On Tuesday, Maryland Governor Wes Moore signed the Protection From Predatory Pricing Act (HB 895) into law, making Maryland the first US state to prohibit surveillance-based dynamic pricing in grocery stores. The local press has covered it as a consumer-affordability story — AARP applauding, Senate Republicans calling it a solution in search of a problem, debate about whether grocery chains are even doing the practice yet.
That framing misses what the bill actually is. The Protection From Predatory Pricing Act is a privacy regulation written in the language of commerce. Its operative mechanism is restricting how retailers can use personal information to set prices, not what prices they can set. It lands in a year when the FTC has spent eighteen months investigating “surveillance pricing” practices nationally, when Maryland has been the most active state in the country on commercial-data restrictions, and when the line between “personalized retail experience” and “differential pricing based on personal data” has become legally consequential for the first time.
For privacy and compliance professionals, this is a meaningful development worth understanding in some depth — not because most readers run a grocery chain, but because the legal architecture Maryland has just established is going to spread.
What the Law Actually Does
The Protection From Predatory Pricing Act prohibits grocery retailers operating in Maryland from using a consumer’s personal information to set or adjust the price the consumer is charged in real time. The statutory framing — “surveillance-based” dynamic pricing — is deliberate, and it draws a line that retailers and their compliance teams need to read carefully.
What the law does not prohibit:
- Generally applicable pricing changes that affect all consumers equally, including time-of-day pricing, day-of-week pricing, or pricing changes driven by supply, demand, weather, or inventory.
- Posted promotional pricing, member-tier pricing, or coupon-based discounts available to any consumer who meets the disclosed criteria.
- Loyalty program discounts that apply uniformly to enrolled members.
What the law does prohibit:
- Adjusting an individual consumer’s price in real time based on personal information collected about that consumer, whether through loyalty programs, mobile apps, geolocation tracking, browsing history, demographic inference, payment-method profiling, or any other surveillance mechanism.
- Using machine-learning or algorithmic systems that ingest personal information to produce per-consumer prices.
- Combining first-party customer data with third-party data sources to derive prices that vary across consumers receiving the same goods at the same store at the same time.
The legal mechanism is privacy: the law restricts what kinds of personal-information-derived inputs may flow into the pricing engine. It is not an anti-discrimination law in the traditional protected-class sense, although it touches that area. It is not a price-control law in the rate-regulation sense. It sits in a third category that did not really exist in US state legislation until this week.
Why “Surveillance Pricing” Became a Privacy Issue
The phrase “surveillance pricing” entered the regulatory vocabulary in July 2024, when the Federal Trade Commission issued Section 6(b) orders to eight companies — including Mastercard, Revionics, Bloomreach, JPMorgan Chase, Task Software, PROS, Accenture, and McKinsey — directing them to disclose how their products and services enable retailers to adjust prices based on consumer data. The FTC’s January 2025 staff perspective described the practice as one in which “consumers may be paying more or less for the exact same product based on intimate details of their lives.”
Three structural concerns drove that investigation, and they map directly onto Maryland’s law.
First, the data inputs. Modern surveillance pricing systems can ingest hundreds of data points per consumer, including precise geolocation, dwell time on product pages, prior purchase history, household composition inferences, payment instrument metadata, and signals derived from third-party data brokers. Each input is, by itself, a relatively ordinary data flow. The combination is a profile sufficient to produce per-consumer prices.
Second, the inference layer. The data does not have to be sensitive on its face to produce sensitive outcomes. A model that uses neutral inputs to infer price sensitivity will, in practice, infer it disproportionately along correlated lines — income, age, neighborhood demographics, household needs. The output is differential pricing that tracks protected-class characteristics without ever requiring the model to ingest a protected-class variable. This is the same algorithmic-discrimination problem that has been litigated in lending, insurance, and employment, now applied to retail pricing.
Third, the consumer’s inability to detect or contest the pricing. Unlike a posted price, a surveilled price is invisible to the consumer in the comparative sense. A shopper does not see what the next person paid. They see only the price they themselves were quoted, with no way to evaluate whether it reflects market conditions or reflects a model’s read on them.
Maryland’s bill — and the FTC’s investigation — treats these three structural concerns as fundamentally a privacy problem. The proposed remedy is not to require disclosure of the pricing model (the disclosure-based approach the airline and hotel industries have lived with for decades) but to restrict the personal-information inputs the model is permitted to use.
This Is the Maryland Pattern
The Protection From Predatory Pricing Act is not Maryland’s only recent move in this direction. Earlier in April, Maryland enacted HB 711, which expands the state’s consumer privacy law to treat inferred sensitive data as sensitive personal information regardless of how it was derived. Together, the two laws represent a state regulatory posture that is significantly more aggressive than the Virginia-template state privacy laws elsewhere in the country.
The thread connecting them is Maryland’s willingness to regulate commercial uses of personal data inferences, not just commercial collection of personal data. HB 711 says that if you use personal information to infer something sensitive about a person, you are subject to the same restrictions as if you had collected the sensitive attribute directly. HB 895 says that if you use personal information to infer something about a person’s price sensitivity, you may not use that inference to set their grocery bill in real time.
This is the same regulatory move applied to two different commercial domains. And once a state has shown a willingness to draw that line in one domain, it is structurally easier to draw it in the next one.
What might come next from Maryland or from states following the Maryland model:
- Surveillance-based dynamic pricing in retail more broadly (apparel, electronics, online marketplaces).
- Surveillance-based dynamic pricing in transportation (ride-share, delivery, public-transit-adjacent services).
- Surveillance-based premium-setting in insurance products that already operate near the line of permissible underwriting.
- Surveillance-based interest-rate or fee-setting in consumer financial services.
Each of these domains has industry-specific complications — Robinson-Patman in retail, state insurance commissioners in insurance, the CFPB and federal banking regulators in finance — but Maryland has supplied a legal template that can be adapted.
The Federal Picture
A short note on the federal context, because it shapes how this all plays out.
The FTC’s surveillance pricing investigation is open and active. Whether it produces formal enforcement, rulemaking, or referral to Congress will depend on factors well beyond the scope of this article. What is clear is that the federal government has not preempted state action in this area, and the state-by-state regulatory pathway is the active one. Maryland is the first to legislate. Others — California’s privacy agency has flagged surveillance pricing in its enforcement priorities, and Washington’s Attorney General has expressed concern publicly — are positioned to follow.
There is a separate antitrust and Robinson-Patman Act conversation about whether differential pricing in retail violates federal price-discrimination rules. Robinson-Patman has been largely dormant for decades, but the FTC has signaled renewed interest. None of this preempts Maryland’s law; it operates in parallel.
The constitutional questions around HB 895 are real but limited. A First Amendment commercial speech challenge is possible but unlikely to succeed against a regulation of the input data rather than the output speech. A dormant Commerce Clause challenge is possible against any state law affecting interstate commerce, but the law’s grocery-store scope makes that argument harder. A federal preemption argument exists in principle but has no clear federal vehicle to attach to. Litigation will come; it is unlikely to slow the law’s August 1, 2026 effective date.
What Compliance Teams at Affected Retailers Should Do
The law applies to grocery retailers operating in Maryland. The immediate compliance population is small. The strategic compliance population — every retailer, every loyalty platform, every retail-pricing technology vendor that operates anywhere near the surveillance-pricing line — is much larger, because Maryland will not be the last state.
A short, action-oriented list.
Audit your pricing engine for personal-information inputs. Identify every signal flowing into price-setting, whether direct (geolocation, loyalty-program data, prior-purchase history) or derived (household-composition inferences, price-sensitivity scores, propensity models). Distinguish inputs that are personal-information-derived from inputs that are not (general supply, demand, inventory, time, weather). The first category is what Maryland has restricted.
Map your loyalty program’s interaction with pricing. Many loyalty programs already deliver personalized offers and per-member discounts that are nominally consent-based. The line between “personalized loyalty discount” and “surveillance-based dynamic price” is meaningful in the new regime. The disclosure, opt-in, and opt-out mechanics around any per-member pricing functionality need to be re-examined.
Examine third-party data sources. Inputs flowing in from data brokers, ad-tech platforms, or aggregator partners are the most likely to produce inferred sensitive attributes that the law’s inference logic captures. The vendor governance work here overlaps significantly with the inferred-sensitive-data audit Maryland’s HB 711 requires for any retailer with Maryland customers.
Review your in-store technology stack. Smart shelves, mobile-app-driven price tags, point-of-sale personalization, beacon-based geofencing, and similar in-store technologies often have surveillance-pricing capability whether or not it is being used. Document what is enabled, what is disabled, and what would have to change for the system to be Maryland-compliant by the effective date.
Update internal documentation. Record of processing activities (RoPA) entries, the data protection impact assessment (DPIA) library, the privacy notice, customer-facing pricing disclosures, and the lawful-basis analysis for any data flow that touches pricing all need to be reviewed against the new regime. Treat this as a documentation update, not just an operational change.
Talk to your pricing and analytics teams now. This is the conversation that has to happen before legal counsel can give a clean opinion on Maryland exposure. It is also the conversation that has historically not happened in many retail compliance functions, because pricing has lived in commercial operations and privacy has lived elsewhere.
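The pricing-engine input audit from the first item in the list above can be run as a lineage trace over the engine's feature manifest. This is an added example, not code from the article or from any retailer's system; the signal names, the personal/general labels and the manifest layout are constructed assumptions. It follows derived signals back to their raw sources, so a score built from personal data is flagged even when its own name looks neutral.

```python
# Constructed manifest of inputs to a hypothetical pricing model (not real data).
# Raw signals carry a category; derived signals list the signals they are built from.
RAW = {
    "loyalty_purchase_history": "personal",
    "app_geolocation": "personal",
    "broker_household_segment": "personal",  # third-party data broker feed
    "store_inventory_level": "general",
    "wholesale_cost": "general",
    "hour_of_day": "general",
    "local_weather": "general",
}
DERIVED = {
    "demand_forecast": ["store_inventory_level", "hour_of_day", "local_weather"],
    "household_composition": ["loyalty_purchase_history", "broker_household_segment"],
    "price_sensitivity_score": ["household_composition", "app_geolocation"],
    "markdown_urgency": ["demand_forecast", "wholesale_cost"],
    "final_price_adjustment": ["markdown_urgency", "price_sensitivity_score"],
}

def personal_roots(signal, _seen=None):
    """Return the raw personal signals that feed `signal`, directly or transitively."""
    seen = _seen if _seen is not None else set()
    if signal in seen:  # already walked (diamond or cycle); its roots are already counted
        return set()
    seen.add(signal)
    if signal in RAW:
        return {signal} if RAW[signal] == "personal" else set()
    if signal not in DERIVED:
        # An input nobody has documented is an audit gap, not a pass.
        raise KeyError(f"undocumented signal: {signal}")
    roots = set()
    for parent in DERIVED[signal]:
        roots |= personal_roots(parent, seen)
    return roots

def audit(model_inputs):
    """Classify each input wired into the pricing model and list its personal sources."""
    report = {}
    for name in model_inputs:
        roots = personal_roots(name)
        label = "general" if not roots else (
            "direct-personal" if name in RAW else "derived-personal")
        report[name] = (label, sorted(roots))
    return report

if __name__ == "__main__":
    for name, (label, roots) in audit(list(RAW) + list(DERIVED)).items():
        print(f"{name:26} {label:17} {', '.join(roots)}")
```

The labels are an engineering inventory for the conversation with counsel; whether a given signal counts as personal information under the statute is a legal determination the script does not make.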
What This Tells Us About Where Privacy Regulation Is Going
Three signals from this week’s signing that go well past Maryland.
The end of “personalization is just better service.” For the past decade, personalization has been an unalloyed marketing virtue. Maryland has now drawn a regulatory line that says some uses of personalization — specifically, uses that translate into per-consumer pricing in real time — are not just disclosable, they are prohibited. That line is going to migrate to other forms of personalization that affect consumer outcomes (offers, eligibility, content access).
The rise of input-restriction laws. Most US privacy laws to date operate on disclosure, consent, and right-to-delete. Maryland’s pricing law operates on a different mechanism: it restricts what personal information may be used as an input to a particular commercial decision. That is a structurally more interventionist model, and it is the same model that the AI Act, the Colorado AI Act, and the emerging algorithmic accountability laws all use. Expect to see more of it in privacy contexts.
The convergence of privacy law and consumer protection. The Protection From Predatory Pricing Act sits at the intersection of three legal regimes — privacy, consumer protection, and antitrust — that have historically operated in separate channels. The structural problem (algorithmic differential pricing on personal data inputs) is the same in each, but the regulatory tools are different. Maryland is reaching across all three. Other states will too.
Protection From Predatory Pricing Act
The Protection From Predatory Pricing Act is a small law in operational scope and a meaningful one in regulatory direction. It is the first US statute to take the position that some uses of personal data are commercially impermissible regardless of consent — that the line is drawn at the use, not at the disclosure. That position has been visible in EU law for years (Article 22 GDPR, the AI Act, the inference-based protections of Article 9). It has not been visible in US state law in this form until now.
Senate Republicans in Maryland are technically correct that the practice the law restricts is not yet widespread in grocery stores. They are missing the point. The law is not really about today’s pricing practices; it is about the architecture that retailers, ad-tech vendors, and pricing-technology providers were building toward. Maryland has just made some of that architecture illegal in its territory, and the legal template now exists for any other state to do the same.
For privacy and compliance leads, the right read is the same read that has applied to most Maryland legislation in the past two years: this is where the regulatory direction is heading, and it is heading there faster than most retail compliance programs are organized to handle.