May 14, 2026 · 8 min read
Maryland Just Became the First State to Ban Surveillance Pricing at Grocery Stores—Then Wrote Four Loopholes Into the Law That Let Every Loyalty Program Keep Doing It
Governor Wes Moore signed HB 895 on April 28. The Protection From Predatory Pricing Act takes effect October 1, 2026. Consumer Reports called the goal right and the enforcement weak—only the Attorney General can sue, and only after 45 days' notice.
On April 28, 2026, Maryland Governor Wes Moore signed House Bill 895, the Protection From Predatory Pricing Act, making Maryland the first state in the country to formally ban surveillance pricing in any retail sector. The law forbids large grocery stores and third-party delivery services from charging two shoppers different prices for the same item at the same time based on the shoppers' personal data. It takes effect October 1, 2026, with fines of up to $10,000 per violation, rising to $25,000 for repeat offenses.
That is the headline. The text of the bill is what determines whether the headline holds up. Maryland's Department of Legislative Services and the Hunton retail practice both published analyses reaching the same conclusion: the prohibition is narrowed by at least four explicit loopholes, and the enforcement model is, in Consumer Reports' own words, "weak."
What Surveillance Pricing Actually Is
Surveillance pricing, also called personalized pricing, is the practice of charging different customers different prices for the same product at the same moment based on what the seller knows about each customer. The "what the seller knows" part is the variable that has changed in the last five years. It now includes purchase history, loyalty program data, device type, location, IP address, time of day, browser fingerprint, inferred income, and signals bought from third-party data brokers.
In a grocery context the experience is uneven and largely invisible. The customer who shops a Kroger or Safeway store with the app open can be served a "personalized" digital price tag that is higher or lower than the shelf tag depending on the data the retailer has linked to that profile. The customer who orders the same loaf of bread through Instacart or DoorDash can see a marked-up unit price that the retailer never published. The Federal Trade Commission's 2024 inquiry into eight retail intermediaries produced internal documents showing that some merchants offered the same SKU at five different prices to five different shoppers based on consumer profile data.
The Four Loopholes
The IAPP's analysis of HB 895 walks through the gaps in the bill section by section. Four of them stand out because they affect the categories of pricing the FTC inquiry actually documented.
1. There is no baseline price. The statute prohibits using personal data to charge someone "more than they otherwise would have" paid, but does not define what the "otherwise would have" price is. A retailer can post a nominal regular price of $10 and personalize the discount downward to $7 for some shoppers and $9 for others. Nobody paid more than the regular price, so nobody is overcharged on the statute's terms, even though the differential pricing happened.
2. Segment pricing is fine. The prohibition applies to "individualized" prices. A retailer who classifies shoppers into segments, then prices the segment instead of the individual, is not covered. With modern data, a segment can be defined narrowly enough that it functionally identifies a single person, but the legal label is segment, not individual.
3. Loyalty and membership programs are explicitly exempt. The same loyalty card that hands the retailer its single largest pool of personalized purchase data is also the lawful vehicle for offering members different prices than non-members. Every major grocery chain in Maryland already operates a loyalty program. Every one of them can continue to price members one way and non-members another based on the data the program collects.
4. Enforcement is centralized and slow. There is no private right of action. Only Maryland's Division of Consumer Protection in the Office of the Attorney General can bring a case, and only after sending the violator a written notice of violation and waiting 45 days for a response. The fines are capped at $10,000 per violation, $25,000 for repeat violators. For a major grocery chain those numbers are an operating expense, not a deterrent.
Why This Still Matters
The loopholes are real and the enforcement is thin. The bill still matters, for three reasons the privacy law community has been pressing in print since the day it passed.
First, it is the first time a U.S. state has formally named surveillance pricing as a regulated category of business conduct. Up to now, the practice has lived in a gray zone between the Federal Trade Commission Act's unfair practices doctrine and consumer privacy frameworks that focus on data collection rather than data use. Maryland has created a hook that other states can build on. Connecticut, New York, and California have all introduced parallel bills since.
Second, it forces retailers to admit the practice exists. Compliance with HB 895 requires documentation of pricing models, which means a paper trail. That trail will be discoverable in later enforcement actions and class actions, in Maryland and elsewhere.
Third, the loyalty program exemption is the part everyone in privacy is now watching. The same exemption that lets grocers price their members differently is the doctrinal seed of a larger question: whether a loyalty program can be treated as a consent vehicle for the entire surveillance ecosystem. If the Maryland law holds the line that loyalty equals consent equals lawful, every personalized advertising and pricing system in the country gets cleaner legal cover. If a court or a subsequent legislature pushes back, the whole structure becomes vulnerable.
The Email Connection
The personal data that powers surveillance pricing does not come from the cash register. It comes from the digital exhaust the same customer leaves across the rest of their life. The single richest source is email. Marketing emails carry tracking pixels, remotely loaded images that log when a message is opened along with the requesting IP address (and so an approximate location) and the mail client or device type. Click trackers route every link through the sender's redirect server, recording exactly which products a recipient was interested in before forwarding them on. Receipt scraping services sold to grocers' loyalty partners convert the contents of every order confirmation in an inbox into a behavioral profile.
The Federal Trade Commission's surveillance pricing inquiry specifically called out email engagement signals as one of the inputs the intermediaries used. France's CNIL issued new email tracking guidance in 2026 in part because the same pixel that knows when you opened a newsletter is what feeds the system that knows what to charge you later.
Maryland's law regulates the price tag. It does nothing about the pipeline. For now the most reliable point of intervention for a shopper is the inbox: blocking tracking pixels and stripping click trackers cuts off the engagement signals that flow into the same data brokers feeding personalized pricing models. That does not erase a profile already built, but it stops feeding it.
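To make the mechanism concrete, here is a small Python sanitizer, added for this article and not code from any product, vendor or agency the article mentions, that walks an HTML marketing message, drops images that look like tracking pixels, and unwraps click-tracker redirects back to their real destination. The sample message, the tracker hostnames (click.example-esp.net, links.example-tracker.com) and the query-parameter names it unwraps are constructed for the example; a real filter keeps its own lists and, better, refuses to load remote images at all, since a tracking pixel does not have to be 1x1.

```python
"""Detect and strip email tracking elements from an HTML message body.

Added example; hostnames, parameter names and the sample email are assumed.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

# Hostnames treated as click-tracking redirectors (ASSUMED for the example).
TRACKER_HOSTS = {"click.example-esp.net", "links.example-tracker.com"}
# Query keys that redirectors commonly use for the real destination (assumed).
DEST_KEYS = ("url", "u", "redirect", "dest")

# Constructed sample: one tracked link, one direct link, one open pixel,
# one real logo, and one pixel hidden by inline style rather than size.
SAMPLE_EMAIL = """<html><body>
<p>Weekly deals just for you!</p>
<a href="https://click.example-esp.net/c?u=https%3A%2F%2Fgrocer.example%2Fbread&amp;rid=abc123">Artisan bread</a>
<a href="https://grocer.example/milk">Milk</a>
<img src="https://open.example-esp.net/o.gif?rid=abc123" width="1" height="1" alt="" />
<img src="https://grocer.example/logo.png" width="120" height="40" alt="logo">
<img src="https://links.example-tracker.com/p.png" style="display:none">
</body></html>"""


def is_tracking_pixel(attrs):
    """Heuristic: a 0x0 or 1x1 image, or one hidden via inline style."""
    a = dict(attrs)
    w, h = (a.get("width") or "").strip(), (a.get("height") or "").strip()
    tiny = w in ("0", "1") and h in ("0", "1")
    style = (a.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def unwrap_click_tracker(href):
    """Return the destination behind a known redirector, else href unchanged."""
    p = urlparse(href)
    if p.netloc.lower() not in TRACKER_HOSTS:
        return href
    qs = parse_qs(p.query)  # percent-decodes values
    for key in DEST_KEYS:
        if key in qs:
            return unquote(qs[key][0])
    return href  # opaque token only: nothing to unwrap, caller may drop it


class EmailSanitizer(HTMLParser):
    """Rebuilds the HTML, dropping pixels and rewriting tracked links."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # rebuilt HTML fragments
        self.pixels = []       # src of every image dropped
        self.rewritten = []    # (tracked href, destination) pairs

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag] + [k if v is None else f'{k}="{html.escape(v, quote=True)}"'
                         for k, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def _handle_img(self, attrs):
        if is_tracking_pixel(attrs):
            self.pixels.append(dict(attrs).get("src", ""))
            return True  # dropped
        return False

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self._handle_img(attrs):
            return
        if tag == "a":
            rewritten = []
            for k, v in attrs:
                if k == "href" and v:
                    dest = unwrap_click_tracker(v)
                    if dest != v:
                        self.rewritten.append((v, dest))
                    v = dest
                rewritten.append((k, v))
            attrs = rewritten
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if tag == "img" and self._handle_img(attrs):
            return
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_email_html(body):
    """Return (clean_html, dropped_pixel_srcs, rewritten_links)."""
    s = EmailSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.pixels, s.rewritten


if __name__ == "__main__":
    clean, pixels, links = sanitize_email_html(SAMPLE_EMAIL)
    print("dropped pixels:", pixels)
    print("unwrapped links:", links)
    print(clean)
```

The size and style heuristics catch the common cases but not a tracker disguised as a normal-sized banner image, which is why mail clients that block remote content by default remain the stronger control; the redirect unwrapping is the part that removes the per-recipient token (rid=abc123 above) that ties a click back to a profile.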
What Happens October 1
When HB 895 takes effect on October 1, 2026, Maryland grocers will need to be able to demonstrate that any pricing variation between customers either is not based on personal data or falls outside the prohibition as drafted: a discount off a posted regular price, a price set for a segment rather than an individual, or a loyalty or membership program. The compliance bar is low; the reputational bar will be higher. Consumer Reports has already announced it will monitor Maryland stores for the first 90 days and publish findings.
If the loopholes hold up in practice, the law will end up regulating the most blatant individualized pricing while leaving segment-based and loyalty-based pricing intact. That is not nothing. It is also not what most consumers will have understood when the headline crossed their feed. Connecticut has since followed Maryland's lead with SB 4, which pairs a statewide deletion mechanism with its own ban on surveillance pricing.