Maryland passed the first US surveillance pricing law in May 2026. It targets companies that adjust prices using personal data about an individual (browsing history, device type, real-time location, purchase patterns). California, Colorado and Illinois have drafts in flight. The EU's Digital Services Act already covers part of it. If your SaaS uses any form of algorithmic pricing, this article is the operational checklist.
What counts as surveillance pricing
Three signals trigger the rules:
- Price varies between two users for the same product at the same time
- The variation is driven by personal data about the user, not by inventory, promotions or volume tiers
- The user is not told the price was personalized
Standard tiered pricing (Free, Pro, Enterprise) is out of scope. Geographic pricing (USD vs EUR, PPP discounts) is borderline; document the criteria publicly and you stay in the clear. Real-time A/B testing of price points crosses the line if the test uses behavioral targeting.
What your privacy policy must disclose
1. Existence of algorithmic pricing
If you do it, say so. Vague language fails. "Prices may vary" is not enough. "We use [device type, region, prior session activity] to compute the price shown to you" is clear.
2. The categories of personal data used
List them. Even the apparently neutral signals (browser fingerprint, time of day) count.
3. User right to a non-personalized price
Maryland and the EU DSA both require an opt-out path. Your policy must describe it.
4. Logic, significance and consequences
GDPR Article 22 already required this for automated decisions; surveillance pricing laws make it explicit. Provide a plain-language explanation of how the algorithm decides.
| Region | Disclosure required | Opt-out required |
|---|---|---|
| Maryland (2026) | Yes, prominent | Yes, before checkout |
| EU (DSA Art. 27) | Yes, in policy + UI | Yes, for very large platforms |
| California (draft) | Yes | Yes |
| Other US states | Not yet | Not yet |
The IAPP analysis flagged loopholes: most laws exclude "loyalty discounts" and "introductory offers". Vendors are restructuring price experiments to fit those carve-outs. Expect a follow-up enforcement wave once regulators catch the workaround.
What to add to your ToS
- Clause explaining that prices shown are individualized when applicable
- Refund or credit policy if a user discovers post-purchase that they paid more than baseline
- Reservation of right to change pricing algorithm with notice
Operational impact on the product
Beyond policy text, surveillance pricing rules trigger product work:
- Logging: every price computation must be reproducible (algorithm version, inputs, output)
- Audit endpoint: a user requesting their pricing record must receive it within 30 days
- Non-personalized price exposure: a public baseline price displayed in tandem with the personalized one when required
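The following is an added example, not code from the article or from any vendor it mentions, showing one way to satisfy all three product requirements at once: every price computation is a pure function of a frozen algorithm version plus the recorded inputs (so it can be replayed), each record carries a digest for tamper detection, the baseline and personalized prices are stored side by side, opt-out collapses the personalized price to the baseline, and an audit lookup returns only the requesting user's own records. The pricing rules, the `v1` version label, the $100.00 baseline, the basis-point adjustments and the signal values are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, replace, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical pricing rules, constructed for this example. Every version is
# frozen once shipped so that an old record can be replayed against the exact
# logic that produced it.
BASELINE_CENTS = 10000  # the public, non-personalized price: $100.00

# version -> personal-data category -> observed value -> adjustment in basis points
ALGORITHM_VERSIONS: Dict[str, Dict[str, Dict[str, int]]] = {
    "v1": {
        "device_type": {"mobile": 500},  # +5.00 %
        "region": {"EU": -500},          # -5.00 %
    },
}
CURRENT_VERSION = "v1"


@dataclass(frozen=True)
class PricingRecord:
    """One reproducible price computation: version, inputs, both outputs."""
    record_id: str
    user_id: str
    algorithm_version: str
    inputs: Dict[str, str]      # only the categories this version actually consumed
    opted_out: bool
    baseline_cents: int
    personalized_cents: int
    computed_at: str            # ISO-8601 UTC timestamp
    digest: str = ""            # SHA-256 over every other field, for tamper detection


PRICING_LOG: List[PricingRecord] = []  # in-memory stand-in for an append-only store


def _digest(record: PricingRecord) -> str:
    """Canonical JSON of all fields except the digest itself, hashed."""
    body = {k: v for k, v in asdict(record).items() if k != "digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _apply(version: str, inputs: Dict[str, str], opted_out: bool) -> int:
    """Pure function of (version, inputs, opt-out); this is what makes replay possible."""
    if opted_out:
        return BASELINE_CENTS
    rules = ALGORITHM_VERSIONS[version]
    bps = sum(rules.get(cat, {}).get(val, 0) for cat, val in inputs.items())
    return BASELINE_CENTS * (10000 + bps) // 10000


def compute_price(user_id: str, signals: Dict[str, str], opted_out: bool = False,
                  version: str = CURRENT_VERSION,
                  computed_at: Optional[str] = None) -> PricingRecord:
    """Compute the shown price and log it. Only categories the version declares are
    recorded, so the log doubles as the list of personal data the policy must disclose."""
    declared = ALGORITHM_VERSIONS[version]
    used = {cat: val for cat, val in signals.items() if cat in declared}
    rec = PricingRecord(
        record_id=f"{user_id}-{len(PRICING_LOG) + 1}",
        user_id=user_id,
        algorithm_version=version,
        inputs=used,
        opted_out=opted_out,
        baseline_cents=BASELINE_CENTS,
        personalized_cents=_apply(version, used, opted_out),
        computed_at=computed_at or datetime.now(timezone.utc).isoformat(),
    )
    rec = replace(rec, digest=_digest(rec))
    PRICING_LOG.append(rec)
    return rec


def replay(rec: PricingRecord) -> bool:
    """Audit check: digest intact and the frozen version reproduces the stored output."""
    if rec.digest != _digest(rec):
        return False
    return _apply(rec.algorithm_version, rec.inputs, rec.opted_out) == rec.personalized_cents


def audit_records(user_id: str) -> List[dict]:
    """What a user receives from the audit endpoint: their own records, nothing else."""
    return [asdict(r) for r in PRICING_LOG if r.user_id == user_id]


if __name__ == "__main__":
    shown = compute_price("u-42", {"device_type": "mobile", "ip": "203.0.113.9"})
    print(shown.personalized_cents, shown.baseline_cents, shown.inputs, replay(shown))
```

Two design choices carry the compliance weight. Filtering `signals` down to the categories a version declares means an undeclared signal (the `ip` above) can never silently influence a price, which keeps the disclosed category list honest. Storing `baseline_cents` in every record, rather than recomputing it later, is what lets the "paid more than baseline" refund clause be settled from the log alone.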
The pattern repeats across regulation: what is built without disclosure becomes the next compliance debt. SaaS companies that documented algorithmic pricing in 2024 are now ahead; those that did not are spending Q2-Q3 retrofitting.
Conclusion
Algorithmic pricing is no longer a black box. If your SaaS uses any signal beyond inventory and standard tiers to set prices, the 2026 minimum is transparency in the privacy policy and an opt-out path. Maryland is the first; more will follow. Adding the disclosures pre-emptively is cheaper than rebuilding after a complaint.
If you want a policy generator that already produces the algorithmic pricing section per jurisdiction, try Termerly free and ship the compliant version this week.