In a move that will have broad ramifications for any company that does business in the US, the California legislature has passed the nation’s strongest data privacy law.

The California Consumer Privacy Act of 2018, which takes full effect in 2020, will limit how big companies like Google, Amazon and Facebook, among others, collect and use personal data. It mimics the effects of Europe’s General Data Protection Regulation (GDPR), which took effect May 25 and resulted in a flood of email notifications to consumer inboxes.

Companies will be required to disclose the types of data they collect about consumers and with whom they share that information, and let consumers opt-out of having their data sold. If a consumer opts-out of having data sold, they cannot be treated differently under the new law. Any data collected must be stringently secured or fines will result.

California has long been a leader in privacy protections, and the new law is expected to serve as a template for other state legislatures in the US. The bill passed the legislature unanimously and was signed by Gov. Jerry Brown.

Anticipating the effects of the GDPR and the possibility of other countries and states enacting strict new laws, many larger companies have already been pro-actively preparing enhanced consumer privacy tools and regulations.