New York's Algorithmic Pricing Disclosure Act, signed into law by Governor Kathy Hochul on May 9th, 2025, officially took effect this week. The act regulates algorithmic pricing and requires covered entities to clearly and conspicuously disclose to consumers when such pricing methods are used.
Six days before the law was originally to take effect, it faced a First Amendment challenge from the National Retail Federation, which argued that the mandated disclosures constituted compelled speech. However, the U.S. District Court for the Southern District of New York upheld the law, allowing enforcement to proceed.
Scope
The Act applies to entities that use “Personalized Algorithmic Pricing,” which the law defines as “dynamic pricing set by an algorithm that uses personal data,” to determine the cost of goods or services offered to consumers in New York.
The Act broadly defines personal data as “any data that identifies or could reasonably be linked, directly or indirectly, with a specific consumer or device,” excluding certain location data used by ride and transportation services “solely to calculate the fare based on mileage and trip duration between the passenger's pickup and drop-off locations.”
Other key terms clarifying the scope include:
“Algorithm” defined as, “a computational automated process that uses a set of rules to define a sequence of operations.”
“Dynamic Pricing” defined as “pricing that fluctuates dependent on conditions.”
Disclosure Requirement
Covered entities must clearly and conspicuously display that "THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA” along with their display of the offered, algorithmically set price.
Exemptions
The Act exempts entities subject to New York State’s insurance law, the Gramm-Leach-Bliley (GLBA), and New York State-regulated financial institutions, as well as pricing offers made to customers with subscriptions that are lower than their current subscription cost.
Enforcement
The New York Attorney General’s Office (OAG) has enforcement authority under the Act. The OAG must give alleged violators notice and the chance to cure alleged violations. If entities fail to cure violations, the OAG may ask a court to enjoin the activity. The court issuing this injunction may also impose civil penalties of up to $1,000 per violation.
Attorney General Letitia James has signaled her office’s readiness to enforce the new law. She has encouraged consumers who suspect that a company uses their personal data with algorithms to set prices without being properly informed of this practice to file complaints with her office.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.
Felicity Slater is an Associate at Hintze Law PLLC with experience in global data protection issues, data breach notification laws, privacy impact assessments, GDPR, and privacy statements.
Sam Castic is a Partner with Hintze Law, chair of the firm’s Retail Group, and co-chair of the Cybersecurity and Breach Response Group and FinTech + Financial Services Group. As a former chief privacy officer, he helps companies build, scale, and right-size privacy programs and strategies.
Clara De Abreu E Souza is an Associate at Hintze Law PLLC. She has experience with artificial intelligence, data privacy, and the regulation of emerging technologies, including evolving state and federal privacy laws, algorithmic accountability, and health data governance.