CISPA‘s sponsors insist the law is 100% voluntary—it doesn‘t compel companies to do anything. But as we‘ve been warning for a year and warned again yesterday, the bill‘s blanket immunity provision doesn‘t merely clear a „legislative thicket“ of laws restricting information-sharing about cyber threats. It also bars companies from making enforceable promises to their users about how they might share users‘ information with the government or other companies in the name of protecting cybersecurity.