Social media compliance: Three words that can strike fear into the heart of any marketer in the regulated industries. At its most basic, social media compliance simply means following the rules when using social media to engage with the public.

But the truth is that social media compliance is hardly ever that simple. The rules are a complicated mix of industry regulations and federal, state, and local laws. Marketers using social media for regulated industries need to understand their compliance obligations. They need to work within the rules to use social media as an effective and appropriate marketing tool.

“A good social media compliance program is an extension of a company’s communication and data governance strategy,” says Angus Chan, Hootsuite’s senior staff developer, product and privacy. “Having a program in place to establish processes and make decisions quickly is essential as the public becomes more aware of how their information is being used.”

In this post, we’ll look at how marketers can craft an effective social media compliance program. This will help address the most common social media compliance requirements and threats.

Bonus: Get the free social media audit template to see what’s working and what’s not. Save time and improve performance.

Common social media compliance threats

Social media compliance requirements vary by industry and by geographic region. That means the threats and challenges vary, too. Here’s a quick primer on just some of the compliance requirements you may need to be aware of.

Financial services and insurance

A recent study by the University of Massachusetts Dartmouth Center for Marketing Research found that all of the commercial banks in the Fortune 500 have both corporate Twitter accounts and corporate Facebook pages. Financial services companies are using social. That means they need to understand how compliance requirements apply to social channels.

The Financial Industry Regulatory Authority (FINRA), for example, imposes different requirements depending on whether a social post counts as static or interactive content.

Static content (a profile page or a standing post, for instance) is treated as a retail communication: a registered principal must approve it before it is published. Interactive content (real-time replies and conversations) is treated like correspondence: it does not need pre-approval, but it must be supervised and reviewed after the fact. Both kinds of content have to be retained for at least three years, in a form that can be retrieved and produced on request.

What exactly is a static versus an interactive post? That’s a question each firm will have to answer for itself, depending on its risk tolerance. The compliance strategy should involve input from the highest levels of the organization.

The U.S. Securities and Exchange Commission (SEC) also monitors social media for violations. In late 2018, for example, it charged music producer DJ Khaled for failing to disclose that he had been paid to promote a cryptocurrency offering in posts on his social accounts.

In the U.K., the Financial Conduct Authority (FCA) has its own rules for financial promotions on social media. Some of them differ depending on whether a post is “real-time” or “non-real time,” and the distinction may not be as obvious as you’d think: the FCA treats most social posts as non-real-time, because they can be drafted and reviewed before they go out.

Required disclosures and risk warnings apply even when a platform imposes character limits. Each post must be compliant on its own; you cannot rely on a link to fuller information elsewhere to make it so. The FCA’s guidance document (FG15/4) includes useful examples of compliant and non-compliant posts.

You can find more details in our post on how to use social media for financial services.

Marketing and advertising

Social marketers also need to follow rules that govern who they can engage with and how they handle the personal data they collect along the way.

The GDPR, for example, sets strict rules for how advertisers collect, use, and retain personal data about people in the EU. You need a lawful basis (such as consent) for the processing, and you must tell people clearly what you collect, including through cookies and other tracking methods, and why.

On the content side, both the Food and Drug Administration (FDA) and the Federal Trade Commission (FTC) have rules that affect what marketers and advertisers can say on social media.

The FDA watches for health and disease claims about food, beverage, and supplement products, including claims made in social posts. The FTC focuses on endorsements and testimonials, which in the social sphere usually means influencers. The basics of the FTC’s endorsement guides: an influencer must clearly and conspicuously disclose any material connection to the brand (payment, free product, or a business or family relationship); the disclosure has to sit in the post itself where viewers will actually see it, not buried in a string of hashtags or behind a “more” link; and the brand is responsible for making sure its influencers comply.


Government

The U.S. Freedom of Information Act (FOIA) and state and local public records laws give the public a right to request government records, and that includes government social media posts. All social posts need to be archived in a way that survives later edits and deletions, so they can be produced on request.

It also means government social accounts should not block followers, even problematic ones. Courts have recently held that even a politician’s personal account cannot block followers if it is used to conduct official business, since blocking people for their viewpoint violates the First Amendment.

Political advertising has its own set of compliance challenges.

While the Honest Ads Act is not yet in force, expect to see new rules and legislation related to political advertising in the coming year. Facebook and Twitter have both announced that they are on board with the Honest Ads Act. They have started implementing some of its requirements already.

Find more in our post on how to use social media for government.

Health and pharmaceutical

The Health Insurance Portability and Accountability Act (HIPAA) sets strict rules for how covered organizations use and disclose protected health information (PHI).

In short, you must keep that information confidential. You cannot share a patient’s health information on social media without the patient’s written authorization. That includes photos and videos in which a patient, or their records, can be identified in any way. Simply resharing a patient’s post, or replying in a way that confirms they are your patient, could be a HIPAA violation if no authorization is on file.

The privacy requirement also covers social posts in which a patient is not named but may still be identifiable from other details, such as location, dates, a rare condition, or a photo.

A Houston nurse was fired in August after posting about a measles case at the hospital where she worked. She did not mention the patient’s name, but her profile specified her workplace, where the boy she posted about was being treated. There were enough details that her posts were considered a HIPAA violation.

The FDA also has rules that healthcare and pharmaceutical companies need to follow on social, and they aren’t only about what you post yourself. You also have to keep an eye on what your fans and followers post. Companies must, for example, report adverse events (side effects and other safety issues) that people describe on their social channels, and they must document and respond appropriately to requests for off-label information.

For more details, check out our post on using social media for healthcare.

Keep in mind that this list is not exhaustive. These are just some of the most common social media compliance requirements and challenges to be aware of.

How to stay compliant on social media: 9 tips and best practices

1. Understand the regulations for your industry

It’s impossible to cover all the social media compliance regulations for all industries in one post.

If you use social media for regulated industries, you likely already have compliance officers on staff. They are your in-house compliance experts and should be your go-to resource for any questions about what you can (and can’t) do on your social channels.

Your compliance officers have the latest information on compliance requirements. As a social marketer, you have the latest information on available social tools and strategies. When the compliance and marketing departments work together, you can maximize the social benefits for your brand while minimizing the risks.

2. Create a clear social media policy

On that note, make sure you have a good, up-to-date social media policy. This important document guides your social media activities and helps keep the team compliant.

Put your policy in writing, and make sure the team knows it is the foundational document for all social activity. This can help prevent honest mistakes made based on incorrect assumptions.

“For example, say you find a public post that includes a photo with your brand,” Hootsuite’s Angus Chan says. “That doesn’t always mean you can repost it without permission.”

In fact, sharing such a post could be a serious violation, even if your brand is tagged. Clear guidelines about how to interact with patients and customers on social channels could prevent this type of well-intentioned mistake.

At a minimum, your social media policy should include:

  • A primer on the relevant rules and regulations
  • An outline of social roles and responsibilities, including the approval process
  • Guidelines to keep accounts secure, such as requiring two-factor authentication on every account, never sharing passwords (use a password manager or a team tool instead), revoking access promptly when people leave, and how to spot and report phishing attempts

We’ve got an entire post to walk you through creating a social media policy. It includes examples for health care and government.

3. Create an acceptable use policy

Your social media policy guides your staff and contractors on how to use social media appropriately. An acceptable use policy helps guide fans and followers to interact with your firm in ways that will minimize your compliance risks.

In Australia, for example, the Therapeutic Goods Administration has created a sample social media acceptable use policy that it encourages Australian advertisers to copy and paste.

The sample policy explains how the Therapeutic Goods Advertising Code affects a company’s social channels. For example:

“We love when you comment and tag your friends and family on our posts but we ask that you do not … make comments about how a product works for you outside of its intended purpose, as these comments can be dangerous or misleading—our products are developed for particular purposes, as stated on the label and/or in our advertising.”

This code is specific to Australian rules and regulations. Still, it gives a good sense of the kinds of guidelines that could be applied more broadly.

4. Control access to your social accounts

“Controls over your communication play a key role in a social media compliance program,” Chan says. “Understanding who is able to access and approve messages to your social media accounts is essential.”

Using a social dashboard like Hootsuite as a compliance management system, you can give team members permission to draft social content while reserving final approval for the appropriate senior staff or compliance officers. Because nobody needs the account passwords themselves, you can also revoke or lock down access to social channels quickly in a crisis, such as a suspected account compromise.

5. Monitor your accounts—and watch for imposters

All businesses using social media need to monitor for comments and questions from fans and followers. After all, social media is not very social if your followers find themselves talking into a void.

When using social media for regulated industries, monitoring is even more important. You may need to respond to certain types of comments within a set time. You may also need to report comments, such as those involving adverse drug reactions, to a regulatory body.

Automated compliance software tools like the AETracker app for Hootsuite can help by identifying, tracking, and reporting potential adverse events and off-label usage in real time.

It’s also important to keep an eye out for social accounts that appear to be associated with your organization but are not under corporate control. This might be a well-intentioned advisor creating an account that uses your brand name but is not tied into your compliance management system. Or, it might be an imposter account. Each can cause its own kind of compliance headaches.

When the Swiss financial technology provider SIX conducted a social audit, it discovered and shut down 80 unofficial accounts, all of which were exposing the company to compliance risk.

“We detected a large number of fake accounts we had no idea existed,” said Claudia Holfert, head of external communications at SIX.

Start with a social media audit to uncover any unused or unofficial social accounts. Then implement a regular social monitoring program to keep an eye out for new accounts as they come online.

6. Catch non-compliant posts before they go live

It’s much better to catch potentially non-compliant posts before they’re posted to your social media channels.

Automated compliance software tools can help.

For example, the Social SafeGuard integration with Hootsuite pre-screens all user posts and attachments. It checks to make sure they comply with corporate policy and applicable regulations. Non-compliant posts will be flagged for review and cannot be posted.

7. Archive everything

When using social media for regulated industries, all communications need to be archived, and screenshots saved by hand don’t cut it. The archive should capture every post, reply, edit, and deletion as it happened and be searchable, so you can produce records on request. Retention periods vary by regulator (FINRA’s is at least three years, as noted above), and some require the records to be tamper-evident.

An automated compliance archiving system makes this much easier and more effective. These tools capture and classify content as it is published and create a searchable database.

8. Create a content library

With a large network of employees and advisors, it can be tricky to keep social content under control. A pre-approved content library gives your people access to compliant social content, templates, and assets that they can share across their social channels.

9. Invest in regular training

Compliance requirements are not always intuitive, and they are not set in stone. Make compliance training a part of onboarding for any new employees who will have access to your social accounts. Then, invest in regular training updates to make sure everyone understands the latest developments in your field.

Work closely with your compliance team so that they can share the latest regulatory developments with you. They also need you to share the latest changes in social marketing and your corporate social strategy so they can flag any new potential compliance risks.

Hootsuite’s permissions, security, and archiving tools help keep all your social profiles compliant from a single dashboard. Try it free today.