California passed one of the toughest online privacy bills in the country Thursday, despite lobbying by Facebook, Google, Microsoft, Amazon, AT&T, and others, who poured money into an industry-aligned group that tried to defeat the measure.

If signed by Gov. Jerry Brown, the bill, the California Consumer Privacy Act of 2018, will require technology companies that collect user information to disclose the type of data they collect and details on the advertisers or other third parties with which they share data, and to allow customers to opt out of having the data collected about them sold. The new bill also gives customers the option to request that companies delete personal information collected on them—like data on how many kids a person has, their buying habits, location information, or other non-publicly available data. Companies that do peddle user data have to offer the new privacy options for free and won’t be allowed to degrade service if a customer opts to no longer have their data sold.

Perhaps most importantly, the new measure is enforceable. If companies fail to protect the data of their users, the state attorney general is allowed to sue, as are customers. That means if there’s another data breach, like what happened with Equifax last year, the attorney general can investigate and customers can mount a class-action lawsuit. Still, unlike the General Data Protection Regulation in the European Union that went into effect at the end of May, the new California measure doesn’t require notification in the event of a data breach, and the limit for damages is much lower, too. The GDPR allows fines to reach up to 4 percent of a company’s global revenue, which for an outfit as large as Google could mean over $2 billion. The maximum amount of damages a company is liable for under the California bill is $750 per person per violation, though in some cases the penalty may reach as high as $7,500 per violation. This, obviously, is substantially lower than billions of dollars. (Update, June 28, 7:05 p.m.: The law wouldn’t go into effect until 2020, and that could give tech companies the opportunity to find ways to water the measure down in the interim.)

If the measure had failed to pass, it would have ended up as a ballot measure in November. The initiative behind the bill had garnered 629,000 signatures by the beginning of May, nearly double the number of signatures required to send the measure to the polls. The main backer of the bill, Alastair MacTaggart, a San Francisco real estate mogul, agreed to withdraw the ballot measure if a slightly toned-down version was approved by the state legislature. Had the measure gone to the polls, there’s a strong chance that deep-pocketed Silicon Valley companies would have had the opportunity to pour large sums of money into advertising campaigns to defeat it. And Facebook ultimately decided it supported the bill, perhaps because it feared strong public support for a harsher ballot measure.

If the bill becomes law, technology companies will have to make a choice: Either create a new set of data collection and user protection provisions just for Californians—or extend the new data rights granted to Californians to everyone in the country. This is what happened in 2003 with the passage of the California Online Privacy Protection Act, which required websites to publish privacy policies when they collect data about users. Because California was the first state with such a law, and since posting a privacy policy for a website in one state and not others would be difficult to implement, California ended up setting nationwide internet privacy standards.

While members of Congress on both sides of the aisle have expressed interest in imposing data privacy regulations on American technology companies, actually passing a meaningful law is no small task. And now, the most populous state, which many of the largest tech companies call home, may be in the best position to force stricter regulation of the industry.