the “offering, setting, or informing a customized price for an item for a specific consumer or group of consumers, based, in whole or in part, on personal information collected through electronic surveillance technology, including such information gathered, purchased, or otherwise acquired.”

• While the consumer will need to prove some “damage” to be afforded relief, a customer may argue they were damaged if, but for that unique price, they would have made the purchase, thus broadening potential exposure for businesses.
• In other words, it effectively forces the business to show that the customer was not damaged because of a unique price offered to them, based on the personal data collected.

New issues arise with purchasing applications, particularly as businesses attempt to keep up with the evolving technological landscape.

Overlapping Antitrust Risk: California’s 2026 Algorithmic Pricing Framework (AB 325)
Surveillance pricing exists alongside California’s newly enhanced antitrust regime, which directly targets common or shared pricing algorithms.

Effective January 1, 2026, AB 325 amended California’s antitrust statute, the Cartwright Act, to provide that:

• It is unlawful to use or distribute a “common pricing algorithm” as part of a contract, combination or conspiracy to restrain trade.
• It is unlawful to coerce another firm into adopting algorithm‑recommended prices or commercial terms.
• A “common pricing algorithm” includes any tool used by two or more firms that uses competitor data to recommend, align, stabilize or otherwise influence pricing.

(For more information, see our prior article and client alert: “How Calif. Law Cracks Down On Algorithmic Price-Fixing,” Law360, and “California Establishes New Criminal and Civil Liability Targeting Shared Pricing Algorithms and ‘Coercion.’”)

Relevance to Surveillance Pricing
Antitrust risk is highest when pricing tools make it easier for competitors to move prices in the same direction, especially when they rely on shared vendors, pooled data or other features that reduce independent pricing decisions. Although AB 325 focuses on the use or distribution of “competitor data,” the broader enforcement concerns overlap with surveillance pricing:

• Both practices rely on broad, algorithmically driven data processing.
• Both may reduce competition or produce discriminatory outcomes.
• Both can violate California law even without written/explicit agreement or consumer awareness.

Companies that use vendor‑supplied pricing tools—particularly those involving pooled datasets—should assess whether their systems implicate the Cartwright Act as amended by AB 325.

Pending Legislation: AB 446 Would Explicitly Ban Surveillance Pricing
Although not yet enacted, AB 446 would impose a categorical ban on surveillance pricing, defining it as:

Offering or setting a customized price increase for a good or service for a specific consumer or group of consumers based, in whole or in part, on personally identifiable information collected through electronic surveillance technology.

If adopted in 2026, AB 446 would:

• prohibit individualized pricing based on surveillance‑derived personal information;
• authorize civil penalties, injunctive relief and attorneys’ fees;
• declare waivers of the statute void as against public policy; and
• create a private right of action for injunctive relief.

While the bill remains under debate, its existence further reinforces the direction of California policymaking.

Compliance Implications for 2026 
These recent efforts by the California AG, FTC and legislation in Congress and the California Legislature underscore the increased scrutiny for the use of surveillance pricing and related tools.

Clients—particularly those operating in California—should reassess their pricing, data and algorithmic practices with the following risks in mind:

• CCPA Exposure. Surveillance pricing may violate:

• purpose-limitation standards, which limit how businesses use personal information to align with the uses reasonably expected by consumers;^[1]
• transparency and notice duties, which require businesses to explain what data they collect, how they use it and whether it is disclosed;^[2]
• restrictions on secondary use of personal data; and
• rules governing “sale” or “sharing” of personal information, which require businesses to give consumers a way to opt out of certain disclosures of their personal information to third parties.
• Antitrust Exposure. Inventory pricing systems that involve:

• shared algorithms,
• pooled datasets, and
• competitor‑derived data, which can pose heightened risk under the Cartwright Act and AB 325’s new provisions.

These features can raise risk when they make it easier for competing companies to use the same inputs or follow similar pricing recommendations, rather than setting prices independently. (For an overview of these concepts, how they can arise in vendor pricing tools and the risks involved, see Pillsbury’s prior coverage, “California’s Aggressive State Antitrust Enforcement Efforts Continue to Grow”; “New California Law Cracks Down on Algorithmic Price Fixing”; and “California Toughens Penalties for Cartwright Act Violations.”)

Recommended Risk‑Mitigation Actions

• Conduct a Pricing Algorithm Audit. Identify how personal data feeds into pricing, whether it is disclosed to consumers, and whether consumer expectations align with actual use.
• Revise Privacy Notices and Disclosures. Ensure explicit disclosure of any reliance on personalized or algorithmically determined pricing.
• Establish Clear Purpose‑Limitation Controls. Evaluate whether data processing tied to pricing is “reasonably necessary and proportionate” under CCPA standards.
• Isolate or Remove Competitor‑Derived Data. Avoid pooling data from multiple market actors that could trigger Cartwright Act liability.
• Assess Vendor Tools for Shared‑Algorithm Risks. Review contracts, data flows and whether algorithmic tools are used by multiple competitors.
• Prepare for Regulatory Inquiries. Maintain internal documentation on pricing logic, data sources and consumer notice frameworks.

Conclusion
California, among other enforcers, has entered 2026 with a dual‑front enforcement strategy: privacy regulators (such as California AG and California Privacy Protection Agency (CalPrivacy)) targeting surveillance‑based individualized pricing, and antitrust regulators targeting algorithmic tools that may coordinate pricing. Companies operating in California should expect increased scrutiny, expand compliance controls and prepare for investigations into how personal information and algorithmic systems influence price setting.

^{[1]   For example, Cal. Civil Code § 1798.100(c): “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”}

^{[2]   See, e.g., Cal. Civ. Code § 1798.100(b) (notice at collection); id. § 1798.130(a)(5) (privacy policy).}