Photo of David Navetta

David Navetta

Subscribe to David Navetta's Posts

David advises clients on all aspects of technology and data law, including data privacy, information security, artificial intelligence (AI), financial reporting, data governance, technology-related transactions, and data monetization and use.

Contact:Read more about David Navetta

Key Points: California Attorney General Rob Bonta announced a sweep concerning so-called “surveillance pricing” or “algorithmic pricing” The AG highlights potential CCPA privacy violations tied to the use of individualized pricing models based on a lack of transparency and failure to comply with the CCPA’s “purpose limitation” principle. Other regulators are likely to follow suit — now is the time to assess and mitigate potential compliance and enforcement risks.

On January 27, 2026, California Attorney General (AG) Rob Bonta announced an investigative sweep focused on businesses that use consumer data to individualize prices for their goods or services. Bonta framed the issue as follows:

Consumers have the right to understand how their personal information is being used, including whether companies are using their data to set the prices that Californians pay, whether that be for groceries, travel, or household goods. We need to know whether businesses are charging people different prices for the same good or service — and if they’re complying with the law.”

The California Department of Justice (DOJ) is issuing written inquiries to businesses with substantial online operations in the retail, grocery, and hotel industries that leverage individualized pricing. It is requesting certain information on this issue, including details about:

  • Companies’ use of consumer personal information to set prices.
  • Policies and public disclosures regarding personalized pricing.
  • Any pricing experiments undertaken by companies.
  • Measures companies are taking to comply with algorithmic pricing, competition, and civil rights laws.

This post summarizes the basis for the California DOJ’s investigatory sweep, how it intends to apply California Consumer Privacy Act (CCPA) requirements, and how businesses can prepare for and mitigate the risk of these inquiries and potential enforcement actions.

IoT_1200x600_GettyImages-1661051950

This article was republished on ALM’s Business Crimes Bulletin on September 30, 2025 and on Law.com on October 14, 2025.

Key point: Addressing the litigation and regulatory risks regarding tracking technologies requires a balanced approach between legal exposure and business impact, through a close and continuing collaboration between legal, technology, and business stakeholders.

U.S. companies face a massive wave of wiretapping law class action lawsuits and regulatory enforcement actions over online “tracking technologies.” Nearly every company with a website or app uses pixels, SDKs, cookies, session-replay technology, and chat/chatbot tools, putting them in the crosshairs. In California alone, plaintiffs have reportedly filed more than 1,800 lawsuits since 2022 under the state’s two-party consent wiretapping law (the California Invasion of Privacy Act (CIPA)). These laws carry statutory damages (e.g., up to $5,000 per violation under CIPA), which makes them an extremely attractive target for class action plaintiff attorneys. Plaintiffs’ attorneys have also issued thousands of demand letters, the settlement of which has helped build a war chest for funding further litigation.

Colorado state flags waving along with the national flag of the United States of America

Key point: Unable to reach an agreement on amending the Colorado AI Act during the special session, the Colorado legislature voted to delay the law’s effective date to June 30, 2026.

On August 26, the Colorado legislature ended its special session by voting to pass SB 4, which extends the Colorado AI Act’s effective date from February 1, 2026, to June 30, 2026. The bill will next head to Governor Jared Polis, who is expected to sign it into law.

Colorado state flags waving along with the national flag of the United States of America

Key point: Starting August 21, Colorado lawmakers will consider four bills that significantly amend the Colorado AI Act.

On August 21, Colorado lawmakers will reconvene for a special legislative session. Earlier this month, Governor Jared Polis called the special session to deal with a nearly $1 billion hole in Colorado’s state budget created by the federal government’s One Big Beautiful Bill (H.R. 1) and to consider amendments to Colorado’s first-in-the-nation Colorado AI Act.

Key point: The Colorado attorney general’s (AG’s) office is considering amendments to its Colorado Privacy Act (CPA) rules to provide further guidance to controllers subject to the law’s children’s privacy protections.

In late July, the Colorado AG’s office circulated draft amendments to the CPA rules. The draft amendments modify and supplement the existing CPA rules in reaction to the Colorado legislature passing two bills amending the CPA over the prior two sessions. Below, we provide an overview of the draft amendments and relevant context for the rulemaking.

Key point: The California legislature is currently considering several privacy-related bills that could impact the private sector.

The California legislature is currently in its summer recess, returning on August 18. Once it returns, it will have approximately five weeks to pass bills prior to closing for the year on September 12.

We are currently tracking 23 private sector AI-related bills and eight privacy-related bills that crossed chambers at the legislature’s deadline. If passed and signed into law, these bills could significantly impact companies doing business in California.

In this two-part series, we provide a brief summary of the bills and their current status. This article focuses on the privacy bills. Our prior article focused on the AI bills. Once the legislature reconvenes, we will provide regular updates on the status of the bills. If you are not already subscribed to this blog, we encourage you to do so to stay up to date.