SB293 enacts the Consumer Pricing Act. It prohibits suppliers from using a consumer's personal data, biometric data, purchase history, or inferences drawn from those sources to set the price charged to an individual consumer, while expressly allowing the use of purchase history for customer loyalty programs or discounts.
The bill also requires suppliers that rely on automatic pricing systems to store the prices produced and the data used to produce them for at least three years.
The change puts Utah among states limiting individualized, data-driven pricing and creates new compliance and recordkeeping obligations for sellers and platforms that use algorithmic or automated pricing. For businesses that use machine learning models to vary consumer prices, the law introduces retention, documentation, and enforcement risks; for consumers it narrows the legal basis for personalized price discrimination but leaves room for loyalty-based discounts.
At a Glance
What It Does
SB293 bars suppliers from using personal data, biometric data, purchase history, or inferences from those data to set an individual's price, with a carve-out that purchase history may be used for loyalty programs or discounts. It requires retention of the output price and the inputs used by any automatic pricing system for three years.
Who It Affects
Retailers, digital platforms, travel and ticketing services, and any supplier using algorithmic or automated pricing systems; data brokers and firms that supply inference models; the Division of Consumer Protection, which will administer and enforce the new chapter.
Why It Matters
The bill restricts an increasingly common business practice — individualized or algorithmic price discrimination — by tying enforcement to recordkeeping and consumer-protection tools. Professionals in pricing, compliance, and privacy must evaluate both operational changes (logging and retention) and legal exposure under the new statute.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB293 creates a new chapter in Utah law called the Consumer Pricing Act and places it under the Division of Consumer Protection. The chapter starts with definitions that matter: an "automatic pricing system" covers software or processes that analyze data and either assist in or set a price; "personal data" is broadly defined and explicitly includes geolocation, real-time device tracking, and web browsing history.
The bill ties those definitions to the operational rules that follow.
The core substantive rule forbids suppliers from using a consumer's personal data, biometric data, purchase history, or any inference based on those categories to set the price charged to an individual. The statute then narrows the prohibition by allowing suppliers to use purchase history specifically for customer loyalty programs or to offer discounts.
That carve-out is limited to purchase history (not broader personal or biometric data) and applies only to loyalty/discount contexts described in the text.For suppliers that deploy automatic pricing systems, SB293 imposes a contemporaneous records obligation: sellers must store the price produced and the underlying data the system used, and keep those records for at least three years after the price-setting event. The retention requirement applies to the data used to set the price and to the price itself, creating an evidentiary trail for enforcement or civil actions.Enforcement authority rests with the Division of Consumer Protection.
The division can impose administrative fines up to $2,500 per violation, pursue court actions, seek injunctions, disgorgement, and other remedies the court deems appropriate. The bill also amends the statutory list of chapters the division enforces to add the Consumer Pricing Act, making enforcement part of its regular consumer-protection toolkit.
The act becomes effective May 6, 2026, with certain administrative timing noted for the broader division code changes.
The Five Things You Need to Know
The statute bars suppliers from using a consumer's personal data, biometric data, purchase history, or inferences from those data to set the price charged to an individual.
The only express pricing exception permits use of a consumer's purchase history to operate a customer loyalty program or to provide a discount; personal and biometric data remain excluded from that exception.
If a supplier uses an automatic pricing system, it must store the price set and the specific data the system relied on and retain those records for at least three years after the price was set.
The Division of Consumer Protection enforces the law, may impose administrative fines up to $2,500 per violation, and may bring court actions that can result in injunctions, disgorgement, and additional fines.
The bill's definition of 'personal data' specifically lists geolocation, real-time device tracking, and web browsing history, expanding the statute's coverage beyond simple identifiers.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions that frame scope (personal data, automatic pricing, purchase history)
This section sets the technical boundaries the rest of the chapter uses: it defines an "automatic pricing system" to include software that analyzes and then assists in or sets prices; it defines "personal data" to include geolocation, real-time tracking, and browsing history; and it defines "purchase history" and "supplier" by cross-reference. The breadth of "personal data" and inclusion of "inferences" in later provisions expand what counts as a prohibited input.
Prohibition on using consumer data to set individual prices
This is the core substantive rule. Suppliers may not base an individual consumer's price on the consumer's personal data, biometric data, purchase history, or inferences drawn from those categories. The section then narrowly permits the use of purchase-history data to run loyalty programs or give discounts. Practically, firms that personalize prices based on device location, browsing, or modelled inferences will have to stop or redesign those systems unless they fit within the loyalty/discount exception.
Recordkeeping requirement for algorithmic pricing
If a supplier uses an automatic pricing system, the supplier must store both the price produced and the specific data the system used to produce that price, and retain those materials for at least three years. The requirement creates an audit trail intended to enable enforcement and consumer remedies, but it also imposes data management, security, and retention costs on businesses that use algorithmic pricing.
Enforcement tools and remedies
The Division of Consumer Protection administers the chapter and gains explicit authority to enforce it, including administrative fines up to $2,500 per violation and the ability to bring civil actions. Courts can issue injunctions, order disgorgement payable to injured consumers, impose fines, and award other relief. The bill also clarifies that these remedies are cumulative with other state and federal rights and remedies.
Adds Consumer Pricing Act to division's enforcement portfolio
The bill amends the division's statute to add Chapter 82 (Consumer Pricing Act) to the list of chapters the Division of Consumer Protection enforces. That change operationalizes enforcement by placing responsibility within an existing regulatory home and enables the division to adopt rules and maintain public enforcement lists under its general authority.
This bill is one of many.
Codify tracks hundreds of bills on Finance across all five countries.
Explore Finance in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Consumers subject to individualized price increases — the prohibition narrows the legal path for sellers to raise a single consumer's price using their device data, location, or inferred attributes, which protects many shoppers from opaque, personalized price discrimination.
- Privacy-focused consumers — by treating geolocation, real-time tracking, and browsing history as covered personal data, the law strengthens consumer claims against targeted pricing based on behavioral surveillance.
- Participants in loyalty programs — the statute explicitly preserves the ability to use purchase history for loyalty programs or discounts, so customers who opt into such programs keep access to targeted rewards.
- State regulators and consumer advocates — the Division of Consumer Protection receives clear statutory authority and recordkeeping requirements that make investigations into algorithmic pricing practices more feasible.
Who Bears the Cost
- Retailers and platforms using algorithmic or dynamic individualized pricing — they must stop certain personalization practices or refactor systems to avoid using disallowed inputs, and they must support three-year data retention when using automatic pricing.
- Technology vendors and data brokers that supply inference models or behavioral datasets — their products may become unusable for individualized price-setting in Utah, reducing market demand for inference services tied to pricing.
- Small and mid-sized sellers that adopt automated pricing tools — compliance will require new logging, storage, and security processes that carry direct operational and IT costs.
- The Division of Consumer Protection — while enforcement authority expands, the division will incur investigative and rulemaking work without an appropriation in the bill, potentially stretching existing resources.
Key Issues
The Core Tension
The bill pits two legitimate goals against each other: preventing opaque, discriminatory individualized pricing that leverages surveillance-style data collection versus preserving commercial flexibility for data-driven, efficiency-enhancing pricing and loyalty programs; the statute tries to thread that needle with a narrow exception for purchase-history-based loyalty discounts and with retention rules to enable enforcement, but that compromise creates implementation gaps, compliance costs, and enforcement challenges with no clear, cost-free solution.
The bill leaves several implementation questions unresolved. First, "personal data" is broadly defined and the statute also bars pricing based on "inferences" drawn from that data.
Regulators and courts will need to decide where ordinary market segmentation ends and prohibited individualized pricing begins — for example, whether cohort-based price differences derived from inferred attributes count as individual price-setting. Second, the three-year retention rule applies only to automatic pricing systems, creating potential loopholes for hybrid models where a human adjusts prices after algorithmic suggestions or where systems influence pricing without being the final determinative process.
Determining what constitutes the "data the automatic pricing system uses" will also be contentious for models that rely on third-party feature pipelines or real-time signals.
The statute's penalties and remedies create another tension. The administrative fine caps at $2,500 per violation, which may be modest relative to gains from individualized price discrimination for large sellers; courts can award disgorgement and other relief, but private litigation economics will shape real-world deterrence.
The three-year retention requirement improves enforceability but increases business costs and creates additional security and privacy obligations — retained records may themselves include sensitive personal data the statute otherwise seeks to limit. Finally, the Consumer Pricing Act will interact with existing Utah privacy law and federal statutes, raising questions about preemption, overlapping duties to delete or minimize data, and how consent-based loyalty programs sit alongside a broad prohibition on using personal or biometric data for pricing.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.