Published May 9, 2026. Maryland's Protection from Predatory Pricing Act (HB 895) was signed by Governor Wes Moore in April 2026. Effective October 1, 2026. This guide covers what is prohibited, who is covered, and what the exemptions are.
Maryland's Protection from Predatory Pricing Act is the first US state law to directly restrict surveillance pricing in food retail, charging individual consumers different prices based on their personal data profiles. It is not a general AI regulation law and does not address competitor price coordination or hub-and-spoke pricing schemes. The scope is specific: large grocery stores and food delivery platforms using consumer data to personalize food prices.
TL;DR: Maryland's Protection from Predatory Pricing Act (HB 895) was signed by Governor Wes Moore in April 2026. Effective October 1, 2026. It prohibits large food retailers (15,000+ sq ft) and third-party food delivery services from using consumer personal data, browsing history, location, purchase behavior, income, to set personalized prices for tax-exempt food items. This is 'surveillance pricing': charging different prices to different consumers based on their data profile. Standard loyalty programs, promotional pricing, and geographic pricing are exempt. Maryland AG enforces with a 45-day cure period; penalties up to $10,000 first offense, $25,000 repeat. No private right of action.
What the Law Bans
The core prohibition: food retailers cannot use consumer personal data to charge one consumer more than another for the same food item.
The law defines the prohibited practice as "dynamic pricing", a term the legislature uses specifically to mean personalized pricing based on individual consumer data, not demand-based pricing that applies equally to all consumers.
| Practice | Legal status under Maryland law |
|---|---|
| Different prices to different consumers based on their browsing history | Prohibited |
| Different prices to different consumers based on income data | Prohibited |
| Different prices to different consumers based on location data used to infer willingness to pay | Prohibited |
| Different prices based on purchase behavior analytics showing individual price sensitivity | Prohibited |
| Surge pricing that applies equally to all consumers during high-demand periods | Permitted |
| Geographic price differences based on supply chain and shipping costs | Permitted |
| Loyalty program discounts based on membership status | Permitted |
| Promotional and sale pricing applied to all consumers | Permitted |
| Subscription pricing tiers | Permitted |
| Prices offered in exchange for the consumer's explicit consent to share data | Permitted |
The distinction the law draws: demand-based and geography-based pricing is permitted because it reflects objective market conditions that apply to everyone. Personalized pricing based on individual consumer data profiles is prohibited because it charges different people different amounts for identical products.
Who Is Covered
Covered:
- Food retailers operating grocery stores or retail food stores with 15,000 or more square feet of sales area in Maryland
- Third-party delivery service providers that connect grocery retailers to delivery services and consumers for food purchases
Not covered:
- Grocery stores or food retailers under 15,000 sq ft (small grocers, corner stores, specialty shops)
- Restaurants and food service establishments
- Non-food retail (the law applies specifically to food products)
- Non-food product categories sold by covered food retailers
- Online-only food retailers that do not operate a physical Maryland grocery store (this is less certain, check with counsel)
The 15,000 sq ft threshold captures major chains, Walmart, Kroger, Giant, Safeway, Whole Foods, Target, but not small independent grocers.
Personal Data Covered
The law covers personal data "linked or reasonably linked to an identified or identifiable consumer," excluding de-identified data and publicly available information. Data types specifically implicated:
- Browsing history, including product pages viewed, searches, and time spent on pages
- Location data, geographic location used to infer affluence or willingness to pay
- Purchase behavior, frequency, basket size, brand preferences, price sensitivity indicators
- Inferred income or demographics, data purchased or derived that estimates consumer income or economic status
- Protected class data, race, gender, ethnicity, and other legally protected characteristics (the law adds this as a separate concern)
What to Do Before October 1, 2026
If you are a covered food retailer or grocery delivery platform:
- Audit your pricing systems, identify any dynamic pricing component that uses consumer-level personal data (not just aggregate demand) to set prices
- Confirm what data inputs your pricing tools use, get written documentation from any third-party pricing software vendor about whether they use individual consumer data profiles
- Separate personalization from personalized pricing, product recommendations, marketing personalization, and loyalty discounts remain legal; personalized price-setting does not
- Review delivery platform contracts, if you use Instacart, DoorDash Grocery, or similar, confirm how their pricing layer operates and whether it uses consumer data to set prices
- Document your pricing methodology, written description of what your pricing tools do and do not do; this is your first line of defense in an AG inquiry
- Assess your loyalty program structure, confirm your loyalty discounts are based on membership status or actions, not on individual consumer data profiles used to charge non-members more
Third-Party Pricing Vendors: Who Is Responsible
Most large grocery retailers do not build their own pricing algorithms, they license dynamic pricing software from vendors. Under Maryland's law, responsibility does not transfer to the vendor. The retailer and the delivery platform are the covered entities; vendor software is how they implement the prohibited practice.
This creates a documentation and contract obligation:
Vendor audit. Before October 1, 2026, covered retailers must confirm in writing whether any pricing software they license uses individual consumer personal data (not aggregate demand data) to set prices. The question to put to vendors: "Does your system set prices that differ between consumers based on their individual data profiles, including browsing history, location, purchase behavior, or inferred income?" A yes answer means the feature must be disabled or the contract must be renegotiated.
Contract language. Retailers should add a warranty clause to new and renewing pricing software contracts: the vendor warrants that the software does not use Maryland-prohibited individual consumer personal data to set prices for food items in Maryland, and will notify the retailer within 30 days of any feature change that could implicate this restriction.
Data flow mapping. The compliance question is not just what the pricing tool does today, it is what data flows into the pricing calculation. If a retailer's loyalty platform shares individual consumer purchase history with a pricing engine, and that pricing engine uses it to calibrate per-consumer prices, that is the prohibited flow, even if both systems are operated by different vendors.
How the AG Enforcement Process Works
The Maryland Attorney General's Consumer Protection Division is the sole enforcer. No private lawsuits are allowed, consumers cannot sue directly under this statute. The enforcement process:
Step 1, Notice. Before filing a formal enforcement action, the AG must provide written notice to the covered entity identifying the alleged violation and specifying the conduct that must cease or be remediated.
Step 2, 45-day cure period. The covered entity has 45 days from notice to cure the violation. A retailer that disables the prohibited pricing feature, documents the change, and notifies the AG within the 45-day window is insulated from civil penalties for the noticed violation. This cure right applies once, repeat violations after a cure do not carry a second cure period.
Step 3, Enforcement action. If the retailer does not cure within 45 days, the AG may bring a civil enforcement action in Maryland Circuit Court. Penalties: up to $10,000 per violation for first offenses; up to $25,000 per violation for repeat offenses. "Per violation" likely means per individual pricing transaction that used prohibited personal data, though this has not been litigated, the practical exposure for a high-volume grocery chain could be significant.
Documentation matters for cure. To successfully cure, the retailer needs documentation: a written description of what was changed, when, and by whom. A retailer that simply turns off a feature without documenting the change has a weak cure record. The AG's office has discretion in assessing cure adequacy.
What "Publicly Available Information" Means
The law excludes "publicly available information" from the definition of personal data, meaning retailers can use publicly available data in pricing without triggering the prohibition. But this carve-out is narrower than it first appears.
Maryland's law adopts the CCPA/CPRA definition of publicly available information: information that is lawfully made available from federal, state, or local government records, or information the consumer has made available to the general public without a restriction. This covers things like a ZIP code's median household income published by the US Census Bureau.
What it does not cover: data purchased from data brokers that was derived or inferred from non-public sources, behavioral data that a consumer made "available" through a transaction but did not intend to make public, and aggregated or probabilistic inferences about individual consumers derived from publicly available inputs.
The line in practice: a retailer can price differently by ZIP code based on publicly available Census income data (geographic pricing, already permitted). A retailer cannot use a consumer's specific browsing history or transaction record to infer their individual price sensitivity and set a price accordingly, even if some inputs to that inference came from public sources.
Federal Context
Maryland's law is narrower than the federal policy debate. The FTC has signaled interest in surveillance pricing more broadly, its 2024 study of surveillance pricing practices examined eight companies using personal data for personalized pricing across retail. Maryland's law turns state-level interest into enforceable rules, specifically for food.
Other states are watching. California, New York, and Illinois have had similar proposals. Maryland's approach, sector-specific (food), with clear exemptions for loyalty programs, and AG-only enforcement, may serve as a template. Federal Trade Commission guidance on surveillance pricing issued in 2024 is consistent with Maryland's framework, which suggests future federal action in this space would likely preempt state laws rather than add to them. Until federal law arrives, grocery and food retailers operating in Maryland should treat October 1, 2026 as a hard deadline and build compliant pricing architectures now rather than retrofitting later.
Sources: Maryland HB 895 (Protection from Predatory Pricing Act), Maryland Attorney General, Morgan Lewis analysis, Consumer Reports statement on signing. Effective October 1, 2026. Consult counsel for advice specific to your situation.
