Two sweeping new laws in California have been a heavy burden for us to bear here at Cagle Cartoons, Inc. I wrote about Assembly Bill 5 (AB 5) that limits California freelance cartoonists and columnists to 35 contributions to a publisher each year. Because of this limit, we will no longer consider submissions from California creators and we have dropped a number of California contributors from our Cagle.com site and our PoliticalCartoons.com store. Other California freelance contributors that stayed with us are no longer paid, because of AB 5.
The California legislature dropped a second bomb on us with the California Consumer Privacy Act (CCPA). This poorly written, overly broad law is intended to affect only very large companies and protect consumer information that should be kept private, but in their sweeping ignorance, the legislature has swept up Cagle.com along with the Silicon Valley giants.
The CCPA imposes a huge $7,500.00 per violation fine for failing to properly disclose information about an individual and delete a user’s data upon request; the colossal fine is intended to threaten Web behemoths like Google and Facebook, who make billions of dollars reselling consumer data. The law applies to companies with over $25 million of revenue, or companies that earn over half of their annual gross income from reselling consumer information, or who maintain data on 50,000 or more people – it is the 50,000 threshold that snares our tiny, little business along with many other unintended small business victims.
We have about 85,000 fans who have opted to subscribe to Cagle.com’s free, cartoon-a-day, email newsletter. We use the mailing list to maintain the community of fans on Cagle.com. The emails include links to my blog posts and new topical sections on Cagle.com; most of the traffic to Cagle.com is sustained by churning, with emails enticing the same fans to come back again and again to look at our new content.
50,000 sounds like a lot, but it is a small drop in the ocean of the internet.
Here’s how it works: if one of our emails has an enticing subject line we’ll get about 20% of the recipients to open the email; then, if the cartoon and link look interesting enough, another 20% of that number will click on the link to go to our site; so, perhaps 4% of the list, or around 3,400 fans, end up visiting Cagle.com from a typical email link. Since we have no outside site feeding traffic to us (as we used to have with msnbc.com), the newsletter keeps an active, but small community of political cartoon fans engaged with our cartoons and columns.
We’ve spent thousands of dollars in legal fees to comply with AB 5 and CCPA. The fines for failing to comply with AB 5 are steep, but a handful of $7,500.00 CCPA compliance fines are worse and could put our small business out of business.
Here’s some background to illustrate our risk …
Cagle.com is a target for hackers who we believe come from third world regimes with humorless dictators who don’t like how they are depicted in our cartoons; there are clues that lead us to this conclusion, including the content on our site at the times of the worst attacks and the distribution of the servers delivering the attacks. The hacks we suffer from are often unusually large, complex and sophisticated; they are designed to bring our business and Cagle.com down – unlike the common attacks that normal Web sites see, that are only looking to steal credit card information or to hijack servers for Bitcoin mining. A good example is a sophisticated attack about five years ago on our email server that we used for our Free Daily Newsletter.
Five years ago we had about 150,000 opt-in email addresses on our list. Hackers broke into our email server and, over the course of about eight months, slowly, daily, methodically, added small batches of valid email addresses to our list, which grew over the months of the hack to nearly 800,000 email addresses. We didn’t notice the added addresses. Unlike a more typical attack that would try to delete the data on our servers and bring Cagle.com down, the daily email list continued to be delivered every day without an apparent problem; we received the newsletters in our own accounts, as did all of our subscribers. We got few complaints from the hundreds of thousands of people who were added to the list by the hackers. We didn’t realize there was a problem over the months as determined hackers were bloating our email list.
People who didn’t sign up for our newsletter didn’t complain to us – but some of them complained to their own email providers, who placed Cagle.com on blacklists as a spammer. We ended up on all of the major email blacklists. Our newsletters, and our other business emails, were blocked and the newsletter stopped churning our traffic. It took some time for us to figure out what happened. We replaced the newsletter list with a backup we had from a year earlier and set out on a quest to get off of the blacklists, a difficult process that took a couple of years. We moved our email newsletter to MailChimp, which is more expensive but which has better security than we could manage on our own.
The experts who looked at the history of this hack told us that the attack was very unusual, and that the hackers were surprisingly sophisticated, motivated and patient, spending countless hours over the months, manually adding valid email addresses to our list. The experts hadn’t seen anything like it before. Instead of simply taking down our server such that we could put the server back up from a backup copy, this hack poisoned the well for us, with blacklisting that crippled our newsletter and our traffic for years to come. One comment the experts made was memorable, “Those guys must really, really hate you.”
As a target for hackers, we’ve come to realize that we can’t win; we can only respond and do our best against the persistence of the third world regimes that see cartoons as a threat. We’re small and we only do what we can (thanks again to Cloudflare’s Project Galileo for their generous support and protection against DoS attacks).
With continuing attacks, we can’t really be sure of what data is on our servers; we react and make fixes as we go along. We don’t keep sensitive data on our servers (like credit card numbers that can be stolen). We don’t run advertising on our sites. We never have and never will sell our data to anyone else.
Which brings me back to CCPA. Our modest Free Daily Newsletter, which allows our community of fans to function, subjects us to a potential $7,500.00 per-violation fine if we’re found to have data on our servers that we didn’t report to any inquiring user. This opens us up to a potential hacker attack that would threaten us with potential CCPA fines for non-compliance in disclosing or deleting data that we never knew had been placed on our servers. It wouldn’t take much of an effort for hackers to subject us to a handful of $7,500.00 fines that could take down our small business.
Companies in California are expected to spend an initial $55 billion simply complying with CCPA, according to The Los Angeles Times, with a “gold rush” of start-ups and consultants looking to take advantage of the anxiety that CCPA is causing countless small businesses in California, like ours.
Since we store street addresses for these editors, we must post this: … In particular, we have collected the following categories of personal information from its consumers within the last twelve (12) months: G. Geolocation data. Physical location or movements.
Since we keep notes on our contacts with the editors, we must post this: … In particular, we have collected the following categories of personal information from its consumers within the last twelve (12) months: K. Inferences drawn from other personal information. Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Since we store names and email addresses, we must post this: … In particular, we have collected the following categories of personal information from its consumers within the last twelve (12) months: A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
Since we acknowledge that we haven’t sold our data, we’re excused from some of the requirements of CCPA; for example, we’re not required to maintain a toll-free telephone number, and posting our regular phone number is sufficient. But we’re not allowed to broadly state that we have not sold our data in the past and we won’t sell it in the future; we have to use this wording: “In the preceding twelve (12) months, the Company has not sold personal information.”
The first advice my attorney gave me, before embarking on our expensive compliance journey under CCPA and AB 5, was, “You should move out of California.”
I’ve lived most of my life in California and I don’t want to move away from family and friends, so Cagle Cartoons, Inc. is suffering through the muck of risky, expensive, bone-headed, bad legislation. Since our business is small, it is fragile. Since we speak truth to power, we have many enemies around the world who would seek to take us down, and it is ironic that the worst threats to us, and to the press in California, come from our Democrat-controlled legislature in California.