On April 11, 2026, the Maryland legislature passed HB 895, the Protection From Predatory Pricing Act, prohibiting food retailers and third-party delivery service providers from using personal data to set higher prices their goods or services. Considering Governor Wes Moore's ardent support of this effort, his signature is all but guaranteed.

The first prohibition of its kind, PFPFA's final product is a study in the tension between consumer protection ambitions and the practical realities of regulating data-driven pricing. Food retailers, third-party delivery platforms, and broader consumer-facing merchants must understand which practices the law prohibits and, critically, the scope of its exemptions. 

What does the law say?

The gist of PFPFA is deceptively simple: it prohibits a food retailer or third-party delivery service provider from engaging in dynamic pricing or using personal data to set a higher price for food.

“Dynamic pricing” means offering or setting a personalized price for a good or service that is specified to a consumer based on the consumer's personal data, regardless of whether the seller collected or purchased the personal data. 

"Food retailers" means merchants operating a business establishment that (i) has a minimum of 15,000 square feet and (ii) sells food intended for off-premises consumption. Essentially, it targets large grocery and market-style stores. Restaurants and prepared food vendors fall outside the definition. 

"Third-party delivery service provider" means a merchant that facilitates the delivery of such food as a consumer service, but expressly excludes food retailers themselves. 

What isn't banned?

The exemptions are where many businesses will rightfully focus their attention. The law carves out a substantial set of pricing practices from its prohibition, including: 

• Promotional offers, loyalty program benefits, or other temporary discounts related to existing customer retention.
• Price differences attributable to objective costs such as shipping or location-based taxes.
• Price differences based on supply or demand associated with selling in different locations or geographies.
• Price differences based on the availability or supply of the good or service.
• Prices offered through loyalty, membership, or rewards programs that any consumer may voluntarily enroll or consent to participate in.
• Prices offered in connection with a subscription-based contract or agreement.
• Price corrections resulting from pricing errors.
• Price resets a price following a system or network outage. 

Thoughts and Takeaways

1. PFPFA's reach is narrower than its name suggests. By limiting the food retailer definition to establishments of at least 15,000 square feet selling tax-exempt food, PFPFA targets large grocery chains while leaving smaller independent grocers, specialty food stores, restaurants, and non-food retailers outside its scope.
2. The law restricts two methods of setting higher prices: (1) engaging in dynamic pricing or (2) using personal data. Because the law's definition of "dynamic pricing" is itself grounded in personal data, these two prohibitions are largely coextensive – likely a drafting artifact.
3. More meaningfully, the prohibition targets only higher prices. A business using personal data to offer a discount would likely fall outside the law's scope. Pricing regulation advocates have long resisted this narrower construction, arguing that a lower price for one consumer necessarily implies a higher price for another. How regulators, courts, and businesses ultimately resolve that tension will define PFPFA's practical reach.
4. The consent standard is borrowed from the Maryland Online Data Privacy Act: freely given, specific, informed, and unambiguous. Loyalty or rewards programs that auto-enroll consumers, bury disclosures in terms of service, use pre-checked boxes, or condition benefits on broad data processing consents will likely fall short.
5. Businesses subject to both PFPFA and MODPA should audit their data collection and use practices under both frameworks before October 1, 2026. PFPFA's consent-based pricing exemption does not clearly resolve whether collecting personal data for personalized pricing satisfies MODPA's strict, substantive data minimization standard. These are distinct yet inseparable compliance obligations.
6. Businesses that rely on financial incentives or loyalty programs to enable dynamic pricing will need to carefully navigate Maryland's new restrictions alongside California's financial incentive rules and Colorado's bona fide loyalty program framework.
7. Some exemptions (e.g., price corrections for errors, system outage resets, and differences based on product availability) appear to address conduct that would not necessarily involve personal data in the first place. Their inclusion nonetheless provides useful clarity on legislative intent and offers an explicit safe harbor on which businesses can document reliance.

Food retailers and third-party delivery platforms have limited runway for ensuring compliance: once signed, PFPFA takes effect October 1, 2026. Enforcement will be solely vested in the Division of Consumer Protection within the Maryland Office of the Attorney General, and includes a 45-day permanent cure period.