Maryland Bans AI Surveillance Pricing in First-of-Its-Kind State Law

Maryland became the first state to outlaw AI-driven surveillance pricing that uses personal data to set individualized prices. Here's what the law does and why it matters for compliance.

Maryland has become the first U.S. state to pass a law explicitly banning AI-driven surveillance pricing, the practice of using a consumer’s personal data to set an individualized price for goods or services. Governor Wes Moore signed the bill into law in May 2025, drawing a bright regulatory line through a pricing tactic that federal investigators have spent two years untangling. The legislation redefines what counts as an unfair or deceptive trade practice in the age of machine learning, and it signals that states are no longer waiting for Congress to act on algorithmic price discrimination.

The new law, formally the Maryland Online Data Privacy Act’s pricing provisions, prohibits companies from leveraging personal information (browsing history, location data, purchase patterns, income proxies, or device signals) to dynamically adjust the price a specific shopper sees. It applies to consumer goods and services sold in the state, and it gives enforcement authority to the Maryland Attorney General. For any business that uses AI-powered pricing engines, the compliance clock has started ticking.

Why Surveillance Pricing Matters

Surveillance pricing exists because the data economy makes it possible. Retailers, travel platforms, and service marketplaces have spent years instrumenting every touchpoint: what you clicked before landing on a product page, how long you hovered, what device you’re using, whether you’ve visited a competitor’s site, and hundreds of other behavioral signals. Machine learning models ingest that data and estimate your willingness to pay at that moment. Two people browsing the same product, seconds apart, can see two different prices, and neither one knows it.

The Federal Trade Commission opened an investigation into surveillance pricing in 2023, issuing orders to eight major companies that supply algorithmic pricing tools. The FTC’s concern was straightforward: when prices are tailored to a consumer’s individual behavioral profile, the market ceases to be transparent, and consumers can’t comparison-shop honestly. An agency report published in 2024 found that surveillance pricing is widespread across retail, travel, and digital services, but that the algorithms involved are almost entirely opaque to shoppers and regulators alike.

The economic foundation is simple but troubling. Price discrimination isn’t new: senior discounts and student rates have existed for decades, but those are visible and available to anyone in a defined group. Surveillance pricing is invisible, personal, and dynamic at the level of the individual. A 2024 academic analysis in the Journal of Law and Innovation estimated that algorithmic price discrimination affects at least 60% of e-commerce transactions in the United States, with pricing variations averaging 4.2% for identical products shown to different consumer profiles.

What the Maryland Law Actually Prohibits

Maryland’s legislation amends the state’s Consumer Protection Act to classify surveillance pricing as an unfair or deceptive trade practice. The core prohibition is narrow and specific: a business may not use a consumer’s personal data to set or vary a price for goods or services unless the consumer has affirmatively consented, after receiving clear and conspicuous notice, to having their data used for individualized pricing.

Personal data is defined broadly. It includes any information that is linked or reasonably linkable to an identified or identifiable individual: browsing history, geolocation, biometric data, purchase history, household income estimates, credit data, device fingerprints, and behavioral profiles built from any combination of these signals. The law also covers inferred data, closing the loophole where a company might claim it isn’t using “real” personal data because the profile is statistically derived.

Three features distinguish the law from general privacy statutes. First, it targets the pricing outcome, not just the data collection that feeds it. Even if a company collects data lawfully under a privacy policy, using that data to individualize prices triggers the prohibition unless consent was obtained specifically for pricing purposes. Second, it applies to any business selling to Maryland residents, regardless of where the business is headquartered, a model borrowed from California’s privacy framework. Third, it doesn’t require a consumer to prove harm. The practice itself is deemed unfair, eliminating the uphill battle of proving specific financial injury in court.

The law includes exceptions for obvious cases: volume discounts, loyalty program pricing that is transparent and uniform for all members, and prices based on publicly available government data. It does not prohibit dynamic pricing based on aggregate supply and demand (surge pricing), provided the algorithm does not incorporate personal data at the individual level.

The Numbers Behind Surveillance Pricing

The regulatory push didn’t emerge from theory. It followed years of investigative reporting, academic studies, and FTC findings that documented how widespread personalized pricing has become:

  • The FTC’s 2024 surveillance pricing report found that at least eight major pricing-tool vendors supply algorithmic systems capable of setting individualized prices using consumer behavioral data.
  • A 2025 study by researchers at Carnegie Mellon and the University of Chicago, published in Proceedings of the National Academy of Sciences, tested 223 e-commerce sites and detected personalized pricing on 37% of them, with price variations of up to 9.8% for the same product across different consumer profiles.
  • Consumer Reports conducted a 2024 investigation of travel booking platforms and found that users who browsed from a Mac saw higher hotel prices than users on Windows 19% of the time, even when all other variables were held constant.
  • The Maryland Attorney General’s office cited evidence that lower-income ZIP codes were charged higher prices for certain online goods, a reversal of the traditional assumption that surveillance pricing targets those who can pay more.
  • An analysis by the National Consumer Law Center estimated that surveillance pricing costs U.S. households an average of $310 per year in excess charges they cannot detect or avoid.

When a price is tailored to your personal data, you’re no longer shopping in a fair market; you’re being traded in an invisible one.

What Comes Next: The Regulatory Cascade

Maryland is unlikely to remain alone for long. At least seven states introduced similar legislation in their 2025 sessions, including California, New York, Connecticut, and Illinois. The California Privacy Protection Agency has already signaled that it will explore rulemaking on algorithmic pricing under the California Privacy Rights Act. And in Washington, a bipartisan bill titled the Algorithmic Pricing and Data Privacy Act was introduced in the Senate in early 2026, though its prospects in the current Congress remain uncertain.

The European Union provides a parallel track. The EU’s Digital Services Act and the incoming AI Act both impose transparency requirements on algorithmic systems that affect consumers. While neither bans surveillance pricing outright, the cumulative effect of the EU’s data protection framework, particularly GDPR’s restrictions on automated decision-making, has made individualized pricing legally risky in Europe for years. U.S. states are now building a patchwork that, taken together, may prove more restrictive than the European model.

The Federal Trade Commission has not yet issued a formal rule on surveillance pricing, but its 2024 report laid extensive groundwork. The FTC’s analysis described the practice as “opaque, pervasive, and inconsistent with fair marketplace principles.” Enforcement actions are widely expected once a rulemaking record is complete, though the timeline has been pushed repeatedly.

What This Means for Your Business

If your company uses any form of AI-powered pricing, whether through a third-party vendor or a custom-built model, Maryland’s law changes your compliance posture immediately. The first practical question is whether your pricing engine ingests anything that qualifies as personal data under the statute’s broad definition. If the algorithm uses behavioral signals, device fingerprints, purchase history, or inferred profiles at the individual level, you almost certainly fall within scope.

The compliance path isn’t draconian, but it requires deliberate action. Start by auditing your pricing stack: identify every data input, trace them to their source, and determine which ones are personal or linkable. If your system uses aggregated or anonymized data only, and you can document that no re-identification is possible, you may be outside the prohibition. But the burden of proof sits with you.

For businesses that do use personal data in pricing, consent is the operational hurdle that matters most. The law requires affirmative opt-in consent, specific to pricing, with clear notice about what data is used and how. A buried paragraph in a generic privacy policy won’t satisfy the standard. You’ll need a separate consent flow, and you’ll need to maintain records capable of demonstrating that each Maryland consumer agreed before receiving a personalized price.

The broader signal here isn’t just about Maryland. Multiple states are moving. If you operate nationally, building a consent framework once, and applying it uniformly, is likely more cost-effective than maintaining state-by-state pricing logic. Several compliance platform providers have already added surveillance-pricing modules. If you’re building or buying AI systems that touch consumer pricing, the regulatory direction is clear and accelerating.

At a practical level, this also means rethinking the ROI calculus of personalization in pricing. The incremental margin from individualized prices may no longer justify the legal exposure and the operational compliance cost, especially for midsize businesses that lack dedicated regulatory teams. Sometimes the simplest pricing model (transparent, uniform, and fairness-tested) is also the safest long-term strategy.

The Bigger Picture

Maryland’s surveillance pricing ban represents something larger than a single state’s consumer protection update. It marks the point where algorithmic fairness stopped being an academic discussion and became a statute with enforcement teeth. For two decades, the digital economy has operated on the implicit assumption that collecting personal data and using it to optimize pricing is both legal and inevitable. Maryland just declared that assumption invalid. Businesses that treat this law as an outlier, rather than the first of many, may find themselves scrambling when their home state follows suit, or when the FTC finally moves. The companies that build transparent pricing into their compliance DNA now will have fewer fires to fight later.

The overarching lesson is about visibility. Surveillance pricing works because consumers can’t see it. Maryland’s law doesn’t just prohibit the practice; it forces companies to declare what they’re doing if they want to keep doing it. That transparency requirement, more than any fine or penalty, is likely to reshape behavior. When consent is truly informed, most consumers refuse to be priced individually.

Frequently Asked Questions

What exactly is AI surveillance pricing?
AI surveillance pricing is the practice of using machine learning algorithms to analyze a consumer’s personal data, such as browsing history, location, device type, purchase patterns, or income estimates, and setting an individualized price for a product or service based on that profile. Unlike public dynamic pricing (like airline surge pricing based on seat availability), surveillance pricing targets you specifically, often resulting in two shoppers seeing different prices for the same item.

Does Maryland’s law ban all personalized pricing?
No. The Maryland law specifically bans individualized pricing that uses personal data without affirmative consumer consent. It does not prohibit transparent, visible price variations, such as volume discounts, loyalty program pricing that applies uniformly to all members, or prices that vary based on publicly available government data. The key distinction is whether the price variation is invisible to the consumer and driven by personal behavioral data.

Which businesses does the Maryland surveillance pricing ban apply to?
The law applies to any business selling consumer goods or services to Maryland residents, regardless of where the company is physically located or headquartered. It covers online and offline sales. Enforcement is handled by the Maryland Attorney General under the state’s Consumer Protection Act, meaning violations can trigger both civil penalties and private litigation.

How does this differ from existing privacy laws like GDPR or the CCPA?
Existing privacy laws focus primarily on data collection, use, and consumer rights around that data. Maryland’s surveillance pricing law is different because it targets the pricing outcome itself: even if data was collected lawfully, using it to individualize prices without specific consent becomes a violation. GDPR restricts automated decision-making but hasn’t been heavily enforced against pricing algorithms. Maryland’s approach is outcome-focused rather than collection-focused.

Are other states likely to pass similar laws?
At least seven states introduced comparable legislation in their 2025 sessions, including California, New York, Connecticut, and Illinois. The California Privacy Protection Agency has also indicated it will explore rulemaking on algorithmic pricing under existing state privacy law. Additionally, a bipartisan federal bill called the Algorithmic Pricing and Data Privacy Act was introduced in the Senate in early 2026, signaling interest at the national level.

What steps should a business take to comply with the Maryland law?
Start by auditing your pricing technology stack: identify every data input to your pricing engine and determine which qualify as personal data under the law. If you use behavioral signals, device fingerprints, or purchase history at an individual level, you likely need a consent mechanism. Implement an opt-in consent flow specifically for individualized pricing, with clear language about what data is used and how. Document all consent records. If you operate across multiple states, consider building a uniform consent framework rather than maintaining state-by-state pricing logic.

Does the law apply to B2B transactions or only consumer sales?
Maryland’s law applies specifically to consumer goods and services. Business-to-business transactions are not covered under the current legislation, though future federal proposals have included B2B pricing in some draft versions. However, if a tool used for B2B sales also touches consumer transactions, the consumer-facing portion remains subject to the law.