BixlerTech News, Servers, & Resources

CISPA: What is it???

The Center for Democracy and Technology says, "CISPA has a very broad, almost unlimited definition of the information that can be shared with government agencies and it supersedes all other privacy laws."

According to the Electronic Frontier Foundation:
"An ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns."

How the bill would work:

The bill encompasses three quite different kinds of information sharing, which pose very different considerations: sharing government information (attack signatures and other threat or vulnerability knowledge) with the private sector; sharing attack, threat and vulnerability information, including private communications data, among private sector companies for mutual self-protection; and sharing attack, threat and vulnerability information, including private communications data, with the government.

The first type of sharing is addressed in the section of the bill that authorizes the Director of National Intelligence to establish procedures through which companies could apply to become certified to receive cyberattack signatures and threat information from elements of the intelligence community. Once certified, a company could use that information for any purpose (except to gain an undefined “unfair competitive advantage”), including to protect its own network or the network of a company that had hired it to provide cybersecurity services.

The second and third kinds of information sharing are addressed in the provisions of the bill authorizing companies, whether certified or not, to use “cybersecurity systems” to obtain “cyberthreat information” and to share that information: (i) with other companies of their choosing subject to any limits the company authorizing the sharing might place; (ii) with any agency of their choosing in the Federal Government, but without any such use limits. Such sharing would be authorized even if otherwise barred by the electronic surveillance laws, other privacy statutes, or any other statutes at all.

Under the bill, when communications data is shared with the government, it could be used to prosecute an individual for any crime, used to target him or her for intelligence surveillance, and shared among governmental agencies to the extent permitted by current law and used by those agencies for any lawful non-regulatory governmental purpose. Data shared with other entities in the private sector could be used and redisclosed for any purpose, subject only to restrictions placed on such sharing by the entity authorizing the information to be shared – whether the authorizing entity is “self protected” or hires a “cybersecurity provider” such as an ISP. The bill itself places no limits on secondary use or dissemination of unclassified cyber threat information. Under the bill, the data can even be used to target advertising. Companies that in good faith share information impermissibly, or in good faith fail to act on information shared with them that reveals a vulnerability they leave unaddressed, are completely insulated from liability.

Much of the bill turns on definitions. The “cyber threat information” that a company is authorized to share is broadly defined as information

… directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of the system or network from—(A) efforts to degrade, disrupt or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property or personally identifiable information.

This includes not only meta-data, but also the content of communications themselves. The information does not have to be limited to that pertaining to a known or suspected attack or activity indicative of a probe or attempted attack. Instead, it encompasses any information “pertaining to the protection of” a system or network. All systems and networks are included, not just those that hold classified information or control critical infrastructure. Since any message could contain an attack, and since carriers routinely scan all their traffic in “protecting” their networks, this could allow all of that traffic to be shared with the government. Since all log-in information retained by a social networking site or an online merchant “pertains” to protecting that system, all that information could be disclosed to the government as well. The bill would permit companies to share this information without a court order for cybersecurity purposes with the National Security Agency, the FBI and any other government agency, which could then use the information for any purpose not otherwise illegal.
