Connecticut has become the second US state to enact legislation restricting how retailers can use customer data to set personalised prices. As reported by Retail Dive, Governor Ned Lamont signed HB 5563 on 5 June, following Maryland's lead in April 2026. On the same day, New York state lawmakers approved similar legislation, now awaiting Governor Hochul's signature. Meanwhile, Colorado's governor vetoed a comparable bill, highlighting the political fracture lines around this issue.
For eCommerce merchants, this is not a distant regulatory concern. It is a direct challenge to one of the core capabilities of modern personalisation technology, and it demands a careful reassessment of how you use customer data in pricing.
What these laws actually prohibit
The Connecticut and Maryland laws share a common principle: retailers cannot use personally identifiable data to customise prices for individual shoppers. This includes browsing history, purchase history, health conditions, income data, location data linked to an individual, and similar personal attributes.
It is important to understand what these laws do not prohibit. Traditional dynamic pricing, adjusting prices based on aggregate supply and demand, time of day, inventory levels, or competitor pricing, remains legal. The distinction is between pricing that responds to market conditions (permitted) and pricing that targets individual consumers based on their personal data profile (restricted).
Connecticut's law also requires a specific disclosure when automated pricing tools use personal data: "THIS PRICE WAS INCREASED BY A PRICE SETTING DEVICE USING YOUR PERSONAL DATA," as detailed in an analysis by Mintz. The disclosure requirement applies from 1 October 2026, while the broader surveillance pricing ban takes effect on 1 July 2027.
Consumer Reports, which has been championing these restrictions, praised Connecticut's law but noted it still contains significant gaps. Grace Gedye, senior policy analyst at Consumer Reports, warned that businesses may feel the law "permits personalised pricing so long as they increase list prices and then offer personalised discounts to certain consumers based on their perceived willingness to pay."
The bigger picture: A patchwork is forming
What is emerging is a state-by-state regulatory patchwork, similar to what happened with data privacy before the California Consumer Privacy Act (CCPA) set the pace. Maryland's law takes effect on 1 October 2026. Connecticut's broader ban follows on 1 July 2027. If New York's governor signs, that state will follow on a similar timeline. California and New Jersey are also considering similar bans during the 2026 legislative session.
The Colorado veto is instructive about the political dynamics. As reported by Grocery Dive, Governor Polis rejected the legislation because he felt it was "too wide-ranging," writing that he worried about "discouraging perfectly acceptable uses of technology to set an appropriate price or wage." But the overall trend is clearly towards restriction, and the question for merchants is not whether to prepare but how aggressively.
For eCommerce businesses operating nationally, which is most eCommerce businesses, the practical impact is that you need to comply with the most restrictive applicable law. Once two or three major states restrict personalised pricing, the compliance overhead of maintaining different pricing logic for different geographies typically makes it simpler to apply the most restrictive standard everywhere.
What this means for your tech stack
If you are using personalisation tools that influence pricing, and many eCommerce platforms now offer this capability natively or through extensions, you need to audit exactly what data inputs are feeding your pricing decisions.
Safe territory. A/B testing of price points where the variant assignment is random (not based on user profiles). Dynamic pricing based on aggregate inventory levels, competitor prices, or time-based promotions is applied uniformly. Promotional pricing triggered by cart composition or order value thresholds that apply to all customers equally.
Risk territory. Individual pricing adjustments based on a customer's browsing history, purchase frequency, inferred price sensitivity, geographic wealth indicators, or device type used as a proxy for affluence. Loyalty programme pricing is a grey area. It is technically based on personal data (membership status), but most legal analyses suggest that transparent, opt-in loyalty pricing remains permissible because the customer explicitly chose to participate.
Immediate action items:
-
Audit your pricing logic. Document every input that influences the price a customer sees. If any input is derived from personally identifiable data, flag it for review.
-
Review your personalisation vendor contracts. Understand whether your tools have the ability to exclude PII from pricing decisions while still using it for product recommendations, content personalisation, and other non-pricing uses.
-
Separate personalisation from pricing. The safest approach is to maintain a clear architectural boundary between your personalisation engine (which can use personal data for recommendations, content, and UX) and your pricing engine (which should not use personal data).
-
Monitor New York. If Governor Hochul signs the bill, the effective market coverage of these laws will include a significant share of US eCommerce consumers, making nationwide compliance the only practical option.
The opportunity for transparency
There is a silver lining here for merchants who have been building their personalisation strategy around genuine customer value rather than price extraction. Research consistently shows that consumers respond positively to personalisation that helps them discover relevant products, but react negatively, and vocally, when they discover they have been shown a higher price than someone else for the same item.
Merchants who use customer data to improve relevance (better product recommendations, more useful content, streamlined checkout) while keeping pricing transparent and uniform are positioned to benefit as competitors who relied on personalised pricing face regulatory headwinds.
This is also an opportunity to reframe your personalisation narrative. Instead of personalising the price, personalise the experience: curated collections, personalised email content, tailored search results, predictive inventory suggestions. These uses of personal data deliver genuine value to the customer and face no regulatory restrictions.
Looking ahead
We expect more states to introduce similar legislation through 2026 and 2027, eventually creating enough pressure for federal action. The EU's approach through the Digital Markets Act and Consumer Rights Directive already restricts personalised pricing practices in ways that align with where US regulation is heading.
For eCommerce merchants, the strategic imperative is clear: invest in personalisation that improves the customer experience through relevance and convenience, not through price discrimination. The regulatory environment is catching up with consumer sentiment, and the merchants who are ahead of this curve will have a competitive advantage in trust and brand loyalty.
About On Tap
On Tap is a growth-focused eCommerce consultancy helping mid-market and enterprise merchants navigate the intersection of technology, personalisation, and compliance. From pricing stack audits and personalisation architecture to platform optimisation and data strategy, On Tap helps merchants build capabilities that deliver value to customers without creating regulatory exposure.
If you need to audit your pricing and personalisation stack, get in touch.
