Authors
2026 has started off swiftly for privacy enforcement in California – on January 28, 2026, Data Privacy Day, California Attorney General Rob Bonta announced the state is launching an investigative sweep into “surveillance pricing,” aimed at businesses with “significant online presence” in the retail, grocery, and hotel sectors. Bonta warns that relying on personal data to set individualized prices may violate the California Consumer Privacy Act’s (CCPA) purpose limitation and transparency requirements.
The sweep
The announcement notes that Bonta’s investigatory letters will seek details on (i) how the targeted companies use consumers’ shopping and browsing history, location, demographics, and inferential data to set prices, (ii) their policies and disclosures regarding personalized pricing, (iii) any pricing experiments undertaken by the companies, and (iv) measures the companies have taken to comply with algorithmic pricing, competition, and civil rights laws. Bonta emphasized that consumers have a right to know if their data affects what they pay and that undisclosed, unexpected uses of data can breach California law.
What is surveillance pricing?
The announcement situates surveillance pricing within broader regulatory concerns, which have increasingly been focused on the consumer impact of surveillance pricing methods. The practice can be invisible to consumers and lead to different prices for the same goods or services. Recent scrutiny includes the FTC’s information requests and research, and a Consumer Reports investigation indicating sizable price differences among the users of certain e-commerce sites, after which some e-commerce companies ended technology enabling differential pricing. The sweep continues California’s CCPA enforcement track, following prior actions involving streaming services, loyalty programs, and location data, as well as sweeps involving retailers and grocers.
Surveillance pricing can involve partially automated pricing changes through the use of algorithms to set individualized prices based on non-personal information as well as consumers’ personal information, including characteristics, preferences, and behavioral data such as location, demographics, browsing patterns, and shopping history. The use of surveillance pricing could lead to differences in product prices depending on the data collected and used, but it can also be used to offer personalized and targeted discounts and offers to consumers, as well as overlap with traditional targeted advertising activities, such as advertising specific products at different price points. Regulatory concerns around surveillance pricing include the potential exploitation of consumers by charging higher prices based on their need and desire for certain products and services, as well as the risk of pricing discrimination, where prices are modified based on protected characteristics such as race, gender, or national origin.
Surveillance pricing also raises common regulatory privacy concerns, including misuse of sensitive personal information, large-scale and high-volume data collection, the impact of inaccuracies in data, lack of transparency in the use of personal information for dynamic pricing, harm to competition, and the use of scrutinized data collection mechanisms, such as data scraping. Trends in legislation have focused on transparency in practices, as well as highlighting existing or new restrictions on the use of certain sensitive personal information.
CCPA purpose limitation
The announcement also serves as a reminder to companies doing business in California that the California Privacy Protection Agency (CPPA) and Bonta’s office continue to highlight the importance of the data minimization and purpose limitation requirements of the CCPA. The relevant provision of the CCPA, 1798.100(c), states:
“A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”
This means that a consumer may not expect that personal information collected when a consumer purchases a pair of shoes in San Francisco may be repurposed to determine travel pricing when that same consumer is looking to plan a trip to Seattle for a weekend away. That said, many businesses have developed strategies to avoid using personal information for surveillance pricing by developing practices to de-identify and aggregate the data relied upon in certain models. But it seems that Bonta’s office may be challenging that concept with this sweep. Other companies continue to leverage traditional dynamic pricing methods, which use non-personal data to determine pricing.
Stacking up Bonta’s activity
While Bonta’s announcement comes on Data Privacy Day, his office and the CPPA have been busy on many other days of the year. One could say every day is Privacy Day in California. Previous announcements and settlements have involved a variety of regulatory focus areas, including enforcement of consumer rights, data brokers, notices of financial incentives, industry practices (such as connected cars), and employee privacy.
- In late 2025, Bonta announced a major settlement ($1.5 million) with a mobile gaming company resolving claims that it failed to provide compliant opt-out tools and improperly shared data of users – including minors aged 13-15 – without the required consent.
- A previous 2025 settlement required a streaming service provider to pay ($530,000) for inadequate privacy protections, including alleged failures to make opt-out options clear and to protect children’s data under state law.
- In December 2025, the CPPA fined a marketing firm ($56,600) for failing to register as a data broker. The CPPA stated that the broker sold personal information to third parties for valuable consideration when it disclosed or made available personal information to clients as part of its audience modeling, consumer profiles, and custom audience services, specifying that “a sale is a sale,” regardless of whether those sales are provided in a bundle with advertising and marketing services it may provide to its clients.
Bottom line: California is intensifying CCPA enforcement around individualized pricing and expects businesses to ensure transparent, lawful, and consumer aligned data practices, and businesses should take all necessary steps to ensure compliance and minimize risk.
Our privacy team key members include Sarah Bruno, Monique Bhargava, Tyler Thompson, Rob Newman, and Idara Udofia.
Client Alert 2026-021