Social media compliance is a complex topic that can strike fear into the hearts of social marketers. In this post, we will try to make it a little clearer and a little less intimidating.
Compliance simply means following the rules. But in practice, social media compliance is hardly ever easy. The “Rules”are a complex mixture of industry regulations and federal, state, and local laws.
Social media compliance standards and risks vary by industry and location. The most common ones generally fall into four broad categories.
1. Privacy and data protection
General privacy and data protection requirements:
- Limit the circle of contacts of marketers
- Specify how marketers collect and store data
- Make sure consumers know how their data is stored and used
There are many consumer protection laws and regulations in this area. A few relevant rules include:
- CAN-SPAM (USA)
- Canada’s Anti-Spam Legislation
- California Consumer Privacy Act (CCPA)
- EU General Data Protection Regulation (GDPR)
- United States Children’s Online Privacy Protection Act (COPPA)
- Global Cross-border Privacy Policy (CBPR) Forum
General principles tend to overlap. In fact:
- Internet marketers should not send unsolicited messages.
- Marketers must notify consumers when they collect and store personal data.
- Marketers need to ensure that personal data is secure and used responsibly.
2. Privacy
Marketers need to understand the full range of privacy requirements in their industry.
For example, these marketing schools must comply with the Family Educational Rights and Privacy Act (FERPA) and the Student Rights Protection Amendment (PPRA).
It is very important that healthcare professionals understand the Health Insurance Portability and Accountability Act (HIPAA). Simply re-posting to a social network without a signed consent can be a HIPAA compliance issue.
In fact, all healthcare professionals are subject to HIPAA social media compliance rules. That’s why it’s so important to have an internal social media policy (see Tip #7 below).
For example, a series of tweets recently went viral in which someone claimed to work at the Barbados hospital where Rihanna gave birth. Tweets announcing her labor and delivery would have resulted in a significant fine for the hospital for non-compliance with HIPAA in the US.
For more information, check out our post on using social media for healthcare.
3. Marketing claims
Social marketers in all industries need to be aware of the rules of marketing and advertising in order to ensure a safe social media presence.
They may come from agencies such as the Food and Drug Administration (FDA) and the Federal Trade Commission (FTC).
The FDA monitors claims related to food, beverages and supplements in particular. They are currently particularly focused on curbing claims related to COVID-19.
The FTC often focuses on approvals and recalls. In the social sphere, this often means influence.
In the UK, the Advertising Standards Authority has taken a unique approach to inappropriate influencers. The authorities posted their names and pseudonyms on the web page. They even advertised on social media, naming influencers by their first names.
Source: Daily Mail
4. Access and archiving
Access and accessibility requirements aim to ensure access to critical information.
The United States Freedom of Information Act (FOIA) and other public records laws provide public access to government records. This includes government posts on social media.
This means that government social media accounts should not block followers, even problematic ones. Even personal pages of politicians should not block subscribers if they use these pages for political business.
Learn more in our post on how to use social media for government agencies.
Meanwhile, archiving requirements ensure that every organization has a record of social media activity. This may be required for legal cases.
1. Learn the rules of your industry
If you use social media for regulated industries, you probably have in-house compliance officers. They should be your source of answers to any questions about what you can (and can’t) do on social media.
Your compliance teams have the most up-to-date information on compliance requirements. You have the latest information on social tools and strategies. When compliance and social media marketing work together, you can maximize the benefits for your brand and mitigate risk.
2. Control access to social accounts
You need to know exactly who has access to your social media accounts. You also need to give different team members different levels of access.
For example, you might want multiple team members to be able to create social media content. But you may need approval in principle before publishing.
Sharing passwords between team members creates unnecessary risk. It is especially problematic when people leave their role. A system for managing passwords and permissions is required.
3. Monitor your accounts
In regulated industries, monitoring is especially important. You may have to respond to comments within a certain amount of time. You may also need to report comments to the regulator. For example, those associated with adverse drug reactions.
It’s also important to keep an eye on social accounts that are associated with your organization but are not under corporate control.
It could be a well-meaning consultant or a partner creating an inappropriate account. Or it could be an impostor account. Each of these can cause compliance headaches.
Any brand that works with external sellers should be on the lookout for inappropriate claims.
For example, the Direct Selling Self-Regulatory Council (SRCSB) conducts regular monitoring. They recently discovered that sellers of the multilevel marketing food kit brand Tastefully Simple were making unsubstantiated earnings claims on Facebook and Pinterest. The council notified Tasteful Simple, who contacted the sellers to withdraw the claims.
In some cases, Tastefully Simple was unable to remove claims. The board then advised the company:
“Use the social media platform’s mechanism for reporting intellectual property infringements and, if necessary, also contact the platform in writing and ask for the remaining social media posts to be removed.”
To avoid problems, start with a social media audit to identify social media accounts associated with your brand. Then implement a regular social monitoring program.
4. Archive everything
In regulated industries, all social media posts must be archived.
Automated social media compliance tools (see some tips at the bottom of this post) make archiving much easier and more efficient. These tools categorize content and create a searchable database.
They also keep messages in context. Then you (and regulators) will be able to understand how each social post fits into the big picture.
5. Create a content library
The pre-approved content library gives your entire team easy access to compatible social content, templates and resources. Employees, consultants and contractors can share them on their social networks.
For example, Penn Mutual provides an approved content library for independent financial professionals. Ease of posting means that 70% of Penn Mutual financial professionals share approved social content. They see an average of 80-100 shares per day.
6. Invest in Regular Workouts
Make social media compliance training part of your onboarding. Then invest in regular training updates. Make sure everyone understands the latest developments in your field.
Work with your compliance team. They can share the latest regulatory developments with you. You can share the latest developments in social marketing and social strategy with them. This way, they can flag any new potential compliance risks.
And perhaps most importantly…
7. Create Appropriate Social Media Compliance Policies
The components of your social media compliance policy will vary depending on your industry and the size of your business. In fact, it can include several different types of policy, for example:
- Politics in social networks. This guides internal social media activity and helps your team stay compliant. Include relevant rules and regulations, a description of social roles and responsibilities, an approval process, and account security guidelines. We have an entire post to help you create a social media policy.
- Acceptable Use Policy. This helps fans and followers interact with you in the right way. This helps reduce the risk of non-compliance based on public interactions with your social media.
- Privacy Policy. This informs people about how you use and store their data. Posting a strong privacy policy on your website is a requirement of many privacy laws. Make sure you’re targeting social media users specifically.
- Influencer Compliance Policy. Influencers are unlikely to have in-depth knowledge of compliance. Include compliance requirements in your contracts with influencers.
Social Media Compliance Policy Examples
Here is an example of each type of social media compliance policy mentioned above:
Social media policy: GitLab
It’s worth reading the entire GitLab social media policy for team members, but here are some good excerpts from their list of do’s and don’ts:
Source: GitLab
Acceptable Use Policy: Canopy Growth Corporation
The acceptable use policy for this subsidiary of Spectrum Therapeutics begins:
“We ask that all comments and postings be respectful of both Canopy Growth Corporation and other users.”
Among other guiding principles, the policy contains the following important recommendations:
“Do not post messages that are illegal, false, offensive, libelous, offensive, threatening, harmful, obscene, blasphemous, sexually oriented, or racially offensive.”
What if you ignore politics?
“Several offenders will be banned from using our social media channel after three warnings.”
Privacy Policy: Wood Group
The social media privacy policy for this group of companies describes how and why social data is collected, stored and shared. It includes information about both visitors and employees.
For example:
“The information we collect automatically may include information such as your IP address, device type, unique device identification numbers, browser type, wide geographic location (such as country or city level location), and other technical information. We may also collect information about how your device has interacted with our social networks, including pages visited, links clicked, or if you follow our social media pages.”
Influencer Compliance Policy: Fiverr
In its Influencer Support Policy, Fiverr lays out the FTC’s requirements. For example:
“Each social media influencer endorsement must clearly, conspicuously and unequivocally disclose their ‘material connection’ to the Fiverr brand.”
The policy contains detailed guidance on how to enable this disclosure:
“In order for a video to be approved, the influencer must make a verbal disclosure, as well as overlay the language of the disclosure on the video itself. For live support, the Influencer must make a verbal disclosure and repeat the disclosure periodically throughout the live broadcast.”
Fiverr also provides examples of approved disclosure statements:
Source: Fiverr
Social Media Compliance for Financial Institutions
Financial institutions face an extensive list of social media compliance requirements.
Take, for example, the US Financial Industry Regulatory Authority (FINRA). It provides different compliance requirements for static and interactive content.
Static content is considered advertising and must be pre-approved to be eligible. However, interactive content is post-reviewed. You must archive both types of social media posts for at least three years.
What is a static and interactive post? This is a question that each firm will have to answer depending on its risk tolerance. The compliance strategy should involve the highest levels of the organization.
The US Securities Exchange Commission (SEC) also monitors violations of social media requirements.
In the UK, the Financial Conduct Authority (FCA) has rules governing social compliance by financial institutions.
The FCA recently forced an investment app to remove all social media ads featuring influencers. The action was based on concerns about financial requirements. Among other things, Freetrade Ltd. quoted:
“A TikTok video that was posted to an Instagram story on an influencer’s profile that promotes the benefits of using the Firm to engage in an investment business, but does not include the required risk disclosure.”
Meanwhile, the Australian Securities and Investments Commission (ASIC) recently submitted RG 271. It states that financial services companies must confirm complaints within 24 hours. Even on social media.
You can find more information in our post on how to use social media for financial services.
Compliance management is a big job. Social media compliance tools can help.
1.Hootsuite
Hootsuite helps keep your brand aligned in several ways. First, it allows you to create custom permissions. Team members get access to social content creation, but final approval is limited to relevant senior staff or compliance officers.
Second, the Hootsuite Content Library allows you to create and store pre-approved, compatible content. Social groups can use and share this material at any time.
Hootsuite Amplify distributes approved content to your entire network of employees and consultants. This ensures that well-intentioned employees do not create unintended compliance risks.
Hootsuite also integrates with the social media compliance tools below for added security.
2. Brolly
A secure record keeping and archiving application used by multiple organizations in government, education, financial services, and the private sector to meet compliance requirements.
3.AETracker
AETracker is designed for companies involved in life sciences. It identifies, monitors and reports potential adverse events and off-label use in real time.
4. Social protection
This application pre-screens all user messages and attachments. It verifies that they comply with corporate policies and applicable regulations. Messages that do not meet the requirements are marked for review and cannot be published. It also creates a complete audit trail.
5 ZeroFOX
ZeroFOX automatically checks for inappropriate, malicious and fake content. It can send automatic alerts for dangerous, threatening or offensive messages. It also detects malicious links and scams.
6.Proofpoint
When added to Hootsuite, Proofpoint flags common compliance violations as you type your messages. Proofpoint does not allow the posting of content with compliance issues.
7.Smarsh
Real-time Smarsh validation ensures compliance with corporate, legal and regulatory policies. All social content is archived, whether approved, rejected or modified. Content can be controlled, collected, viewed, added to cases, and legally held.
Hootsuite’s permissions, security, and archiving tools keep all of your social media profiles up-to-date from a single control panel. See it in action today.