A price should be universal. You walk into a store, you see a number, and that number is the same number your neighbor sees, your coworker sees, the person behind you in line sees. That principle — arguably one of the foundational assumptions of modern consumer commerce — is now under active legislative protection in New York, and the implications reach far beyond Albany.
On June 5, 2026, the New York State Legislature passed a bill prohibiting businesses from using personal data to algorithmically set individualized prices for customers. The practice, known as surveillance pricing or dynamic personalized pricing, involves feeding consumer data — purchase history, location, browsing behavior, device type, and more — into pricing algorithms that determine the maximum a specific person will pay and charge them accordingly. Governor Kathy Hochul has until the end of 2026 to sign or veto the bill.
If she signs it, New York becomes the first state in the country to explicitly ban the practice. And if history is any guide — California’s CCPA in 2018, Vermont’s data broker law that same year, Colorado’s AI Act in 2021 — what New York does first, a dozen other states do within two to three legislative cycles.
This is not a niche consumer protection story. It is a significant moment in the emerging regulatory framework governing how algorithms interact with personal data in commercial contexts, and every business that touches consumer data in the pricing process needs to understand what just happened and what is likely coming next.
What Does the New York Surveillance Pricing Bill Actually Prohibit?
The bill targets a specific and increasingly common commercial practice: using an individual consumer’s personal data as an input in a pricing algorithm that produces a price tailored to that individual. The core prohibition is not on dynamic pricing broadly — prices can still fluctuate based on supply, demand, time of day, or market conditions. What the bill prohibits is the use of personal data to determine what a specific person is willing to pay and then charging that person accordingly.
The practical distinction matters enormously for compliance purposes:
- Permitted: Prices that change based on market conditions, inventory levels, time-based demand, or geographic region as a whole
- Permitted: Loyalty program discounts where a customer affirmatively enrolls and receives discounts based on their own purchase history — provided no additional personal data categories are used
- Permitted: Credit assessment by financial institutions evaluating loan terms based on creditworthiness
- Prohibited: Using behavioral data, location data, device data, browsing history, demographic inferences, or any other personal data to identify the maximum a given consumer will pay and setting a price accordingly
- Prohibited: Using personal data to trigger a targeted discount after a consumer places an item in a cart — the “abandoned cart” dynamic pricing scenario is explicitly addressed
The enforcement authority rests with the New York Attorney General’s office, which was a primary driver of the legislation. The penalty structure is graduated: a first violation carries a fine of up to $5,000 plus restitution to affected consumers; each subsequent violation carries a penalty of up to $20,000. Given that surveillance pricing operates at scale — potentially millions of individualized pricing decisions per day — the exposure for a non-compliant business is not theoretical.
Insurance companies are exempted from the bill’s coverage. Banks retain the ability to assess credit before extending loan terms or financial products.
The Loyalty Program Question: Where the Compliance Line Gets Complicated
The most contested compliance territory in the bill’s text involves loyalty programs, and the tension between the legislature’s intent and the business community’s concerns is genuinely worth examining rather than dismissing.
The bill permits loyalty discounts when a customer affirmatively enrolls in a program and receives discounts based on their own past purchase history — and when no other personal data is used. The AG’s office has stated that “just for you” coupons based on frequently purchased items would be permitted under this framework.
Business groups, including the Food Industry Alliance of New York State and the Business Council — the state’s largest business lobby — argue the bill’s requirement that discounts be offered “uniformly” to all eligible customers creates ambiguity that could effectively end personalized loyalty programs as currently designed. Their concern is not hypothetical: most modern loyalty programs layer behavioral inference on top of purchase history, using data signals beyond what a customer has directly purchased to generate personalized offers.
The compliance implication for businesses operating loyalty programs is clear: any program that uses data inputs beyond direct, affirmatively enrolled purchase history to generate individualized pricing or discounts is at risk under this bill’s framework. The question of whether a given loyalty architecture crosses that line is one that will almost certainly be answered first through AG enforcement guidance and ultimately through litigation.
For compliance officers and privacy counsel advising retail, e-commerce, and subscription businesses, the near-term action item is a loyalty program data audit: map every data input that feeds into your pricing and discount logic, identify which inputs constitute “personal data” under New York’s definition, and assess whether those inputs are confined to affirmatively enrolled purchase history or extend beyond it.
The Bill That Didn’t Pass: Electronic Shelf Labels and What Their Defeat Tells Us
The surveillance pricing bill was not the only data-adjacent legislation moving through Albany in this session. A companion bill that would have banned electronic shelf labels (ESLs) — the small digital displays replacing traditional paper price tags on grocery store shelves — passed the Senate twice but never received an Assembly vote, effectively dying for the session.
The ESL bill’s failure is instructive for understanding both the political limits of the current regulatory moment and the direction of future legislation.
Electronic shelf labels are in active use at major retail chains including Walmart and Aldi. They allow stores to update prices instantly across an entire store floor without the labor cost of manually reprinting and replacing paper tags. Labor unions — particularly the United Food and Commercial Workers International Union — pushed hard for the ban, arguing on two grounds: that ESLs enable instant price changes that facilitate surveillance pricing in practice, and that the technology displaces union workers whose jobs involve managing physical shelf labels.
Retailers and business groups pushed back with equal force, parking a truck outside the state Capitol with a digital billboard comparing paper price tags to carrier pigeons and telegraphs. Their core argument: ESLs are a logistical efficiency tool, not a pricing manipulation tool, and banning them would impose significant operational costs without meaningful consumer protection benefit.
The Assembly’s decision not to vote on the ESL bill reflects a deliberate choice to separate the two issues — and that separation is significant. The legislature decided that the harm it was willing to act on in 2026 is the use of personal data in pricing algorithms, not the underlying technology of how prices are displayed. ESLs without personal data inputs are, under this legislative logic, a neutral tool. ESLs connected to a surveillance pricing system would be implicated by the bill that did pass.
For the businesses that sell and deploy ESL technology, this outcome is a partial reprieve — but the Senate passing the ESL ban twice signals that the issue has not been resolved, only deferred. A future session, particularly one following any high-profile incident of rapid price changes timed to consumer demand spikes, could revisit the question with more political momentum.
Why New York Is the Bellwether That Matters
State privacy and consumer protection legislation does not spread uniformly. It spreads through bellwether states — states with large economies, active legislative environments, and AGs willing to enforce — whose laws become the practical compliance standard that national businesses adopt, which in turn normalizes the framework for subsequent state legislation.
California plays this role in data privacy. New York plays this role in financial regulation, consumer protection, and increasingly in data governance. The state’s size — the fourth-largest economy in the country — means that a law applying to businesses operating in New York effectively applies to most businesses of national scale. The compliance infrastructure built for New York becomes, by default, the national baseline.
The surveillance pricing bill fits a clear pattern of emerging algorithmic accountability legislation that has been building across multiple states and at the federal level:
- Colorado SB 205 (2021): Required insurers to audit algorithms for proxy discrimination — one of the first algorithmic accountability laws in the country
- California’s CPRA automated decision-making regulations: The California Privacy Protection Agency’s ADMT (automated decision-making technology) rules, finalized in 2025, require businesses to provide opt-out rights for certain profiling and automated decisions affecting consumers, including price-affecting decisions
- FTC surveillance pricing inquiry (2024): The Federal Trade Commission issued orders to eight major retailers and pricing algorithm firms demanding information about their surveillance pricing practices — a clear signal of federal enforcement interest even absent a federal law
- EU AI Act (2024): The European Union’s AI Act classifies certain high-impact algorithmic systems, including those affecting individual pricing in ways that exploit personal characteristics, as high-risk systems subject to conformity assessments
New York’s bill, if signed, does not exist in isolation. It is the most direct statutory prohibition in the United States so far, and it will function as a drafting template for legislation in states that follow. The penalty structure, the loyalty program carve-out framework, the exemption categories — all of these will be copied, modified, and debated in other state capitals as the issue spreads.
Which States Are Most Likely to Follow New York?
Based on current legislative activity and the pattern of privacy and algorithmic accountability law adoption, the states most likely to introduce surveillance pricing legislation in 2027–2028 sessions include:
- California: The CPPA’s ADMT regulations already create adjacent obligations. A standalone surveillance pricing statute modeled on New York’s bill would fit naturally into California’s existing privacy infrastructure and has obvious political support in Sacramento.
- Illinois: Illinois has the most aggressive consumer biometric privacy law in the country (BIPA) and an AG’s office with a demonstrated appetite for technology-related enforcement. Algorithmic pricing legislation would be consistent with Illinois’s regulatory posture.
- Washington: Washington’s My Health My Data Act (2023) demonstrated the state’s willingness to regulate novel data uses aggressively. A surveillance pricing bill would fit the same legislative logic.
- Massachusetts: Massachusetts has repeatedly introduced comprehensive privacy legislation; algorithmic pricing is a natural addition to that agenda.
- Minnesota: Minnesota enacted a comprehensive consumer data privacy law in 2024 and has an active consumer protection enforcement environment.
Federal legislation is a longer shot in the current political environment, but the FTC’s 2024 inquiry into surveillance pricing means the administrative enforcement groundwork exists regardless of whether Congress acts.
Don’t Surveil… Stay Compliant
Whether the New York bill is signed into law or not, the regulatory trajectory is clear enough that waiting for final enactment to begin compliance preparation is the wrong posture. The businesses most at risk are those that have integrated personal data — whether sourced internally or purchased from data brokers — into any system that produces individualized pricing outputs.
Step 1: Audit Your Pricing Architecture
Map every input that feeds into your pricing logic. Separate inputs that constitute market-level signals (supply, demand, time, geography as a general factor) from inputs that constitute individual-level personal data signals (purchase history, behavioral inferences, location at the individual level, device type, demographic inferences). If personal data inputs exist in your pricing stack, you have a surveillance pricing exposure.
Step 2: Audit Your Loyalty Program Data Flows
Identify every data type used to generate personalized discounts or offers within your loyalty program. Confirm whether your program requires affirmative consumer enrollment. Confirm whether discount generation relies solely on the enrolled consumer’s own purchase history or pulls in additional personal data signals. Document the legal basis for each data input.
Step 3: Review Your Data Broker and Third-Party Data Relationships
Surveillance pricing systems frequently rely on data purchased from data brokers to enrich individual consumer profiles. If your pricing or discount systems ingest third-party data about individual consumers, those data flows need to be evaluated both under this bill and under the growing patchwork of state data broker laws. Purchasing personal data from a broker and feeding it into a pricing algorithm is precisely the use case this legislation is designed to capture.
Step 4: Assess Your AG Exposure
The New York AG’s office is the enforcement authority and was a primary advocate for this bill — which means enforcement is not a hypothetical. Businesses with significant New York consumer bases should assess their current pricing practices against the bill’s framework and document their compliance analysis before the law takes effect.
Step 5: Monitor Other State Legislatures
Set up monitoring for surveillance pricing legislation in California, Illinois, Washington, Massachusetts, and Minnesota. The drafting templates are now available; the legislative cycles in these states are predictable. A compliance program built for New York can be adapted for subsequent states at significantly lower cost than building from scratch under enforcement pressure.
Algorithmic Accountability Is the Next Privacy Frontier
Surveillance pricing legislation is one expression of a broader legislative trend that privacy professionals need to track as its own distinct regulatory category: algorithmic accountability. The question these laws are asking is not just “what data did you collect?” — the core question of first-generation privacy regulation — but “what did the algorithm do with that data, and was it fair?”
That question has enormous implications for businesses that have built commercial infrastructure on the assumption that algorithmic outputs are commercially neutral as long as the underlying data collection was disclosed. New York’s bill challenges that assumption directly: the disclosure that you collect data does not, under this framework, authorize you to use that data to extract maximum individual prices from consumers who never understood that was what consent meant.
The compliance professional’s job in this environment is not just to ensure data is collected lawfully and stored securely. It is to ensure that the downstream algorithmic uses of that data are mapped, documented, and defensible against an increasingly specific set of statutory prohibitions. Surveillance pricing is the first major category to receive that treatment. It will not be the last.
Captain Compliance helps businesses navigate the full stack of data governance obligations — from data broker registration and consumer rights compliance to algorithmic accountability and AI governance. If your pricing, loyalty, or recommendation systems involve personal data, our team can help you assess your exposure before regulators do it for you.