If the phrase “social media compliance” gives you chills, we don’t blame you. Compliance can be tricky in any role. In marketing, where so much of our work is public and scrutinized, it’s extra thorny.
In this guide, we’ll break down what risk and compliance mean on social media. We’ll also share examples and tools to help social media marketers stay compliant.
Compliance means following the rules. But in practice, ensuring social media compliance is hardly ever simple.
Social media compliance means following regulatory and legal guidelines on social networks. These include data privacy, advertising, content moderation, intellectual property rights, and disclosure requirements.
By following compliance guidelines, businesses can avoid risking legal issues and reputation damage.
There are many common compliance risks, and many regulations designed to mitigate them. They vary by industry and location but generally fall into the following categories.
Social media platforms collect a lot of personal data from users. Businesses can and do use this info for marketing and advertising.
But businesses must also work within data privacy laws. That includes obtaining appropriate consent and protecting the data from unauthorized access.
Here are some crucial data protection regulations grouped by region:
- USA: CAN-SPAM, California Consumer Privacy Act (CCPA), Children’s Online Privacy Protection Act (COPPA)
- Canada: Canada’s Anti-Spam Legislation (CASL)
- Europe: General Data Protection Regulation (GDPR)
- Global: Cross Border Privacy Rules (CBPR) Declaration
To save you from having to read the full details of each regulation, here are the general principles:
- Do not send unsolicited messages
- Notify users when collecting and storing their personal data
- Ensure users’ personal data is secure and used responsibly
These are general principles; confidentiality requirements can be far more specific depending on your industry. For example, those marketing educational institutions must follow the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).
Marketers must follow ad regulations when using social media to promote their business. This includes disclosing sponsored content and ensuring that advertisements are truthful. If you fail to do this, you risk facing fines or lawsuits.
In the US, organizations like the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) regulate social media posts. The FDA monitors claims related to food, beverage, and supplement products. The FTC scrutinizes endorsements and testimonials, primarily from social media influencers.
The Financial Industry Regulatory Authority (FINRA) monitors financial services businesses in the US. FINRA says that social media posts (and all other communications) must be “fair, balanced and complete.”
In the UK, the Advertising Standards Authority (ASA) monitors social media ads. Their rules are fairly straightforward. According to the ASA, “it must be obvious to consumers before … they interact with a social media post if what they are engaging with is advertising.” Since 2021, the ASA has publicly listed influencers who have failed to disclose paid posts.
All social media platforms have community guidelines. In creating an account, every business agrees to these guidelines. That means marketers must follow these rules when posting content on social media.
The risks can be serious if you violate a platform’s content guidelines. The platform may remove your post and even ban your account.
Sweetleaf Collective, a cannabis brand, experienced this firsthand. Meta shut down their account for promoting the sale of cannabis products.
Marketers must be careful to respect intellectual property rights when posting content online.
Copyrighted material can be any content created by someone else. This includes images, video clips, music, quotes, and more. Don’t risk using this content without permission. If you do, it can open your business to legal battles.
Memes are a bit of a gray area for intellectual property risks. In fact, both a meme and its original materials can be copyrighted or trademarked.
If you want to avoid the risk, check the ownership of a meme’s materials. To be safe, you should buy the rights to that photo before posting. If the image in a meme is available under an open Creative Commons license, it’s a little easier.
There are many benefits when employees use social media on behalf of their employer. But there are also increased risks.
All employees should know their responsibilities and relevant laws and regulations. This is especially important for regulations around confidentiality, data privacy, and advertising.
The Health Insurance Portability and Accountability Act (HIPAA) governs all healthcare employees. Generally, HIPAA restricts any posting of personal health information of patients. A HIPAA violation can be as simple as resharing a social post without signed consent.
Employee conduct (or misconduct) on social media can come with big financial penalties. Just ask MassMutual, a life insurance and financial services company. The company had to pay a $4 million fine for failing to flag an employee who initiated the GameStop stock frenzy. They were also ordered to revise their social media policies.
The best way to avoid employee conduct risks is to have an employee social media policy (more on this below).
The first step to staying compliant on social media? Learn the rules and regulations specific to your industry.
If you work in a regulated industry, your company has in-house compliance experts. They should be your first stop for questions about what you can (and can’t) do on social media platforms.
Sure, it can add extra time to your publishing process. But involving your compliance team in your approval process can reduce risks for your business.
If per-post approval isn’t necessary, show your compliance team your content creation process. This will allow them to identify risks and let you know when you should consult them.
Limiting access to your accounts is a smart way to keep your content under control. It’s also a great way to reduce compliance risks.
Many social media tools (such as Hootsuite) allow you to give different levels of access to each user type. That way, you only have to grant as many permissions as necessary. There are several compliance benefits to these permissions:
- Prevent unauthorized access to confidential information (personal data, financial information, and intellectual property). Unauthorized access to this information can lead to security incidents. These can result in legal or financial liabilities.
- Ensure that all content posted is accurate and truthful. This is important for regulated industries, where false information can have severe consequences.
Monitoring your own social media posts and engagements is critical for compliance. It can help you identify potential issues before they become serious problems.
Brands that work with external salespeople or affiliates should watch for inappropriate claims. The Direct Selling Self-Regulatory Council (DSSRC) handles claims in these cases. When sellers for the meal kit brand Tastefully Simple made improper income claims on social media, the brand was held responsible.
In regulated industries, social media monitoring is critical. In some industries, marketers need to respond to comments within a specified time. They may have to report comments, like ones about adverse drug reactions, to a regulatory body.
If you conduct customer service over social media, protecting confidential information is vital. If you need to request sensitive information over social media, use direct messages. Always discourage customers from sharing personal information publicly.
In regulated industries, all communications on social media need to be archived. That means keeping detailed records of your business’s social media activity. These records should include posts, ads, and user-generated content. This practice helps you prove compliance in the event of a social media audit or investigation.
We know this can sound daunting. Luckily, there are tools to ease and automate the archival process. They can classify content, create a searchable database, and preserve messages in context. Scroll to the end of this article for some tool recommendations.
So you’ve worked hard to learn your industry’s regulations — great! But how do you guarantee each post meets compliance standards? And what if you’re not the only one creating content or posting on behalf of your business?
The answer: create a library of pre-approved content that passes all compliance checks. Collaborators can use this library for easy sharing across their social channels.
IAG, a leading insurance company in Australia and New Zealand, built a content library to share with a network of over 18,000 brokers. After launching the library, 95% of brokers started posting content weekly. These posts earned 80% better reach than IAG’s corporate channel posts.
If you partner with brands or influencers, practicing proper disclosure is a win-win.
According to the FTC, content creators must disclose all “material connections” to brands in their posts. This includes personal, family, and employment relationships — not just financial relationships.
Brands should also ensure that influencer posts are not misleading. All claims about your products or services should be truthful. When working with influencers, brands should make sure their posts follow regulations. If an influencer breaks any laws, the repercussions could rebound on your brand.
Social media compliance training should be part of your new employee onboarding process. If employees are familiar with the rules, they’re more likely to flag compliance risks.
Social media platforms and compliance regulations change over time, though. To keep up, businesses should conduct regular social media compliance training.
Your compliance team will know the latest regulatory developments. Use their intel to keep your training up-to-date.
A social media compliance policy is a simple but effective way to educate your employees. It should explain why compliance is important and offer tips to help mitigate risks.
Your policy’s components will vary based on your industry and the size of your business. It might include several different types of policy, such as:
- Social media policy. Guides your internal social media strategy and employees’ social posts. It should include relevant rules and regulations, your content approval process, and more. We’ve created a complete guide on creating a social media policy.
- Acceptable use policy. Sets expectations for how fans and followers can interact with your brand. This policy helps reduce risks from public interactions on your social media accounts.
- Influencer compliance policy. Outlines disclosure and copywriting guidelines for influencers that work with your brand. You should share this policy transparently with influencers within your signed contract.
Here are some examples of actual social media compliance policies from businesses.
The Government of BC’s social media policy is an extensive toolkit. It explains how to use social media, examples of how to apply guidelines, and many more resources.
This policy is an excellent example for other government and public service organizations. It’s also a great reference for any business that wants to build a social media policy.
Source: Government of British Columbia
Flordis is a natural health products supplier based in Australia with a “Social Media House Rules” page on their website. It outlines how they handle social media interactions and content moderation.
American Express has a detailed influencer marketing policy. It requires that influencers disclose any incentives they receive for their content.
Financial institutions face extensive compliance requirements when posting on social media.
In the US, the Securities and Exchange Commission (SEC) monitors social media for compliance violations.
The SEC’s main rules on social media usage are:
- Businesses must include disclosures or cautionary statements (when necessary) when sharing certain information
- Before publishing nonpublic material information, businesses must inform investors and the broader market
- Executives and key employees must be careful when engaging online. Commenting, sharing links, or connecting with specific individuals can be viewed as endorsements
- Financial advisors can’t ask for or pay for reviews from clients. They also can’t edit or hide negative reviews
Static content is considered an ad and must go through pre-approval for compliance. Interactive content, though, goes through post-review. You must archive both types of social posts for at least three years.
In the UK, the Financial Conduct Authority (FCA) covers financial institutions. Their general stance on social media is pretty straightforward. According to the FCA, “financial promotions must … be fair, clear and not misleading.”
The Australian Securities and Investments Commission (ASIC) regulates financial institutions in Australia. Recently, ASIC issued a helpful information sheet for financial-focused influencers.
Learn more about how to use social media for financial services.
When it comes to healthcare compliance, all marketers should get familiar with HIPAA. Even if you aren’t based in the US, HIPAA’s general principles provide good guidance.
HIPAA says that healthcare providers can’t share any protected health information (PHI) on social media.
PHI can include the following:
- standard identifiers like name, address, birth date, and SSN;
- a patient’s health history and treatment plan;
- payments for care provided; and
- photos in which a patient’s name, face, or other identifying details are visible.
Some common HIPAA violations include:
- Sharing patient testimonials or case studies without explicit written authorization
- Sharing workplace photos with patients’ faces or identifying features in the background
- Using full names when replying to patients’ reviews or comments
- Uploading patient emails to create custom audiences on ad-targeting platforms
- Communicating with patients via non-HIPAA-compliant solutions
- Sending appointment reminders with PHI
The maximum fine for a HIPAA violation is $1.5 million.
While this all can sound daunting, we’ve got you covered. Check out our complete guide on HIPAA and social media compliance.
As you may have guessed, government institutions have several compliance considerations.
Marketers working at government institutions should understand the relevant regulations in their jurisdiction. Then, they should create guidelines that cover:
- Content. What is acceptable and what is not acceptable
- Citizen engagement. How to interact with citizens, including dealing with harassment and negative interactions online
- Representation. How to identify a profile as an official government or political account
- Disclaimers. Any disclaimers that should be added to profiles or messages and when
For government institutions, archiving is a requirement, not just a best practice. The US Freedom of Information Act (FOIA) and other public records laws mandate that the public have access to government records. These records include government social media posts.
According to FOIA, government social accounts should not block followers, even problematic ones. This includes politicians’ personal accounts if they’re used to conduct political business.
Read our complete guide about how to use social media for government institutions.
Hootsuite is an all-in-one social media management tool that helps marketers stay compliant.
First, Hootsuite allows you to create custom permissions for all users. You can require approvals from senior staff or compliance officers before content can be scheduled or published.
Second, Hootsuite’s content library enables you to create and store pre-approved content. This ensures that all content posted to your business’s accounts is fully compliant.
Hootsuite Amplify extends your approved content library to your entire employee network. This allows you to build a strong employee advocacy program without compliance risks.
Plus, Hootsuite integrates with many handy social media compliance apps and tools.
Brolly is a secure recordkeeping and archiving app used to meet compliance requirements. It’s used by organizations in government, education, financial services, and the private sector.
AETracker allows healthcare companies to identify, track, and report adverse events in real time.
Social SafeGuard pre-screens all posts and attachments. Non-compliant posts are flagged for review and cannot be posted. It also creates a complete audit trail.
When added to Hootsuite, Proofpoint flags common violations as you type your posts. It won’t allow you to schedule content with compliance issues. Proofpoint will even tell you why content is non-compliant. It’s like having a compliance officer living in your Hootsuite dashboard.
Read more about how to use Proofpoint and Hootsuite to keep your social media posts compliant.
Smart Moderation is an AI tool that monitors and moderates real-time user comments. The platform automatically detects and removes unwanted comments. It doesn’t require specific keywords or a blocklist.
Case management integrations allow you to convert any social conversation into a ticket in your case management system. They allow you to resolve complaints or inquiries without leaving your Hootsuite dashboard.
Save time managing your social media presence with Hootsuite. From a single dashboard you can publish and schedule posts, find relevant conversations, engage the audience, measure results, and more. Try it free today.
With files from Christina Newberry.