ContractsProf Blog

Editor: Jeremy Telman
Oklahoma City University
School of Law

Friday, January 31, 2025

Court Finds Twitter’s Terms of Service Unconscionable in Part

Plaintiffs allege that Twitter was a dumpster fire. Twitter’s Head of Security from 2020 until 2022 turned whistleblower and testified to Congress about pervasive problems with Twitter’s data security. Plaintiffs allege that, due to Twitter’s negligence on that front, Twitter experienced a massive data breach, and Twitter users’ personal information was harvested and then sold on the dark web. Plaintiffs allege special harm because they took advantage of Twitter’s invitation to users to post under pseudonyms. The data breach made it possible for people to establish the identities behind their posts. They filed a class action complaint, alleging seven causes of action, including breach of express and implied contracts. The others are of less interest to us beyond the fun bit where Twitter moves to dismiss the claim for gross negligence despite having already conceded that California law forbids limitations on liability for gross negligence. The court dryly notes that "it is unclear why Defendant would raise this argument here."

In Gerber v. Twitter, Inc., the issue was the enforceability of Twitter’s Terms of Service (ToS), which put Twitter’s users on notice that its services were provided AS IS and without warranties and that Twitter’s liability was limited to the maximum extent provided by law. Kandis Westmore, Magistrate in the U.S. District Court for the Northern District of California, got right to the heart of the matter, noting that ToS are enforceable unless unconscionable.


California tests unconscionability on a sliding scale, requiring some combination of procedural and substantive unconscionability. The court found that the ToS were “at least somewhat” procedurally unconscionable, in that they are a form contract of some length, and the objectionable terms appear on pages eight and nine of a twelve-page document. Twitter objected that the language was conspicuous, in large font and ALLCAPS and that it provided notice to users each time it updated its terms. Still, the court noted plaintiffs’ objections that “these terms were buried in lengthy forms drafted by the party who wished to enforce them.” In California, that is enough to establish at least some procedural unconscionability.

As to substantive unconscionability, while parties can disclaim liability, the problem here is that, taking the allegations of the complaint as true, Twitter had statutory duties to protect its users against data breaches and knowingly failed to do so. The court rejected Twitter’s claim that the statute in question cannot be relied on in support of common law claims for breach of contract or negligence. California courts have found otherwise.

The court granted Twitter’s motion to dismiss Plaintiffs’ allegations of a breach of an express contract. Plaintiffs relied on blog posts and website statements that they did not adequately link to the User Agreement. Moreover, Plaintiffs conflate Twitter’s promise not to disclose users’ personal information without their consent with a failure to maintain adequate data security measures. As a result, Plaintiffs could identify no express promise that Twitter breached. However, Plaintiffs did successfully allege breach of an implied contract based on representations on Twitter’s website about its commitment to data security. Those promises were then breached if, as alleged, Twitter failed to take steps to safeguard users’ information. I am not sure why the court dismissed Plaintiffs’ express contract claims but then upheld “implied” claims that are based on written promises. A written promise seems like an express promise to me.

In the end, the court dismissed plaintiffs’ claims for breach of an express contract and denied Twitter’s motion with respect to all other claims.

Tip of the hat to my former student Don Dechert, who alerted me to a post about the case on Eric Goldman’s Technology and Marketing Law Blog. Professor Goldman notes that the ruling is quite broad, rendering ToS ineffective to shield companies from liability for intentional conduct. There is no clear way to fix that infirmity. One might suggest that sophisticated technology companies not knowingly fail to protect their users from data breaches, but of course all plaintiffs have to do is plausibly allege knowing misconduct to create a litigation headache for the defendants.
