A controversial cybersecurity bill touted by business groups and opposed by privacy activists has cleared the Senate, but months of congressional negotiations lie ahead before it can become law.

The Senate voted 74-21 on Tuesday to pass the Cybersecurity Information Sharing Act (CISA), which encourages companies to share data about cyber threats with the government. But because of significant differences between CISA and the two House-passed cybersecurity bills—the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act—the two houses of Congress must meet in a conference committee to agree on final legislative language.

“We’re going to move at a very slow pace,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.), a CISA cosponsor, told reporters after the vote.

“CISA needs to undergo a near complete makeover to make it palatable from a security and privacy perspective.”

Burr predicted that the conference committee would not produce final legislation until early next year. The Senate and the House must then pass that final bill before it goes to President Barack Obama‘s desk. The White House has already endorsed CISA, and Obama is likely to sign whatever bill emerges from the conference negotiations.

CISA’s opponents hope to use the months-long negotiations to either improve or derail the final bill. Civil-liberties activists worry that the provisions requiring companies and agencies to “scrub” personal information from shared data are too weak to effectively protect Americans’ privacy. Technologists, security experts, and cyber-law professors warn that the legislation would not prevent major cyberattacks like the breaches at Sony Pictures Entertainment and the Office of Personnel Management. Tech companies have also weighed in to oppose CISA in its current form.

Robyn Greene, a policy counsel at New America’s Open Technology Institute, said that Congress should reject any bill that emerges from the conference committee without substantial reforms.

“Congress does need to get serious about real cybersecurity, and CISA just isn’t [it],” Greene wrote in an email to the Daily Dot.

The Senate majority leader and the speaker of the House will appoint conference members from their chambers. Given the subject matter, custom dictates that the chairmen and ranking members of the intelligence committees be part of that group.

CISA’s passage was a landmark moment in a six-year-long campaign to pass cybersecurity legislation. But even the bill’s supporters wasted no time in calling for changes. Two financial-services trade groups asked Congress to remove a provision that requires the Department of Homeland Security to prepare reports on cybersecurity vulnerabilities in critical U.S. infrastructure, arguing that it represented new and burdensome regulation.

Civil-liberties groups aren’t giving up yet, either. Before the final vote on CISA, senators defeated five privacy-minded amendments, including one from Sen. Ron Wyden (D-Ore.) that would have strengthened language in the data-scrubbing provision, and one from Sen. Al Franken (D-Minn.) that would have more narrowly defined key cybersecurity terms. Privacy advocates hope that the conference committee, which will deliberate privately and as a small group, can incorporate some of those changes despite their failure on the Senate floor.

“CISA needs to undergo a near complete makeover to make it palatable from a security and privacy perspective,” Greene said, “but Senator Wyden and [Senator] Franken’s amendments are by far the best because they would have addressed both operational and privacy concerns.”

If the conference committee doesn’t make those changes, CISA opponents could always filibuster the final bill when it returns to the Senate. In the Open Technology Institute’s statement, Greene noted that the Wyden amendment received 41 votes, the bare minimum needed to block the Senate from taking up a bill.

Wyden said in a statement that, despite, the “early, flawed step” of passing CISA, “[t]he fight to secure Americans’ private, personal data has just begun.”

Keith Chu, a Wyden spokesman, said that the senator would continue that fight as the conference committee did its work.

“That’s one of the reasons that Wyden said he wants to keep pushing for stronger privacy protections,” Chu said in an email. “There could be a long conversation between the House and Senate over how to conference the two bills.”

Photo via Matt Tillett/Flickr (CC BY 2.0) | Remix by Max Fleishman