On January 27, 2026, California Attorney General Rob Bonta used Data Privacy Day to spotlight emerging concerns about how businesses use consumer data — in particular, whether personal information is being leveraged to set individualized prices for goods and services and whether companies are complying with the California Consumer Privacy Act (CCPA). The announcement marks an important moment in the continued evolution of privacy enforcement in the state, underscoring both the breadth of the CCPA’s scope and the Attorney General’s commitment to holding companies accountable for data practices that may surprise or disadvantage consumers.
Surveillance Pricing Under Scrutiny
Attorney General Bonta’s office has initiated an investigative sweep focused on business practices commonly described as “surveillance pricing.” Under this model, companies use data such as consumers’ browsing histories, location information, demographic attributes, or other inferences drawn from digital interactions to set individualized prices for products or services. The concern is that consumers purchasing the same item at the same time from the same business could be offered different prices based on their personal data — a dynamic that has drawn both regulatory scrutiny and academic attention.
The Department of Justice’s press release explains that Californians have a right to understand how their personal information is being used, including whether businesses are using that data to influence pricing decisions. If such practices are conducted without proper disclosure or outside consumers’ reasonable expectations, they may run afoul of California law.
CCPA’s Purpose Limitation and Consumer Expectations
At the center of the Attorney General’s statement is the CCPA’s purpose limitation principle. Under the CCPA, businesses that collect personal information from California residents must use it only for purposes that are consistent with what consumers would reasonably expect based on the business’s disclosures and practices.
Personalized pricing using data in ways not transparently disclosed prior to collection may fall outside those expectations. For example, if a retailer’s privacy policy states that data will be used to improve customer service but does not disclose its use for tailored pricing analytics, consumers might have grounds to challenge that use under the CCPA. This reflects a broader enforcement trend in both state and federal privacy law, where regulators are emphasizing transparency and the alignment of data uses with disclosed purposes.
Industry Focus and Information Requests
The letters sent by the California Department of Justice are targeting businesses with a substantial online presence in several sectors, including retail, grocery, and hotel services. These sectors often collect large amounts of personal data through mobile apps, websites, loyalty programs, and online browsing behavior — making them natural candidates for both surveillance pricing systems and CCPA compliance reviews. The request for information that accompanied these letters is multifaceted. It asks companies to disclose:
- How consumer personal information is used to determine prices.
- Public disclosures and internal policies regarding individualized pricing.
- Any experiments or tests involving data-driven pricing algorithms.
- Measures taken to align pricing practices with competition law, algorithmic fairness, and civil rights safeguards.
This line of inquiry reflects a broader enforcement philosophy in California: privacy rights must be meaningful, understandable, and not subject to hidden technical implementations that consumers cannot easily detect or challenge.
Consumer Trust and Transparency
In announcing the sweep, Attorney General Bonta emphasized the connection between data practices and consumer trust. “Practices like surveillance pricing may undermine consumer trust, unfairly raise prices, and when conducted without proper disclosure or beyond reasonable expectations, may violate California law,” he stated.
This focus on trust aligns with the evolving enforcement landscape in privacy law. Beyond mere regulatory compliance, enforcement now increasingly considers how data practices affect consumer perceptions of fairness and transparency. Surveillance pricing, by its nature, operates behind the scenes and can be invisible to consumers unless explicitly disclosed — a factor that concerns privacy advocates and regulators alike.
CCPA Enforcement History and Broader Context
While this announcement is timely, it fits within a broader series of enforcement actions by the Attorney General’s office involving the California Consumer Privacy Act. For example, prior investigative sweeps under Bonta’s tenure have focused on privacy compliance of mobile applications, location data industries, loyalty programs, and online tracking mechanisms that affect opt-out rights.
In recent years, settlements announced by the California Attorney General have addressed a range of compliance issues. These include violations related to failure to honor opt-out requests across mobile gaming apps and improper use of tracking technologies on health information websites. These actions demonstrate sustained attention to how actual business practices measure up against statutory requirements.
Surveillance Pricing in Industry and Regulatory Debate
Concerns about surveillance pricing are not unique to California. Federal regulators, such as the Federal Trade Commission (FTC), have in the past sought information about how retailers use data to set prices, highlighting similar issues around transparency and fairness. News reports on grocery delivery platforms have shown significant price variations for the same products among different users, drawing public attention to pricing algorithms and their potential to disadvantage certain consumer groups.
The California inquiry thus reflects both a national trend and a State policy interest in ensuring that data-driven business models do not produce hidden, discriminatory, or opaque outcomes that violate consumers’ privacy rights or reasonable expectations.
What Businesses Should Do
Businesses subject to the CCPA — which applies to many companies that collect or process personal information for commercial purposes — should take this announcement as a signal to review and, if necessary, strengthen their compliance programs.
At a minimum, companies should:
- Ensure privacy notices accurately and comprehensively disclose all categories of personal information collected, and all purposes for which that information is used.
- Review algorithmic pricing systems to determine whether they rely on consumer data in ways that are inconsistent with disclosures or consumer expectations.
- Document internal policies and decision-making about pricing strategies, including assessments of whether those strategies implicate privacy obligations.
- Be prepared to respond to regulatory inquiries with transparent, well-organized evidence of compliance.
Attorney General Bonta’s Data Privacy Day announcement
Attorney General Bonta’s Data Privacy Day announcement underscores California’s continued leadership in privacy enforcement. By focusing on surveillance pricing and CCPA compliance, the Department of Justice is signaling that privacy law enforcement will extend beyond more traditional domains — such as data breaches or opt-out mechanics — into areas where data use intersects with consumer financial outcomes and fairness.
As privacy law enforcement becomes more sophisticated, businesses will need to match that sophistication in their compliance programs, ensuring not only legal adherence but transparent practices that align with consumer expectations and statutory principles.
