Social media compliance is a complex topic that can strike fear in the hearts of social marketers. In this post, we try to make it a little more clear and a little less scary.
Compliance simply means following the rules. But in practice, social media compliance is hardly ever simple. The “rules” are a complicated mix of industry regulations and federal, state, and local laws.
Social media compliance standards and risks vary by industry and location. The most common generally fall into four broad categories.
1. Privacy and data protection
Privacy and data protection requirements generally:
- Limit who marketers can contact
- Specify how marketers collect and store data
- Ensure consumers know how their data is stored and used
There’s a lot of consumer protection legislation and regulation in this area. A few relevant regulations include:
The broad principles tend to overlap. Essentially:
- Online marketers should not send unsolicited messages.
- Marketers need to notify consumers when they collect and store personal data.
- Marketers need to ensure that personal data is secure and used responsibly.
2. Confidentiality
Marketers must understand the full scope of confidentiality requirements in their industry.
For example, those marketing educational institutions must follow the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA).
It’s essential that healthcare employees understand the Health Insurance Portability and Accountability Act (HIPAA). Simply resharing a social post without signed consent could be a HIPAA compliance issue.
In fact, all healthcare employees are governed by HIPAA compliance rules on social media. That’s why it’s critical to have an internal social media policy (see compliance tip #7 below).
For instance, a series of Tweets recently went viral in which someone claimed to work at the Barbados hospital where Rihanna gave birth. The Tweets, which announced her labor and delivery, would have landed the hospital with a significant HIPAA non-compliance fine in the U.S.
Hi! HIM professional here. If this occurred in the U.S. this would absolutely be a HIPAA violation. Not only would the employee be fired, but the hospital would face a huge fine. It’s weird that so many people in the comments are saying “this is fine.”
— Julie. Speak Now against injustice. 💜💜💜 (@herstrangefate) May 15, 2022
For more details, check out our post on using social media for healthcare.
3. Marketing claims
Social marketers in all industries need to be aware of marketing and advertising rules to build a risk-free social media presence.
These can come from bodies such as the Food and Drug Administration (FDA) and Federal Trade Commission (FTC).
The FDA, in particular, monitors claims related to food, beverage, and supplement products. Currently, they’re particularly focused on cracking down on claims related to COVID-19.
The FTC often focuses on endorsements and testimonials. In the social sphere, that often means influencers.
If you recommend or endorse products or services on social media, there is stuff you should know, start here: https://t.co/QVhkQbvxCy https://t.co/HBM7x3s1bZ
— FTC (@FTC) May 10, 2022
In the UK, the Advertising Standards Authority has taken a unique approach to non-compliant influencers. The authority posted their names and handles on a webpage. They even took out social media ads calling out the influencers by name.
Source: Daily Mail
4. Access and archiving
Access and accessibility requirements aim to ensure access to critical information.
The U.S. Freedom of Information Act (FOIA) and other public records laws ensure public access to government records. That includes government social media posts.
This means government social accounts should not block followers, even problematic ones. Even politicians’ personal pages must not block followers, if they use those pages to conduct political business
Find more in our post on how to use social media for government bodies.
Meanwhile, archiving requirements ensure each organization has a record of social media activities. This can be required for legal cases.
1. Understand the regulations for your industry
If you use social media for regulated industries, you likely have in-house compliance experts. They should be your go-to resource for any questions about what you can (and can’t) do on social networks.
Your compliance officers have the latest information on compliance requirements. You have the latest information on social tools and strategies. When the compliance and social media marketing departments work together, you can maximize the benefits for your brand — and reduce the risks.
2. Control access to social accounts
You need to know exactly who has access to your social media accounts. You also need to give different team members different levels of access.
For example, you might want several team members to have the ability to create social content. But you might need principal approval before posting.
Sharing passwords among team members creates unnecessary risk. It’s especially problematic when people leave their role. A password management and permissions system is a must.
3. Monitor your accounts
In regulated industries, monitoring is especially important. You may need to respond to comments within a specified time. You may also have to report comments to a regulatory body. For instance, those involving adverse drug reactions.
It’s also important to watch out for social accounts related to your organization but not under corporate control.
This might be a well-intentioned advisor or affiliate creating a non-compliant account. Or, it might be an imposter account. Each can cause its own kind of compliance headaches.
Any brand that works with outside salespeople needs to keep a particular eye out for inappropriate claims.
For example, the Direct Selling Self-Regulatory Council (DSSRC) conducts regular monitoring. They recently found sellers for the multilevel marketing meal kit brand Tastefully Simple making inappropriate income claims on Facebook and Pinterest. The council notified Tastefully Simple, who contacted sellers to remove the claims.
In some cases, Tastefully Simple was not successful in having claims taken down. The council then advised the company to:
“Use the social media platform’s reporting mechanism for intellectual property violations and, if necessary, also contact the platform in writing and request removal of the remaining social media posts.”
To avoid trouble, start with a social media audit to uncover social accounts related to your brand. Then put a regular social monitoring program in place.
4. Archive everything
In regulated industries, all communications on social media need to be archived.
Automated social media compliance tools (see some recommendations at the bottom of this post) make archiving much easier and more effective. These tools classify content and create a searchable database.
They also preserve messages in context. Then, you (and regulators) can understand how each social post fits into the larger picture.
5. Create a content library
A pre-approved content library provides your whole team easy access to compliant social content, templates, and assets. Employees, advisors, and contractors can share these across their social channels.
For example, Penn Mutual provides an approved content library for independent financial professionals. The ease of posting means 70% of Penn Mutual’s financial pros share approved social content. They see an average of 80-100 shares per day.
6. Invest in regular training
Make social media compliance training part of onboarding. Then, invest in regular training updates. Make sure everyone understands the latest developments in your field.
Work with your compliance team. They can share the latest regulatory developments with you. You can share the latest changes in social marketing and social strategy with them. That way, they can flag any new potential compliance risks.
And, perhaps most important of all…
7. Create appropriate social media compliance policies
The components of your social media compliance policy will vary based on your industry and the size of your business. It might actually include several different types of policy, such as:
- Social media policy. This guides internal social media activities and helps keep your team compliant. Include relevant rules and regulations, an outline of social roles and responsibilities, the approval process, and guidelines to keep accounts secure. We’ve got an entire post to walk you through creating a social media policy.
- Acceptable use policy. This helps fans and followers interact with you appropriately. It helps reduce compliance risk based on public interactions on your social properties.
- Privacy policy. This informs people how you use and store their data. Posting a robust privacy policy on your website is a requirement of many privacy laws. Make sure you specifically address social media users.
- Influencer compliance policy. Influencers are unlikely to have deep compliance knowledge. Build compliance requirements into your influencer contracts.
Social media compliance policy examples
Here’s an example of each type of social media compliance policy mentioned above:
Social media policy: GitLab
GitLab’s entire social media policy for team members is worth reading, but here are some good excerpts from their list of dos and don’ts:
Source: GitLab
Acceptable use policy: Canopy Growth Corporation
The acceptable use policy for this subsidiary of Spectrum Therapeutics begins:
“We ask that all comments and posts remain respectful of both Canopy Growth Corporation and other users.”
Among other guidelines, the policy contains this important advisory:
“Do not post messages that are unlawful, untrue, harassing, defamatory, abusive, threatening, harmful, obscene, profane, sexually oriented or racially offensive.”
And if you ignore the policy?
“Multiple offenders will be blocked from using our social media channel after three warnings.”
Privacy policy: Wood Group
The social media privacy policy for this group of companies lays out how and why social data is collected, stored, and shared. It includes details for both visitors and employees.
For example:
“The information we collect automatically may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Social Media, including the pages accessed,links clicked, or the fact that you became a follower of our Social Media pages.”
Influencer compliance policy: Fiverr
In its influencer endorsement policy, Fiverr outlines FTC requirements. For example:
“Each of the Influencer’s social media endorsements must clearly, obviously and unambiguously disclose their ‘material connection’ with Fiverr’s brand.”
The policy provides detailed guidance for how to include this disclosure:
“For video endorsements, the Influencer should make the disclosure verbally and also superimpose the disclosure language in the video itself. For live stream endorsements, the Influencer should make the disclosure verbally and repeat the disclosure periodically throughout the live stream.”
Fiverr also provides examples of approved disclosure wording:
Source: Fiverr
Social media compliance for financial institutions
Financial institutions face an extensive list of compliance requirements for social media.
For example, take the U.S. Financial Industry Regulatory Authority (FINRA). It provides different compliance requirements for static and interactive content.
Static content is considered an ad and must go through pre-approval for compliance. Interactive content, though, goes through post-review. You must archive both types of social posts for at least three years.
What exactly is a static versus an interactive post? That’s a question each firm will have to answer depending on its risk tolerance. The compliance strategy should involve input from the highest levels of the organization.
The U.S Security Exchange Commission (SEC) also monitors for social media compliance violations.
In the U.K., the Financial Conduct Authority (FCA) has regulations governing social compliance for financial institutions.
Recently, the FCA forced an investment app to take down all social media ads involving influencers. The action was based on concerns about financial claims. Among other things, the notice to Freetrade Ltd. cited:
“A TikTok video which was posted to an Instagram story on the influencer’s profile, that promotes the benefits of using the Firm to engage in investment business but does not include the required risk disclosure.”
Meanwhile, the Australian Securities and Investments Commission (ASIC) recently introduced RG 271. It states that financial services companies must acknowledge complaints within 24 hours. Even on social media.
You can find more details in our post on how to use social media for financial services.
Managing compliance is a big job. Social media compliance tools can help.
1. Hootsuite
Hootsuite helps keep your brand compliant in several ways. First, it allows you to create custom access permissions. Team members get access to create social content, but final approval is limited to appropriate senior staff or compliance officers.
Second, the Hootsuite content library lets you create and store pre-approved, compliant content. Social teams can use and share this material at any time.
Hootsuite Amplify extends approved content to your entire network of staff and advisors. This ensures well-intentioned employees don’t create unintentional compliance risks.
Hootsuite also integrates with the social media compliance tools below for extra protection.
2. Brolly
A secure record-keeping and archiving app used by several organizations in government, education, financial services, and the private sector to meet compliance requirements.
3. AETracker
AETracker is designed for life sciences companies. It identifies, tracks, and reports potential adverse events and off-label usage in real time.
4. Social SafeGuard
This app pre-screens all user posts and attachments. It checks to make sure they follow corporate policy and applicable regulations. Non-compliant posts are flagged for review and cannot be posted. It also creates a complete audit trail.
5. ZeroFOX
ZeroFOX automatically checks for non-compliant, malicious, and fake content. It can send automated alerts about dangerous, threatening, or offensive posts. It also identifies malicious links and scams.
6. Proofpoint
When added to Hootsuite, Proofpoint flags common compliance violations as you type your posts. Proofpoint will not allow content with compliance issues to be posted.
7. Smarsh
Smarsh’s real-time review ensures compliance with corporate, legal, and regulatory policies. All social content is archived, whether approved, rejected, or altered. The content can be supervised, collected, reviewed, added to cases, and placed on legal hold.
Hootsuite’s permissions, security, and archiving tools will ensure all your social profiles remain compliant—from a single dashboard. See it in action today.
Manage all your social media in one place, measure ROI, and save time with Hootsuite.