X
Headquartered in the United States, X is a social media platform with 250 million active daily users, as reported by the company in March 2024.
X, previously Twitter, has undergone drastic changes since its acquisition in 2022 by Elon Musk for USD 44 billion. Musk immediately took Twitter private, rebranding it as X in July 2023, followed by a change to its website domain in 2024. After taking over, Musk embarked on a series of changes to cut the company’s investments in trust and safety, loosen content moderation rules, and undermine company transparency. Notably, in April 2023, X revised its rule enforcement by restricting the reach of posts that “potentially” violate its policies and applying labels to them instead of removing them.
In the six months following its acquisition, X’s compliance rates with government censorship and surveillance demands increased, with full compliance reaching 80% compared to 50% in the preceding year. In the meantime, company transparency about such demands decreased, as the company did not publish transparency reports for two years. It finally released a new transparency report covering both its content moderation actions and law enforcement and legal demands in September 2024.[1] These and other changes led to a 15% drop in its score on the 2025 RDR Index, the largest decline among all the companies.
X Corp., X’s parent company, did not make any commitment to human rights. However, the platform itself committed to respecting users' freedom of expression and privacy. The company stopped disclosing any form of high-level and formal oversight of how its practices affect freedom of expression and privacy. Once again, it failed to conduct robust due diligence to assess and mitigate risks arising from regulations in jurisdictions where it operates. It also did not assess human rights risks associated with its processes for policy enforcement, targeted advertising policies and practices, and deployment and development of algorithmic systems. The company did, however, publish a report assessing systemic risks in the EU under article 34 of the Digital Services Act (DSA). This article requires very large online platforms (VLOPs) like X to assess risks associated with their design, functioning, and systems.[2]
At the end of March 2025, Elon Musk announced via a post on X that he had sold the platform to his artificial intelligence company, xAI, for USD 33 billion. The acquisition will enable xAI to leverage X’s vast user data to advance its AI models and technologies, while also using the platform as a direct channel to deploy and promote its innovations to a broad user base.
The 2025 RDR Index: Big Tech Edition covers policies that were active on August 1, 2024. Policies that came into effect after August 1, 2024, were not evaluated for this benchmark.
Scores reflect the average score across the services we evaluated, with each service weighted equally.
We rank companies on their governance, and on their policies and practices affecting freedom of expression and privacy.
X performed poorly in this category, disclosing no commitment at the group level to respect users’ freedom of expression and privacy (G1). The company stopped disclosing any form of oversight of how its practices affect freedom of expression and privacy (G2). This included oversight from the board of directors, which Musk dissolved. X lagged behind all companies assessed in the 2025 RDR Index on human rights due diligence, disclosing no information on whether it assesses risks associated with its policy enforcement processes, targeted advertising policies and practices, and deployment and development of algorithmic systems (G4b, G4c, G4d). It disclosed mechanisms for users to submit freedom of expression and privacy complaints, but it was unclear whether these covered all possible types of violations (G6a). Further, X disclosed limited information about its content moderation appeals process (G6b). It was unclear if this process covered all the types of content moderation actions that the platform can enforce on users’ content or accounts.
X ranked second in this category, behind Bytedance. It was transparent about the types of content, advertisements, and advertisement targeting parameters it does not allow as well as its processes for enforcing these rules (F3a, F3b, F3c). However, it provided no data about the amount of content, accounts, and advertisements it restricted to enforce these rules (F4a, F4b, F4c). While it was transparent about its process for responding to government censorship demands, it provided no data on the number of such demands and its compliance rates (F5a, F6). It disclosed how it deploys algorithmic systems to curate, recommend, and/or rank content and some options for users to control the variables affecting the recommendations they receive (F12). However, it did not state whether these systems are deployed by default.
X ranked sixth in this category, behind all of its U.S. peers as well as Bytedance. It clearly disclosed all the types of information it collects and its purposes for doing so (P3a, P5). However, it only disclosed some of the information it infers (P3b) and shares (P4) and for what purposes (P5). It reported data retention periods for some of the information it collects and disclosed that it deletes some of the information collected after users terminate their accounts (P6). However, the company provided no additional disclosures on its data retention policy, including which de-identified user information is retained and the timeframe for deleting users’ information. While it provided strong disclosures about its process for responding to government surveillance demands (P10a), it did not disclose any information about its process for responding to private requests for user information (P10b). It provided no data on the number of these demands and its compliance rates (P11a, P11b). The company did not disclose if it limits and monitors employee access to user information and whether it conducts security audits (P13). It improved its encryption policies by disclosing that some users can encrypt their private messages using unique keys (P16). However, it disclosed no information on how it responds to data breaches when they occur (P15).
[1] The transparency report was released after the policy cut-off date and was thus not considered in this assessment.
[2] In November 2024, the EU released the risk assessment reports submitted by VLOPs, including X, as required by the DSA. However, the reports were published after the policy cut-off date and were therefore not considered in this assessment.