This bill creates a new chapter (554J) that bars any person from using an automated decision-making system to change the price of a product or service for a specific individual when the change is based on surveillance data. It defines the covered technologies and the type of data at issue, and declares violations to be unlawful practices under Iowa’s consumer-fraud statutes, opening the door to civil enforcement and penalties.
The measure is significant for businesses that deploy algorithmic pricing and for privacy-focused compliance programs: it limits a common application of machine learning—personalized pricing driven by observed or inferred personal attributes—and channels enforcement through existing consumer-protection remedies, including injunctions, restitution, disgorgement, and civil penalties administered under chapters 714 and 714H.
At a Glance
What It Does
The bill defines two core terms—“automated decision-making system” and “surveillance data”—then prohibits price adjustments for a specific person if those adjustments rely on surveillance-derived inputs. It does not create a private new statutory cause of action; rather it folds violations into Iowa’s consumer-fraud enforcement framework and authorizes the attorney general to adopt implementing rules.
Who It Affects
Any entity using algorithmic pricing or personalization (retailers, online platforms, pricing-as-a-service vendors, ad tech firms) will need to audit whether their models use surveillance-derived signals to set individualized prices. The text carves out routine cost-based price differences, widely available discounts, insurer underwriting, and credit decisions governed by the federal Fair Credit Reporting Act.
Why It Matters
This law would constrain a common use of AI in commercial settings—dynamic, individualized pricing based on observed behaviors or biometrics—potentially requiring changes to data pipelines, model inputs, and vendor contracts. Compliance officers should prepare for rulemaking from the attorney general and enforcement under existing consumer-fraud channels.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill establishes a short new statutory scheme aimed squarely at algorithmic personalized pricing that relies on surveillance-style inputs. It starts by giving two working definitions: an "automated decision-making system" is a system that uses AI or algorithms to make decisions or predictions with little or no human intervention, and "surveillance data" covers information obtained by observing, inferring, or surveilling people that relates to their characteristics, behaviors, pay, biometrics, or group membership.
Those definitions set the scope of covered technologies and data sources.
The core prohibition appears next: no person may use such an automated system to change the price of a product or service for a particular individual when the change is based on surveillance data. The bill then explicitly connects violations to Iowa’s consumer protection apparatus by labeling such conduct an "unfair practice" under section 714.16 and by incorporating it into chapter 714H’s enforcement framework.
That linkage means remedies available under existing law—injunctions, restitution, disgorgement, and statutorily authorized civil penalties—apply to violations of this new chapter.Recognizing certain legitimate pricing differences, the bill lists four exceptions. Covered uses include altering price where differences stem from actual cost-to-serve variations; widely available, bona fide discounts such as membership or student discounts; insurers using automated systems for policy pricing; and credit decisions when the input is a consumer report subject to the federal Fair Credit Reporting Act.
Finally, the attorney general gets rulemaking authority under chapter 17A to implement and enforce the chapter, which will shape compliance details, interpretive guidance, and enforcement priorities.
The Five Things You Need to Know
The bill defines an "automated decision-making system" as an AI- or algorithm-driven system that makes decisions or predictions with little or no human intervention.
It defines "surveillance data" to include observed, inferred, or surveilled information about an individual’s characteristics, behaviors, salaries, biometrics, or group membership.
The statute prohibits using an automated decision-making system to alter the price of a product or service for a specific individual when the alteration is based on surveillance data.
Four exceptions narrow the prohibition: cost-to-serve price differences, bona fide widely available discounts (membership, student, military, senior, special-event), insurer pricing, and credit/transaction decisions relying on FCRA-regulated consumer reports.
Violations are treated as unfair practices under Iowa Code section 714.16 and chapter 714H, exposing violators to the attorney general’s enforcement and civil remedies available under those provisions.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions for scope — automated systems and surveillance data
This provision sets the boundary lines for the chapter. By describing an automated decision-making system in functional terms—AI or algorithms making decisions with little human intervention—the bill captures both in-house models and third-party pricing engines. The surveillance data definition is broad: it covers not only direct video or sensor feeds but also inferred attributes (like inferred income or group membership) and biometrics, which expands the prohibition beyond raw camera feeds to derived signals used in model features.
Core prohibition against person-specific price alterations based on surveillance data
This is the operative language that creates the offense. It is targeted at price changes for a "specific individual" when the driver is surveillance-derived inputs fed into an automated decision-making system. Because the statute applies to any "person," the prohibition reaches vendors, platforms, and service providers that set prices or supply algorithmic pricing tools to merchants. The text does not itself provide a new private cause of action but positions the conduct within the state's unfair-practices regime.
Enumerated exceptions limiting the ban
The bill lists four clear carve-outs that are important for operational compliance. Cost-to-serve differences are allowed, which means businesses can still vary price where legitimate operational costs differ by customer. Widely available discounts—membership, student, military, senior, and event discounts—are expressly permitted. The insurer carve-out preserves typical underwriting and premium-setting. Finally, actions based on FCRA-covered consumer reports (credit decisions such as extending credit) are excluded, reducing preemption conflicts with federal credit regulation.
Attorney general rulemaking and enforcement pathway
The attorney general is authorized to adopt rules under chapter 17A to implement and enforce the chapter. That rulemaking authority gives the AG latitude to define compliance details—such as what qualifies as surveillance data, recordkeeping expectations, safe-harbor criteria, or thresholds for enforcement—and to issue enforcement guidance. Because the bill relies on existing consumer-fraud statutes for penalties, the AG’s interpretive rules will be crucial for translating the high-level prohibition into enforceable standards.
Integration with consumer-fraud remedies and private actions
The bill amends Iowa’s unfair-practices statute and chapter 714H to add violations of section 554J.2 as unlawful conduct. Practically, that means the remedies and procedures in those chapters—civil penalties, injunctions, restitution, disgorgement, and private right-of-action remedies—apply to prohibited pricing conduct. The cross-reference also means plaintiffs and regulators can use familiar statutory mechanisms rather than a novel enforcement scheme.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Consumers facing individualized price increases: The statute blocks price adjustments based on observed or inferred personal attributes, protecting individuals from hidden algorithmic profiling that can raise prices without transparent criteria.
- Privacy-minded compliance programs at regulated entities: Companies that prioritize privacy or have strict vendor controls will see a clearer legal boundary that supports limiting surveillance-derived features in pricing models.
- Small merchants who rely on non-personal pricing models: Businesses that price by cost, inventory, or broad customer segments avoid competition from rivals using hyper-personalized surveillance-driven premiums.
- State enforcement agencies and consumer advocates: Embedding the prohibition in existing consumer-fraud law gives these actors a direct tool to challenge opaque algorithmic pricing practices.
Who Bears the Cost
- Online platforms and dynamic-pricing vendors: Firms that sell algorithmic personalization services or operate marketplaces may need to reengineer models, remove surveillance-derived features, or implement compliance controls for Iowa customers.
- Data brokers and behavioral-advertising firms: Entities that collect, infer, and sell surveillance-like signals could lose market value for certain data products if those inputs cannot be used for individualized pricing.
- Compliance and legal teams at retailers and service providers: Businesses will need to audit model inputs, update contracts with third-party AI providers, and prepare for potential AG rulemaking and enforcement actions.
- Insurers and credit-related firms (operation friction): Although carved out, insurers and credit adversaries may face regulatory scrutiny distinguishing permissible underwriting/credit uses from prohibited surveillance-driven price adjustments, increasing compliance complexity.
- Attorney general’s office: The AG will absorb rulemaking and enforcement workload; without additional resources, implementation and oversight could strain agency capacity.
Key Issues
The Core Tension
The bill balances two legitimate goals—preventing opaque, surveillance-driven price discrimination and preserving legitimate, cost- or risk-based price differentiation—but doing so requires drawing difficult lines between protected personal inferences and permissible operational signals; tightening the ban reduces exploitative personalization but risks constraining efficient, individualized pricing that benefits consumers and businesses.
The bill uses broad definitions and simple prohibitory language, which makes enforcement straightforward in principle but raises practical questions in application. The surveillance-data definition reaches both direct observational inputs and inferred attributes; that breadth will force regulators and courts to draw lines between innocuous model features (e.g., time of day, inventory-based surge pricing) and disallowed surveillance-derived inferences (e.g., inferred income, health status from behavior).
The attorney general’s forthcoming rules will be the de facto interpretive manual—and the quality and specificity of those rules will determine how disruptive the statute is in practice.
Another implementation challenge is attribution: when a platform supplies a pricing engine or multiple models combine to produce a quote, determining which component used surveillance data—and whether the resulting price alteration was "for a specific individual"—will be fact-intensive. The carve-outs reduce some friction (cost-to-serve, public discounts, insurers, FCRA-covered credit decisions), but they also create edge cases.
For example, a loyalty discount that is technically "widely available" may still rely on behavioral signals to target offers; insurers will continue using automated underwriting, but disputes could arise where models blend underwriting and marketing features. Finally, folding enforcement into existing consumer-fraud law provides robust remedies but leaves enforcement priorities and procedural details to the AG and courts rather than the statute itself.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.