California lawmakers unanimously passed a new privacy bill on Thursday that would give residents of the state more control over the information businesses collect on them and impose new penalties on businesses that don’t comply. It is the first law of its kind in the United States.

The so-called California Consumer Privacy Act of 2018 (AB 375) was introduced late last week by state assemblymember Ed Chau and state senator Robert Hertzberg, in a rush to defeat a stricter privacy-focused ballot initiative that had garnered more than 600,000 signatures from Californians. The group behind that initiative, Californians for Consumer Privacy, said it would withdraw it if the bill passed. The deadline to withdraw was Thursday, forcing the state legislature to fast-track the bill through the State Senate and Assembly and get it to Governor Jerry Brown's desk by the end of the day. The law takes effect in 2020, but in some ways, Thursday's vote is only the beginning, as business interest groups work to tinker with the legislation's details before then.

In a statement to WIRED following landslide votes in both state houses, Hertzberg said, "Today the California Legislature made history by passing the most comprehensive privacy law in the country. We in California are continuing to push the envelope on technology and privacy issues by enacting robust consumer protections---without stifling innovation.”

The new legislation gives Californians the right to see what information businesses collect on them, request that it be deleted, get access to information on the types of companies their data has been sold to, and direct businesses to stop selling that information to third parties. It’s similar to the General Data Protection Regulation that went into effect in the European Union last month, but adds to it in crucial ways. Under the GDPR, businesses are required to get users' permission before collecting and storing their data. But the way most companies have designed those opt-in pop-ups, "you really don't have a choice," says Ashkan Soltani, former chief technology officer of the Federal Trade Commission who helped author the ballot initiative.

The ballot initiative would have prevented businesses from denying service to consumers if they opt out of having their data tracked and stored. The law contains similar language, though it creates what Hertzberg calls the "Spotify exception," which allows companies to offer different services or rates to consumers based on the information they provide—for instance, a free product based on advertising. But, the bill states, the difference must be “reasonably related to the value provided to the consumer by the consumer’s data."

"The reason why we haven’t been able to do anything in privacy for 20 years is because the special interests are so powerful." Ashkan Soltani

Had the bill failed, it would have been up to voters to decide whether to support the proposal on the ballot in November. Prior to Thursday's vote, Alastair Mactaggart, the real estate mogul behind the ballot initiative sounded optimistic about his options. "We’re heartened by the momentum behind these endeavors, and the protections that both efforts seek to provide for consumers and our children," he said in a statement.

But ballot initiatives are far more difficult to change once they're passed, because amendments require yet another two-thirds majority vote on the ballot. That may be one reason why opponents within the tech industry reluctantly supported the passage of the bill, says Soltani: It’s easier to change.

“The senate can vote on amendments and the special interests can lobby on these amendments,” he says. “The reason why we haven’t been able to do anything in privacy for 20 years is because the special interests are so powerful.”

The tech industry did throw the full weight of its lobbying might---and money---at the fight against the ballot initiative, spending millions of dollars to oppose it through a group called the Committee to Protect California Jobs. They argued that the measure would open them up to liability that would hurt their businesses and their ability to hire. Hertzberg envisioned the bill as a compromise, in part, because it leaves the task of enforcing the law to the attorney general and takes the right to private action by citizens off the table, except in the case of data breaches.