In 2008, the social networking site Classmates.com found itself on the receiving end of a class action lawsuit that focused on its membership recruitment tactics. The company has now settled the suit via the typical mechanism: trivial discounts to the affected parties, and some hefty legal fees. But, as part of the settlement, the company will have to abide by an agreement that's specific enough to dictate how it will set browser cookies on its members' computers.Classmates.com was sued because it allegedly sent out e-mails to anyone registered for its free service, suggesting that their fellow graduates were looking to contact them—they could find out who that person was if they'd simply upgrade to one of the subscription tiers. At least two individuals did so and quickly discovered that the mystery classmate didn't exist—nobody they knew had been looking.
As part of the settlement, Classmates.com didn't have to admit that it had actually sent out misleading e-mails, but the settlement does recognize that there's a distinct class of individuals who had received marketing e-mails during the time the offenses allegedly took place. Those individuals will have a choice of $3 in cash or a $2 credit towards their paid Classmates subscription. These payments are capped at a total of $9.5 million; if more people sign up, this total will be divided evenly among them. Any members, even if they didn't receive one of the marketing e-mails, will get a $2 credit.
For their troubles, the two initial representatives of the class who filed suits will get $2500. Their lawyers, however, can collect up to $1.3 million in attorney's fees.
So far, nothing out of the ordinary. But the company has also agreed to injunctive release terms that are rather specific about how it goes about its business. For starters, it won't be able to simply refer to its "guestbook" in any marketing; instead, it will have to use "Classmates® Guestbook," and hyperlink any use of the term to a detailed explanation of how the feature works. (The e-mails at issue said that a former classmate had browsed a user's guestbook.) Similar links will have to appear in the company's terms of service and information pages.
Another issue that's addressed by the injunctions is the handling of login credentials in some of Classmates e-mails. Apparently, the e-mails contained HTML, and would use it to test for the presence of a cookie that specified if a user was logged in; if they weren't, the e-mail would set the cookie to do so. This, not surprisingly, led to some problems when the company's users forwarded these e-mails—all the recipients would end up logged in to someone else's account.
Going forward, Classmates will clearly indicate this in its Privacy Policy, and each e-mail that uses a cookie of this sort will contain warnings against forwarding the message in all-caps. Not as good as ending the practice, but better than nothing.
Although the basic terms of the settlement are nothing out of the ordinary, the injunctive relief is rather unusual, in that it addresses both issues related to the practice at issue, and those that don't seem to directly relate, but could very well have seriously annoyed the parties to the suit—those parties not only seem intent on reforming Classmate's business practices, but its security practices as well. This seems unlikely to set a trend, but it's difficult not to wish that it would.
Source: Arstechnica.com
