diff --git a/changelogs/client_server/newsfragments/2246.clarification b/changelogs/client_server/newsfragments/2246.clarification new file mode 100644 index 00000000..7d2625a6 --- /dev/null +++ b/changelogs/client_server/newsfragments/2246.clarification @@ -0,0 +1 @@ +Clarify that servers may choose not to use `M_USER_DEACTIVATED` at login time, for example for privacy reasons when they can't authenticate deactivated users. diff --git a/data/api/client-server/login.yaml b/data/api/client-server/login.yaml index 28de0be1..4eba954e 100644 --- a/data/api/client-server/login.yaml +++ b/data/api/client-server/login.yaml @@ -262,6 +262,8 @@ paths: or the requested device ID is the same as a cross-signing key ID. * `M_USER_DEACTIVATED`: The user has been deactivated. + Servers MAY instead use `M_FORBIDDEN` when they can no longer authenticate + the deactivated user (e.g. their password has been wiped). content: application/json: schema:
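Review bot: the newsfragment in `2246.clarification` says servers may choose not to use `M_USER_DEACTIVATED`, but it does not name the error they return instead, while the `login.yaml` text in the same patch names `M_FORBIDDEN`. Consider naming it in the changelog entry as well, for example "may instead use `M_FORBIDDEN` at login time", and aligning "can't authenticate" with the spec wording "can no longer authenticate" so the two lines read as the same rule.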
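Review bot: in the `login.yaml` hunk, the sentence added under `M_USER_DEACTIVATED` gives only the mechanism ("their password has been wiped") and leaves out the privacy reason that the newsfragment states, so a reader of the spec alone cannot tell why a server would choose `M_FORBIDDEN`. Consider stating the reason in the spec text too, and saying whether the `M_FORBIDDEN` response is expected to match the one returned for a failed login. If the two responses differ, a caller who has not authenticated can still tell a deactivated account from a wrong password, which works against the stated privacy goal.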