SB 259 adds a new Chapter 40 to California’s Business and Professions Code to stop businesses from setting prices shown on a consumer’s online device using certain device-derived inputs. The bill defines “online device” and “hardware state,” then forbids generating a price based in whole or in part on device hardware/state, the presence or absence of software, or geolocation-based inferences, while carving out narrow exceptions for repairs, trade‑ins, immediate-demand pricing, and legitimate location-based cost differences.
The law targets price personalization that relies on device fingerprinting and similar signals. Compliance will require platforms, retailers, and pricing-service vendors to audit data sources and model inputs, update engineering and product flows, and reassess how they use geolocation and device telemetry in pricing decisions.
The text leaves several implementation questions open—most notably enforcement mechanisms and how server-side modeling that uses device signals will be evaluated in practice.
At a Glance
What It Does
SB 259 bars a price shown to a consumer on their online device from being generated using (1) the device’s hardware or hardware state, (2) the presence or absence of software on the device, or (3) geolocation used to infer personal characteristics. The bill specifies narrow exceptions (repairs, trade-ins, immediate-demand services, and legitimate location-based cost differentials) and allows general public coupons that don’t incorporate the forbidden inputs.
Who It Affects
Online retailers, marketplaces, travel and ride‑hailing apps, dynamic‑pricing platforms, adtech and data brokers that perform device fingerprinting, and developers who build pricing models or ingest device telemetry. Compliance officers and product teams at companies that personalize prices will be directly responsible for changes.
Why It Matters
The bill creates a state-level limit on using device-derived signals for price personalization—shifting what many platforms treat as routine telemetry into a regulated input. That can force architectural changes (removing device signals from pricing pipelines), reduce some forms of micro‑targeted pricing, and set a legislative precedent other states or regulators may follow.
What This Bill Actually Does
SB 259 tackles a narrow but increasingly common source of price personalization: signals taken from the consumer’s device. It begins by defining the covered inputs: a broad “hardware state” (battery life, wireless connections, performance characteristics, age, and transient vs. persistent device data), the presence or absence of software, and geolocation information.
The operative prohibition says a price offered via the consumer’s online device cannot be generated in whole or in part using any of those inputs, with several enumerated exceptions.
The exceptions are concrete and limited. Firms can use hardware or hardware state to price repairs or maintenance and to calculate trade‑in values.
Geolocation may be used when pricing reflects real‑time demand for a product or service that will be delivered immediately, or when prices legitimately vary by physical location because of cost differences or state/local taxes and fees. Coupons and discounts remain lawful so long as they are separate from the quoted price, offered to the general public on the same terms, and do not incorporate the banned input data.
Practically, the bill will force businesses that personalize prices to inspect every place device signals flow into pricing logic.
That includes client-side scripts, server-side models that receive device headers or telemetry, third‑party pricing engines, and adtech feeds used to infer buyer characteristics. The statute explicitly makes these duties cumulative with other laws, so companies must still meet existing advertising and pricing statutes even after adjusting inputs.
Finally, the Legislature clarified that cellular broadcast technology—used for one‑to‑many alerts and not dependent on an individual device’s geolocation—is outside the statute’s definition of geolocation for these purposes.
SB 259 does not specify enforcement mechanisms or penalties in the text provided here; it therefore creates an obligation without an explicit private right of action or assigned enforcement agency in the chapter as written. That gap matters because compliance hinges on how regulators or courts interpret phrases like “generated in whole, or in part” and what proof will suffice to show a price used prohibited input data.
The Five Things You Need to Know
- The bill defines “hardware state” expansively to include transient and persistent device signals—battery life, connected wireless networks, performance characteristics, device age, and data that may be erased or retained on reboot.
- A price shown to a consumer via their online device may not be generated in whole or in part from the device’s hardware or hardware state, except when pricing repairs/maintenance or calculating trade‑in values.
- The bill outlaws using the presence or absence of any software on the device as an input to generate a price.
- Geolocation cannot be used to set a price based on inferences about the consumer, but may be used for real‑time demand pricing for immediately delivered services and to reflect legitimate physical-location cost differentials, including taxes and fees.
- Coupons and public discounts remain allowed so long as they are separate from the quoted price, offered on the same terms to the general public, and do not incorporate the prohibited device-derived inputs.
Section-by-Section Breakdown
Short title: Fair Online Pricing Act
This short section names the statute. Its practical effect is to frame the chapter as consumer‑protection and privacy legislation, which signals legislative intent that courts and regulators should read the rest of the chapter in light of consumer fairness and privacy concerns.
Defines key terms: coupon, discount, hardware state, online device
The definitions set the operational perimeter. “Hardware state” is unusually broad—covering both volatile and persistent signals—and “online device” covers common consumer hardware (phones, tablets, laptops). Because the prohibitions reference these defined terms, companies must map internal telemetry (battery, connected networks, stored device identifiers) onto the statutory language when auditing systems.
Core prohibitions on device-based inputs to pricing
This clause is the substantive heart of the bill: it prohibits using device hardware/state, software presence, or geolocation‑based inferences as inputs to generate a price shown on the online device. The language—“generated in whole, or in part”—is broad and likely to capture both direct use of device signals and indirect uses where models rely on features derived from those signals.
Enumerated carve-outs for repairs, trade‑ins, immediate services, and location cost differences
The statute explicitly allows device signals to be used for practical, narrowly defined purposes: repairs or maintenance pricing, trade‑in valuations, pricing tied to immediate delivery or demand (e.g., surge pricing for an on‑demand ride), and price differences that reflect legitimate costs or government taxes at different physical locations. These exceptions are functional but limited, leaving room for disputes over what qualifies as “immediate” or a legitimate cost differential.
Coupons and discounts: permissible when general and separate
Discounts, coupons, and rebates remain lawful provided they operate separately from the base price, are available to the general public on the same terms, and do not incorporate any prohibited device inputs. This preserves standard marketing promotions while closing a backdoor where device signals could be used to gate discounts.
Cumulative duties and legislative finding on cellular broadcasts
Section 22949.82.2 makes the chapter supplemental—companies still must comply with other price‑display and advertising laws. The Legislature also declares that cellular broadcast technology is privacy‑preserving and not covered by the bill’s geolocation restriction, which narrows the statute’s application for emergency broadcast systems and certain one‑to‑many services.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Price‑sensitive consumers, especially those using older or lower‑end devices: They are less likely to face upwardly adjusted prices that exploit device age, battery/state, or software signals that correlate with willingness to pay.
- Privacy‑minded users and advocacy groups: The ban reduces one vector of device fingerprinting used for opaque personalized pricing and strengthens consumer protections against invisible profiling.
- Brick‑and‑mortar businesses and location‑based sellers relying on transparent, location‑based pricing: The carve‑outs for legitimate location cost differentials preserve traditional local pricing structures and taxes.
Who Bears the Cost
- Online retailers and marketplaces: They must audit data pipelines and pricing models, remove or block device signals from pricing inputs, and reengineer personalization systems—an engineering and compliance cost.
- Adtech companies and data brokers that monetize device fingerprinting: Loss of a revenue stream and the need to shift products away from device‑level signals toward less intrusive targeting.
- Small app developers and SaaS pricing vendors: Smaller teams may struggle to separate telemetry used for analytics, security, or UI from telemetry fed into pricing, increasing compliance and legal risk without clear enforcement guidance.
Key Issues
The Core Tension
The central dilemma is protecting consumers from opaque, device‑based price discrimination while preserving legitimate, efficiency‑enhancing uses of device signals—like fraud prevention, repairs, trade‑in valuation, and real‑time demand pricing for immediate services—so the law risks either undercutting useful personalization or leaving loopholes that defeat its anti‑discrimination purpose.
The statute’s operational phrase—prohibiting prices “generated in whole, or in part” from covered device inputs—is deliberately broad, but the bill does not define burden of proof, enforcement authority, or remedies in the chapter as provided here. That creates uncertainty: companies must decide how strictly to treat indirect uses (features derived from device signals), whether server‑side models that receive device headers are covered, and how to demonstrate compliance in audits or investigations.
Practical questions also arise around cross‑device linking and third‑party processors: if a third party enriches a customer profile with device signals and feeds a pricing engine, who is responsible?
The exceptions create another set of trade‑offs. Allowing geolocation for immediate‑delivery demand pricing and for legitimate location cost differences preserves common commercial practices, but the statutory terms—“immediate” and “legitimate cost differential”—invite litigation over borderline cases (scheduled services, temporally proximate deliveries, or location‑based taxes vs. market‑driven price differences).
Finally, the law may incentivize firms to shift personalization onto signals not named in the statute (behavioral history, account tenure, payment history), producing the same discriminatory outcomes through other channels unless regulators or future legislation broaden the scope.