As tech giants and lobbying groups race to defang California’s landmark consumer privacy law before it takes effect next year, lawmakers on the other side of the country are considering a bill that's even more drastic.

The New York Privacy Act, introduced last month by state senator Kevin Thomas, would give residents there more control over their data than in any other state. It would also require businesses to put their customers’ privacy before their own profits. The bill is still seeking a cosponsor in the state assembly, but Thomas says he is confident that he has majority support in the senate and hopes to pass the bill this summer. The Committee on Consumer Protection, which Thomas chairs, is scheduled to hold a hearing on the bill Tuesday.

With it, the Empire State is poised to become the next battleground in the fight for state privacy laws. California became the first state to pass such a law last year with the California Consumer Protection Act; industry groups and consumer advocates have been sparring over its language ever since. Businesses argue that the CCPA is overly broad and that complying with different laws in every state is unworkable, preferring instead a lighter touch regulation at the federal level.

The New York Privacy Act bears some similarity to the California law. Like the CCPA, it would allow people to find out what data companies are collecting on them, see who they’re sharing that data with, request that it be corrected or deleted, and avoid having their data shared with or sold to third parties altogether.

Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.

But the New York bill, as it’s currently written, departs from the California model in significant ways. While the California law leaves enforcement to the state’s attorney general, the New York Privacy Act would give New Yorkers the right to sue companies directly over privacy violations, possibly setting up a barrage of individual lawsuits. Industry groups vehemently opposed a similar provision—also known as a private right of action—in California, and they succeeded in driving it out of the bill when it was finally signed into law last year. And while California’s law applies only to businesses that make more than $25 million annual gross revenue, the New York bill would apply to companies of any size.

The bill has already received praise from privacy advocates, including Mary Stone Ross, who helped write the California ballot initiative that formed the basis for the California Consumer Privacy Act.

"This on its own could spark change or at least fear," Ross says. "I'm sure the lobbyists of the big companies are freaking out right now."

Unsurprisingly, the draft is already facing staunch opposition from the tech industry. “The NY Privacy Act, in its current form, is unworkable for businesses that want to comply and fails to provide New York residents meaningful control over how their data is collected, used, and protected,” said John Olsen, a director for the Internet Association, which represents the likes of Facebook, Google, Amazon, and Microsoft.

Thomas met with the Internet Association before introducing his bill to hear what its members do and don't like about other privacy measures like the California law and the General Data Protection Act, which went into effect in Europe last year. Ultimately, however, the bill Thomas introduced still includes several line items that the industry opposes, like the private right to action and a requirement—similar to the GDPR—that companies obtain consumers’ affirmative consent before they process, share, or sell data.

Most notably, the New York bill would also require businesses to act as so-called “data fiduciaries,” an emerging idea in privacy circles that would legally bar businesses from using data in a way that benefits their companies to the detriment of their users. The concept, alternately known as an "information fiduciary," was coined by Yale Law School professor Jack Balkin, who has been promoting the idea since 2014 as one solution to data privacy issues. "To deal with the new problems that digital businesses create, we need to adapt old legal ideas to create a new kind of law—one that clearly states the kinds of duties that online firms owe their end users and customers," Balkin and his coauthor, Harvard professor Jonathan Zittrain, wrote in The Atlantic. "The most basic obligation is a duty to look out for the interests of the people whose data businesses regularly harvest and profit from."