X (formerly Twitter) has introduced daily posting caps for non‑paying accounts, restricting them to 50 original posts and 200 replies per day. The move raises questions about user rights under GDPR and CCPA, the potential for fines, and how creators can adapt while staying compliant.
X slashes free‑user activity to 50 posts a day
Elon Musk’s X announced on its help centre that accounts which do not subscribe to a paid tier will be limited to 50 original posts and 200 replies per day. The restriction also applies to other actions: 500 direct messages, 400 follows, and a handful of email‑change attempts per hour. The limits are enforced by the platform’s backend and are broken down into semi‑hourly windows, meaning that even a burst of activity can trigger a block.
The announcement arrived alongside a glitchy pricing page and a downed status page, leaving many creators scrambling for answers. While the move is framed as a way to “encourage monetisation”, it has immediate legal implications for data‑protection regulators in the EU and California.
Legal basis: GDPR, CCPA and the right to fair treatment
GDPR (EU)
Article 5(1)(f) of the General Data Protection Regulation requires personal data to be processed fairly and transparently. By imposing a hard cap on free users, X is effectively creating a two‑tier service where a large class of users—many of whom are EU residents—receive a materially reduced experience unless they pay. If the limitation is not clearly disclosed before registration, it could be deemed unfair processing under Recital 47.
Furthermore, Article 12 obliges controllers to provide concise information about any restrictions that affect the data subject’s ability to exercise their rights. X’s help page mentions the limits, but the sudden rollout without advance notice may breach this duty, exposing the company to supervisory‑authority investigations and fines of up to €20 million or 4 % of global turnover, whichever is higher.
CCPA (California)
The California Consumer Privacy Act grants consumers the right to equal service unless a price difference is justified. While the CCPA does not explicitly ban tiered services, Section 1798.115(b) requires businesses to disclose any material differences in the quality of service. If X’s caps significantly impair a user’s ability to communicate, California regulators could view the practice as an unlawful discrimination against non‑paying consumers, potentially resulting in statutory damages of $2,500–$7,500 per violation.
Impact on users and companies
For individual creators
- Reduced reach – With only 50 original posts, many micro‑influencers will hit the ceiling before the end of the day, limiting audience engagement and growth.
- Increased pressure to subscribe – The caps make the paid tiers appear essential, nudging users toward subscription fees that can range from $8 to $15 per month.
- Potential data‑rights violations – Users who feel coerced into paying may invoke their GDPR right to object to processing, arguing that the limitation is a form of unlawful profiling.
For brands and agencies
- Campaign planning disruption – Agencies that schedule multiple daily posts for client accounts must now factor in the cap, possibly splitting activity across several paid accounts.
- Compliance risk – Brands that rely on X for advertising must ensure that any data collected from free‑user interactions (likes, replies, DMs) is processed in line with GDPR’s purpose‑limitation principle. The new limits could be interpreted as a change in the purpose of data collection, triggering a need for a fresh lawful basis.
What changes are required?
- Transparent communication – X should update its Terms of Service and privacy notice to explicitly state the daily caps before users create an account. A clear FAQ section would satisfy GDPR’s transparency requirement.
- Grace periods – Offering a 30‑day trial of the full posting limit before enforcing the cap would demonstrate good faith and reduce the risk of regulatory backlash.
- Data‑subject rights workflow – Companies using X for marketing must update their internal processes to handle GDPR requests that reference the posting limits (e.g., a user asking for deletion of posts that were blocked by the cap).
- Alternative channels – Brands should diversify their social‑media strategy, incorporating platforms like Bluesky or the Fediverse (see the Electronic Frontier Foundation guide) to mitigate reliance on a single, increasingly restrictive service.
Looking ahead
The caps are likely to push a segment of X’s user base toward paid subscriptions, but they also open the door for enforcement actions under GDPR and CCPA. Regulators have shown willingness to penalise opaque or discriminatory practices, as seen in the €50 million fine against a major European ad‑tech firm earlier this year.
For now, free users should monitor the X status page (currently offline) and keep records of any blocked activity. Documenting when and how the limits affect your workflow will be useful evidence should you need to lodge a complaint with a data‑protection authority.
The situation remains fluid. We will update this article as X clarifies its policy or as regulators issue formal guidance.
Comments
Please log in or register to join the discussion