Court Declares Parts of Twitter’s TOS Unconscionable–Gerber v. Twitter

This is a data breach case involving a flaw in Twitter’s API that allowed malefactors to steal information about 200M Twitter users. Twitter invokes its TOS, including its warranty disclaimer and limitation of liability, against the plaintiffs’ claims for breach of contract, breach of implied contract, negligence, gross negligence, and unjust enrichment. However, everyone agrees that gross negligence can’t be preempted by contract. The court does an unconscionability analysis of the TOS’s applicability to the other claims.

Procedural Unconscionability

The “TOS was at least somewhat procedurally unconscionable” because the clauses at issue “were buried in lengthy forms drafted by the party who wished to enforce them.”

Substantive Unconscionability

“Plaintiffs clearly allege that Twitter knew of the vulnerability and declined to address
it….in light of Plaintiffs’ allegations of intentional conduct, the Court finds that the TOS is unconscionable, such that the negligence and contract claims are actionable.” However, Twitter may invoke them to try to limit damages at a later stage of the case.

Breach of Contract

The plaintiffs tried to pull in various statements from outside the TOS, including blog posts. The court rejects the request because “the user is not guided to the other documents as part of the User Agreement itself, but, rather, these are merely links that appear at the bottom of the same webpage, rather than in the body of the Agreement.”

Also, “Plaintiffs conflate the Privacy Policy’s promise of not disclosing users’ information to third parties without their consent with a promise to maintain adequate data security measures.”

As a result, the express contract breach claim is dismissed. The implied contract breach claim survives, however.

Implications

It’s always disconcerting for defendants when their TOS fails and they lose their risk allocation provisions like their warranty disclaimers and limitations of liability. Without the clauses, the defendants are left without their standard mechanisms to quantify and control their risks. Here, the court implies that standard TOS provisions always will be unconscionable as applied to any intentional conduct by the defendant–a potentially broad conclusion indeed. As a result, I can’t immediately think of a way to draft around this ruling.

Case Citation: Gerber v. Twitter, Inc., 2024 WL 5173313 (N.D. Cal. Dec. 18, 2024).