Facebook’s Cambridge Analytica scandal was not the impetus for the European Union’s General Data Protection Regulation (G.D.P.R.)—one of the strictest data-privacy laws passed anywhere to date. But in the aftermath of the leak of millions of people’s data to the Donald Trump-linked analytics firm, privacy concerns shot to the forefront of the public consciousness—and to the top of many lawmakers’ to-do lists. Concern was perhaps the most pronounced in California, the tech mecca and home to Silicon Valley itself. And so Alastair MacTaggart, a San Francisco-based real-estate developer, began to circulate a petition advocating for a California Consumer Privacy Act, a bill that would force tech companies into disclosing what exactly they did with personal user data. Some $3 million and more than 600,000 signatures later, MacTaggart gave lawmakers a choice: pass a privacy bill, or his initiative would go to ballot in November. “If the bill passes before [Thursday], we will withdraw our initiative. If it doesn’t, we will proceed to the November election,” he said in a statement earlier this week. “We are content either way, as we feel that both the legislative solution, and our initiative, provide tremendously increased privacy rights to Californians.”

On Thursday, lawmakers obliged, passing the California Consumer Privacy Act of 2018 and propelling America one step further down the path to its own version of G.D.P.R. In the country’s most populous state, the act will likely dramatically alter how businesses handle user data. Beginning in 2020, everyone from big tech companies like Facebook, Amazon, and Google down to smaller businesses will be required to disclose the kinds of data they collect from users and give to third parties, including advertisers. What was passed is slightly different from MacTaggart’s initiative: instead of requiring companies to disclose the identity of third parties that receive information about a user, the bill requires only the disclosure of the “category” of the third party. Consumers will be able to see the sources from which companies collect data about them and can opt out of having their data sold altogether, and businesses will be prohibited from selling the data of anyone younger than 16. In its current form, if companies fail to adhere to these guidelines, they can be sued by the state attorney general.

Tech giants had initially expressed opposition to the effort, though they eventually decided to compromise on the bill instead of attempting to fight it. Facebook Vice President Will Castleberry told Axios that while “not perfect, we support” the law, and an industry trade group called the Internet Association, which represents tech entities like Uber, Facebook, and Amazon, said it wouldn’t obstruct the proposal. “Maintaining people’s privacy and security has always been and remains a top priority of internet platforms,” Internet Association Vice President of State Government Affairs Robert Callahan said on Thursday after the bill’s passage. “Trust with IA member products and services is essential . . . and the internet industry is committed to providing people with information and tools to make informed choices about how their personal information is used, seen, and shared online.”

If tech companies maintain their stance, California’s law could set a new standard for the rest of the United States. For big companies like Facebook and Google, it may be more attractive to comply with California’s standards in every state, rather than attempting to maintain two different sets of rules: one for California, and one for the rest of the country. “Between the Europeans and California, we’re starting to move towards having a universal privacy bill of rights, and I just think it’s going to create a precedent that ultimately is going to be a national standard,” Senator Ed Markey told Axios on Thursday. Markey’s optimism, however, could be premature—the rules aren’t slated to take effect until 2020, giving corporate lobbyists plenty of time to wage aggressive campaigns to water them down.

Others are concerned that the bill doesn’t adequately address privacy concerns in the first place, or that it could backfire. Under its terms, tech companies are prohibited from offering lower-quality service to users who opt out of having their data sold to third parties; however, the rules stipulate that an I.S.P. or tech company could still charge them more. “I believe this path to pay for privacy is a dangerous and slippery slope,” state Sen. Hannah-Beth Jackson, a supporter of the bill, told The Washington Post. “This is a hastily drafted, bad bill that won’t protect Californians’ privacy,” the A.C.L.U. of Northern California tweeted. “We’ll be back next year to make sure the legislature gets it right.”