The global conversation around data privacy changed dramatically in March of 2018. That’s when Cambridge Analytica made international headlines. It was the story of a shadowy political firm misappropriating the data of tens of millions of Facebook users without their knowledge. But really, the story was how Facebook, keeper of 2 billion users' private messages, photos, and social connections, let it happen.

Washington spent the better part of the year talking tough to tech companies and threatening a crackdown on the wanton collection, dissemination, and monetization of personal data. But all of that was just prelude. The real privacy showdown is slated for the year ahead.

Companies like Amazon, Apple, Facebook and Google are pushing hard for federal digital privacy legislation in 2019, and not quite out of the goodness of their hearts. This summer, California's state legislature passed a groundbreaking bill that would give residents unprecedented control over their data. The law, which has been widely criticized by pro-business groups like the Chamber of Commerce and the Internet Association, is set to go into effect on January 1, 2020.

SIGN UP TODAY Sign up for the Daily newsletter and never miss the best of WIRED.

So tech giants are racing the clock to supersede California’s law with a more industry-friendly federal bill. Given the bipartisan backlash to Big Tech in 2018, it seems possible that a deal on regulation could be reached, even in a divided Congress. “You have a bipartisan sense that some type of privacy legislation needs to happen, and at the same time, you have industry pushing for it,” says Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union. “We’re certainly in a moment that’s been different from moments in the past.”

The exact contours of that legislation will no doubt be the subject of debate among lawmakers, lobbyists, and privacy advocates in the months to come.

What would it look like if Silicon Valley got its way? Tech giants have offered some hints in numerous policy papers released over the last few months. The Internet Association, which represents companies like Amazon, Facebook, Google, and Twitter, released its own framework for a federal bill, as did the Chamber of Commerce. Intel went so far as to draw up a draft bill, tentatively titled the “Innovative and Ethical Data Use Act of 2018.” Central to all these proposals is the notion that a federal bill should preempt any statewide legislation—like, say, California's—from taking effect. "A strong national baseline creates clear rules for companies and ensures that individuals across the United States can expect consistent data protections from companies that hold their personal information," the Internet Association's proposal reads.

Want more? Read all of WIRED’s year-end coverage

This will likely be a point of contention between industry lobbyists and consumer rights groups like the ACLU, which argue that states should be free to pass stricter rules if a federal bill doesn't go far enough. "Any federal law should be a floor, not a ceiling," Guliani says.

The topic of preemption came up repeatedly during a recent hearing of the Senate Commerce Committee, where executives from Amazon, Apple, AT&T, Google, and Twitter, as well as Charter Communications all testified. Senators were predictably split on the matter. Republicans Mike Lee and Jerry Moran underscored the need to avoid a patchwork of privacy laws in different states, while Democrats like Brian Schatz called out the industry for trying to undercut the California law with a weaker federal one.

"I understand that from the standpoint of some of the companies, the holy grail is preemption. And I want you to understand that you're only going to get there if this is meaningfully done," Schatz said. "We're not going to get 60 votes for anything and replace a progressive California law, however flawed you may think it is, with a non-progressive federal law."

The Trump administration's National Telecommunications and Information Administration has released its own point-by-point proposal, describing in unspecific terms a set of "privacy outcomes" the administration would like to see. It too proposes a bill that would "harmonize the regulatory landscape" to "avoid duplicative and contradictory privacy-related obligations." The goal of the proposal, says NTIA spokesperson Anne Veigle, is to "serve as a point of information if Congress decides to move forward with privacy legislation."

“You have a bipartisan sense that some type of privacy legislation needs to happen, and at the same time, you have industry pushing for it.” Neema Singh Guliani, American Civil Liberties Union

Another key question is how any sort of federal legislation would be enforced. In California, tech giants lobbied hard against giving individual consumers the right to sue the companies for violations of privacy. They half-won: The new law holds that state residents can sue only in the event of a data breach. Otherwise, it's up to the state's attorney general to investigate. In Washington, industry groups hope to leave enforcement to the Federal Trade Commission. Critics of that approach say that the FTC has too little authority to impose meaningful penalties on companies, and that it's failed to act on what authority it does have.