At its most basic, social media compliance simply means following the rules when using social media to engage with the public. But it’s not that simple.
Social media compliance simply means following the rules when using social media to engage with the public.
But the truth is that social media compliance is hardly ever that simple. The “rules” are a complicated mix of industry regulations and federal, state, and local laws.
Common social media compliance risks
Social media and compliance requirements vary by industry and location. That means the risks also vary.
The most common risks and requirements generally fall into four broad categories:
- Privacy and data security
- Marketing claims
- Access and archiving
Let’s look at some of the ways these risks play out for social marketers.
Privacy and data security
While they vary by industry, privacy and data security requirements generally intend to:
- Limit who marketers can contact
- Specify how marketers collect and store data
- Ensure consumers know how their data is stored and used
There’s a lot of consumer protection legislation in this area. A few of the relevant regulations include:
- CAN-SPAM (in the United States)
- Canada’s Anti-Spam Legislation
- The California Consumer Privacy Act (CCPA)
- The EU General Data Protection Regulation (GDPR)
- The U.S. Children’s Online Privacy Protection Act (COPPA)
But the broad principles tend to be similar. Online marketers should not send unsolicited messages. They need to notify consumers when they collect and store personal data. And they need to ensure that personal data is stored securely and used responsibly.
The GDPR and CCPA in particular are strict about how advertisers use personal data. The regulations also specify how to notify people when you are collecting data. That includes using cookies or other methods.
Compliance can be a challenge. The CCPA came into effect on January 1, 2020. But by October 2019, only about half of U.S. security professionals said their firms would be ready in time.
The risk of non-compliance? For CCPA, a $2,500 fine for each unintentional violation and $7,500 for each intentional violation. That can add up fast.
Obviously, sharing confidential information on social media is not acceptable (or legal). But it’s not always obvious how far the compliance risks extend.
For example, take educators and those marketing educational institutions. They must follow strict confidentiality rules. These are based on the Family Educational Rights and Privacy Act (FERPA).
Those working in healthcare must understand the Health Insurance Portability and Accountability Act (HIPAA). It provides strict rules for how organizations use patient health information.
In short, you must keep client information in the strictest confidence. You cannot share information or photos without explicit consent.
For healthcare marketers, that includes photos and videos in which a patient or their records are identifiable. Simply resharing a post without signed consent could be a HIPAA compliance issue. And the fines can be steep.
Source: HIPAA Journal
Those in the regulated industries face specific social media compliance risks. But all social marketers need to be aware of marketing and advertising rules. These can come from bodies such as the Food and Drug Administration (FDA) and Federal Trade Commission (FTC).
The FDA, in particular, monitors claims related to food, beverage, and supplement products. The FTC often focuses on endorsements and testimonials. In the social sphere, that often means influencers.
Recently, the FTC required wellness brand Teami to pay a $1 million penalty. The case involved a range of social media compliance violations.
Teami made several non-compliant claims about their teas, according to the FTC. They said the teas could “fight cancer, clear clogged arteries, decrease migraines, treat and prevent flus, and treat colds.” Teami faced sanctions related to these unproven health and wellness claims.
Teami also faced compliance penalties related to influencer social posts. They worked with powerful influencers including Cardi B and Jordin Sparks.
Disclosures were not prominent enough on their influencers’ Instagram posts. Viewers could only see them after clicking “more.”
Access and archiving
In general, access and accessibility requirements aim to ensure access to critical information.
The U.S. Freedom of Information Act (FOIA) and other public records laws ensure public access to government records. That includes government social media posts.
This means government social accounts should not block followers, even problematic ones. Even politicians’ personal pages must not block followers, if they use those pages to conduct political business
Find more in our post on how to use social media for government.
Meanwhile, archiving requirements ensure each organization has a record of its social media activities. This can be required for legal cases and discovery.
Keep in mind that this list is not exhaustive. These are just some of the most common social media compliance challenges to be aware of.
Social media compliance for financial institutions
Financial institutions face an extensive list of compliance requirements for social media.
For example, take the Financial Industry Regulatory Authority (FINRA). It provides different compliance requirements for static and interactive content.
Static content is considered an ad and must go through pre-approval for compliance. Interactive content, though, goes through post-review. You must archive both types of social posts for at least three years.
What exactly is a static versus an interactive post? That’s a question each firm will have to answer for itself, depending on its risk tolerance. The compliance strategy should involve input from the highest levels of the organization.
The U.S Security Exchange Commission (SEC) also monitors for social media compliance violations.
For example, they recently issued a charge against the actor Steven Seagal. Among other offences, he failed to include appropriate disclosure in 2018 social posts. He was being paid by the cryptocurrency company mentioned in the posts.
While this post includes the hashtag #ad, the SEC said the post did not meet the requirements. “Any celebrity or other individual who promotes a virtual token or coin that is a security must disclose the nature, scope, and amount of compensation received in exchange for the promotion.”
In the U.K., the Financial Conduct Authority (FCA) has its own regulations governing social media compliance for financial institutions.
Those regulations can vary based on whether a social post is “real-time” or “non-real time.” But the distinction may not be as obvious as you’d think.
All posts require disclosure, even when there are word count restrictions. FCA provides good examples of compliant and non-compliant posts in its guidance document.
How to stay compliant on social media
1. Understand the regulations for your industry
If you use social media for regulated industries, you likely have compliance officers. They are your in-house compliance experts. They should be your go-to resource for any questions about what you can (and can’t) do on your social channels.
Your compliance officers have the latest information on compliance requirements. You have the latest information on available social tools and strategies. When the compliance and marketing departments work together, you can maximize the social benefits for your brand.
You also reduce the risks.
2. Create a clear social media policy
Make sure you have a good, up-to-date social media policy. This important document guides your social media activities. Which helps keep the team compliant.
Put your policy in writing. Make sure the team knows it is the foundational document for all social activity. This can help prevent honest mistakes made based on incorrect assumptions.
A well-meaning social marketer might reshare a public post that mentions the brand. Did they check the post against compliance requirements and get the required permissions? If not, that could be a serious violation. Even if your brand is tagged.
Clear guidelines for how to interact on social channels could prevent this type of simple mistake.
Your social media policy should include:
- A primer on the relevant rules and regulations
- An outline of social roles and responsibilities, including the approval process
- Guidelines to keep accounts secure, such as how to spot phishing attacks
We’ve got an entire post to walk you through creating a social media policy.
3. Create an acceptable use policy
Your social media policy guides staff and contractors on appropriate social media use. An acceptable use policy (AUP) helps fans and followers interact with you appropriately.
In Australia, the Therapeutic Goods Administration created a sample social media AUP. It encourages Australian advertisers to copy and paste the policy on their sites.
The sample policy explains how the relevant advertising code affects social channels. For example:
“We love when you comment and tag your friends and family on our posts but we ask that you do not … make comments about how a product works for you outside of its intended purpose, as these comments can be dangerous or misleading.”
This code is specific to Aussie rules and regulations. Still, it gives a good sense of the kinds of guidelines that could be more broadly applied.
“We may integrate web measurement tools with our social media pages…. These tools enable basic analysis of social media traffic … and do not collect personally identifiable information.”
5. Build compliance into influencer contracts
If you work with influencers, you need to make sure the posts they share on your behalf are compliant. Influencers are unlikely to have deep compliance knowledge. So it’s your responsibility to tell them about the requirements.
Build compliance requirements into your influencer contracts. Not everyone reads the fine print. So follow up to make sure your influencer partners understand what you’re asking.
But don’t rely on your policy alone.
“Keep an eye on what influencers are doing on your behalf,” the FTC advises. “If you pre-approve your influencers’ posts, don’t give them the OK unless they have adequate disclosures.”
6. Control access to your social accounts
You need to know exactly who has access to your social media accounts. You also need to give different team members different levels of access.
For example, you might want several team members to have the ability to create social content. But you might need principal approval before posting.
The City of Adelaide started social marketing with two expert social content creators. This small team helped ensure compliance with local laws and regulatory guidelines.
Then they introduced tailored user access privileges. This let them expand the team to 15 content creators without extra compliance risk. They decentralized content development while centralizing planning and approval.
Sharing passwords among your team members creates unnecessary risk. It’s especially problematic when people leave their role. A password management and permissions system is a must.
7. Monitor your accounts—and watch for imposters
Businesses need to watch for social comments and questions from fans and followers. After all, social media is not very social if your followers find themselves talking into a void.
When using social media for regulated industries, monitoring is even more important. You may need to respond to certain types of comments within a set time. You may also need to report comments to a regulatory body. For instance, those involving adverse drug reactions.
It’s also important to keep an eye out for social accounts that appear related to your organization but are not under corporate control.
This might be a well-intentioned advisor creating a non-compliant account using your brand name. Or, it might be an imposter account. Each can cause its own kind of compliance headaches.
The Swiss financial technology provider SIX conducted a social audit as part of its compliance efforts. It discovered 80 unofficial accounts. All of these were exposing the company to compliance risk. They contacted the social networks and had them taken down.
Start with a social media audit to uncover any unused or unofficial social accounts. Then put a regular social monitoring program in place. Keep an eye out for new accounts as they come online.
8. Archive everything
When using social media for regulated industries, all communications need to be archived.
Automated social media compliance tools make archiving much easier and more effective. These tools classify content and create a searchable database.
They also preserve messages in context. Then, you (and regulators) can understand how each social post fits into the larger picture.
9. Create a content library
With a large network of employees and advisors, it can be tricky to keep social content under control.
A pre-approved content library provides access to compliant social content, templates, and assets. Employees can share these across their social channels without requiring more approvals.
10. Invest in regular training
Compliance requirements are not always intuitive, and they are not set in stone.
Make social media compliance training part of onboarding. Then, invest in regular training updates. Make sure everyone understands the latest developments in your field.
Work closely with your compliance team. They can share the latest regulatory developments with you. You can share the latest changes in social marketing and social strategy with them. That way, they can flag any new potential compliance risks.
Social media compliance software and tools
Managing compliance can be a big job. Social media compliance software and tools can help.
AETracker is designed for life sciences companies. It identifies, tracks, and reports potential adverse events and off-label usage in real time.
You can also flag potential adverse events and send them to the AETracker app for analysis.
It’s better to catch non-compliant posts before they’re posted to your social media channels. Social SafeGuard does just that.
The app pre-screens all user posts and attachments. It checks to make sure they follow corporate policy and applicable regulations. Non-compliant posts are flagged for review and cannot be posted. It also creates a complete audit trail.
ZeroFOX automatically checks for non-compliant, malicious, and fake content. It can send automated alerts about dangerous, threatening, or offensive posts. It also identifies malicious links.
Machine learning helps identify scams targeting both your company and your customers.
When added to Hootsuite, Proofpoint screens posts in real time. Within the Composer, Proofpoint flags common compliance violations as you type. Proofpoint will not allow content with compliance issues to be posted.
Employees get the chance to learn and adapt as they go. They see clear guidance about the changes required to make a post compliant.
Smarsh checks for compliance and security risks through an approval workflow. Real-time review ensures compliance with corporate, legal, and regulatory policies.
All social content is archived, whether approved, rejected, or altered. The content can be supervised, collected, reviewed, added to cases, and placed on legal hold. It can also be exported in various formats.