Introduction
This checklist will assist in-house counsel, private practitioners and human resource professionals in developing policies to govern employees’ use of an organization’s social media accounts. It does not cover employees’ use of their personal social media accounts.
This checklist addresses the following steps:
- Determining the scope and level of employee access to social media accounts
- Establishing the organization’s purposes for using social media
- Establishing a system for the prior approval of posts
This checklist can be used in conjunction with How-to guide: How to establish a social media governance framework and Quick view: Legal risks associated with business social media use.
The checklist is presented as a list of considerations that can be checked off as they are addressed. After the checklist, there are explanatory notes corresponding with each requirement in the checklist.
Step 1 – Determine the scope and level of employee access to social media accounts
| No. | Requirement |
| --- | --- |
| 1.1 | Establish which employees should have access to the organization’s social media accounts |
| 1.2 | Define the different types of access permitted |
| 1.3 | Determine the organization’s stance on the use of social media management tools |
| 1.4 | Consider whether the accounts should be linked to a generic company email address |
| 1.5 | Establish a procedure for reassignment of administrator-level access in case of departure |
Step 2 – Establish the organization’s purposes for using social media
| No. | Requirement |
| --- | --- |
| 2.1 | Identify the organization’s goals in using social media |
| 2.2 | Include a link to other workplace policies |
| 2.3 | Reinforce messages through strategies and training |
Step 3 – Establish a system for the prior approval of posts
| No. | Requirement |
| --- | --- |
| 3.1 | Establish what approval is required |
| 3.2 | Set a timeline for approvals |
| 3.3 | Consider the necessity of compliance checks or approvals |
Explanatory notes
General notes/overview
Failing to have any social media presence is unlikely to be an option for many organizations in today’s information age. Entering the world of social media as an organization can be both daunting and exhilarating. Depending on the success of the organization’s approach, the attention generated through social media can bring new customers and strengthen brand recognition and loyalty. Alternatively, it can amount to a public relations disaster. Social media can also bring divergent results in-house, with social media-related decisions likely to both motivate and frustrate employees.
For information about social media governance generally, and the legal issues involved, see How-to guide: How to establish a social media governance framework.
Organizations can greatly reduce the potential for problems – and increase the likelihood of positive impacts – by considering several basic issues, and formalizing their conclusions in a social media policy.
Step 1 – Determine the scope and level of employee access to social media accounts
Staff members who have access to an organization’s social media accounts hold a considerable amount of power and responsibility. Their activity on these accounts will, for many customers and other external parties, be the only direct communication to which they will be privy. Organizations therefore need to choose carefully who will represent the organization’s ‘public face’ on social media.
1.1 Establish which employees should have access to the organization’s social media accounts
Deciding which type of staff members are allowed to use the organization’s social media accounts involves finding the right balance between limiting access too strictly and giving access to too many people.
Limiting access too severely can create various problems. As further addressed below, such problems are particularly likely to arise when employees with access to the accounts leave the organization. Bottlenecks are also a real concern, and can occur for many different reasons, such as designated staff being out on holiday or due to illness, forgetting the password, or failing to quickly follow up on messages received in connection with the social media account. Tightly restricting access can also lead to an overly narrow representation of the organization online.
On the other hand, allowing broad access can result in too little control over what is said, which can lead to inconsistent messaging, public relations problems or legal issues. In addition, unfettered access is likely to trigger considerable administrative confusion in-house.
While the exact numbers of employees with access will always depend on the organization and the context, in order to avoid access problems, it is recommended to have an administrator and at least one back-up administrator. It may also be advisable to give access to staff members from various departments, as they will have different types of knowledge and expertise, so their contributions will produce a fuller representation of the organization online.
1.2 Define the different types of access permitted
It is possible to give different types of access to social media accounts. For example, administrators typically have full control of the accounts, meaning they can not only publish posts themselves, but can also edit and approve posts by others, and have additional powers such as changing the password or the email address associated with the social media account. Content creators can usually draft posts, but can no longer edit them after they have been approved, nor can they approve or directly publish them.
It is generally advisable to give limited access to a broader group, but to restrict full access rights. For example, some social media accounts allow adding teams up to a certain number of people, and designating some as managers and others as contributors, with the contributor’s posts requiring approval by the manager(s).
Regardless of which approach is used, organizations should make sure to centrally document who has what kind of access to which accounts.
1.3 Determine the organization’s stance on the use of social media management tools
Social media management tools allow organizations to manage their social media activity in a centralized way, typically via a single app or interface. This means that the settings chosen are applied for multiple social media accounts. It is also possible to use a management tool for a single social media account.
Using such tools can be efficient. For example, staff members are not wasting valuable time by individually logging on to the various channels to post what may ultimately be identical content, and they can often automate post scheduling. Depending on the app, it may also provide useful analytics that provide insight into which kind of posts work best.
On the other hand, such tools cost money, and the more sophisticated and effective versions are more expensive. They also may not cover all of the channels an organization would like to use, or may limit the number of posts that can be scheduled within varying timeframes. The analytics provided by the individual platforms themselves are often stronger than those available via third-party apps.
Regardless of whether or not management tools are used or required, it is vital to clarify the organization’s approach in writing.
1.4 Consider whether the accounts should be linked to a generic company email address
It is surprisingly common for an organization’s social media accounts to be tied to a particular employee’s personal email address. This can cause considerable problems, such as when the employee leaves, taking access to the accounts with them. Any attempts to change the linked email will require changing the password – but this is possible only via the linked email account, and so will be possible only in the case of a cooperative former employee.
At a minimum, it is absolutely vital to require all social media accounts to be linked to an organization email address, rather than to a personal one. It may also be advisable to make this a generic, permanent account, rather than an email account held by a particular individual at the organization – for example, [email protected]. This can mean that the main employee responsible for social media activity has to keep track of more than one email account. However, this approach also permits several people to share the account, and can speed up adjustments when a particular employee leaves the organization.
1.5 Establish a procedure for reassignment of administrator-level access in case of departure
Administrators wield considerable power over an organization’s social media accounts. Their departure – or internal change of roles – can be disruptive. It is vital to have in place procedures for reassigning their access rights in the event of change.
The procedures should provide for quick reassignment of access rights. This helps ensure continuity of the organization’s social media activity and can also avoid problematic actions when a disgruntled staff member is departing. The specified procedure should also apply when a back-up administrator leaves the organization.
Step 2 – Establish the organization’s purposes for using social media
2.1 Identify the organization’s goals in using social media
Before employees start posting material on the organization’s social media accounts, identify, and then spell out, the goals of such activity. The overall purpose of using social media is usually to strengthen the organization’s brand.
The first step is to describe the organization’s branding, by identifying, for example, what specific audience the organization is intended to appeal to or how it should be perceived. This information can help staff members decide what kind of content to post or to avoid, and what kind of tone to use. Also spell out themes and topics that should not be addressed. One practical tool to consider is a basic ‘dos and don’ts’ list. To make these more tangible, illustrative examples can be particularly helpful.
It can also be beneficial to tailor goals to specific social media platforms. The many outlets available attract different types of audiences, and are used for different purposes, with some largely a source of pure entertainment and others relied on for professional networking. As a result, the goals or branding aspects to focus on may vary among the different channels. However, content posted on even a specific channel can ultimately be seen by an extremely wide audience (‘everyone’ is a safe assumption to use). Varying content between channels too significantly can come across as inauthentic or offend unanticipated audiences.
2.2 Include a link to other workplace policies
The social media policy should not exist in a vacuum. Make use of wider organization policies that are already in place by linking to these in informational resources on social media or within the social media policy itself. Policies covering the following topics are likely to be particularly relevant: protecting confidential information; avoiding copyright and trademark violations; false advertising and disparaging competitors; and the prohibition of hate speech and harassment. For examples of social media policies that incorporate broader company policies by reference, see the guidelines/policies issued by FedEx and Dell Technologies.
2.3 Reinforce messages through strategies and training
Issuing policies and guidelines is a vital step, but will need to be supplemented with additional efforts in order to be effective. For example, it can be helpful to formalize and spell out elements of the purposes of using social media in a separate, dedicated social media strategy. It is typically also necessary to provide specific training, at least to the select employees with wider access to the organization’s social media accounts.
The content of such training will vary. However, it can be extremely valuable for the purposes of illustrating, and making more tangible, how broader policies can be implicated in day-to-day social media activity. While providing such training may appear time-consuming or expensive, discussing these issues only after a problem has occurred will likely be significantly more costly.
For example, confidentiality agreements may strike some staff members as theoretical because they are not sufficiently senior to be privy to sensitive information. However, they may unwittingly violate such policies by posting a photo that includes a colleague’s computer screen in the background. Or, given the ease with which information can be accessed and shared online, staff may need reminders about the need to secure a license or authorization before posting copyrighted material, including photos or music. Others may not be aware that a playful jab at a competitor can trigger liability for defamation. Training sessions can provide important opportunities to discuss these kinds of examples openly and without fear of repercussions.
Step 3 – Establish a system for the prior approval of posts
Deciding whether or not to require prior approval of posts is not easy. It involves balancing the need to adequately protect the organization’s reputation and avoid legal liability, while allowing for social media activity that truly benefits the organization’s brand. To achieve this, social media posts must come across as authentic and be speedy enough to capitalize on any positive momentum generated by the organization’s posts.
A possible alternative to requiring prior approval can consist of regularly conducting spot checks. This may be overly risky when just entering the world of social media, or when access is given to a new employee. However, depending on the context, prior approval may at some point truly no longer be necessary, or may even be counterproductive. This can be the case, for example, if the ‘designated posters’ are both well-chosen and well managed, the social media policy is clear, and additional training has been provided and is continuously updated.
Another possible compromise is to make prior approval requirements temporary (eg, only requiring approvals during an employee’s probationary period or during the first three/six months of the employee being able to post on social media).
3.1 Establish what approval is required
In addition to deciding whether or not approval is required, also specify exactly what kind of approval is needed. This involves choosing from different approaches:
- making such requests optional or discretionary;
- only requiring approval for select categories of content; or
- always requiring a specific person or list of persons to approve certain or all posts.
It will also be necessary to:
- clarify how the approval process will work;
- specify the expected turnaround time for approvals; and
- outline how feedback will be provided and incorporated.
Both original posts and replies to, and comments on, these posts must be considered. This can be particularly tricky because, unlike when making more formal posts, employees may be less careful about how they express themselves in replies. On the other hand, it may not be possible to keep the audience engaged in online interactions if there are overly strict approvals requirements that slow down interactions.
Regardless of which approach is chosen, be sure to clearly spell out the required process. In addition, look into available social media approval systems, which provide for streamlined, automated approval processes.
3.2 Set a timeline for approvals
Even the most brilliant social media posts will fall flat if the timing is off, and waiting for internal approval can be frustrating for employees who see opportunities passing by while their timely and polished posts languish in a supervisor’s inbox. Meanwhile, it is easy for a pending social media post to seem trivial compared to the other matters simultaneously demanding a supervisor’s attention. Therefore, if approvals are required, be sure to set a timeline for reviewing and approving posts, spelling out the applicable deadlines for each person who has to give their go-ahead. This is crucial to avoid bottlenecks and missing the best times of the day, week, or month to publish posts.
It may be necessary to come up with different timelines for different post categories. For example, a pre-set schedule providing for a number of days for certain approvals may make sense most of the time, but will not be helpful when an urgent matter arises.
3.3 Consider the necessity of compliance checks or approvals
Depending on the specific industry at issue, and on the type of social media activities engaged in, concerns about misguided posts can go beyond bad public relations and generally applicable legal matters such as copyright or defamation claims. This is particularly relevant in highly regulated industries such as finance, banking, health, and insurance. In addition, activities such as the use of influencers may require thorough consideration of compliance issues. These issues are outlined at steps 3.3.1 and 3.3.2 below.
It is therefore key to determine whether legal liability considerations specific to the industry or activities are implicated. If so, seek input from specialized lawyers, as the issues that may arise can neither be adequately covered in generic social media policies nor should they be handled primarily by employees who have not had specific training.
3.3.1 Regulated industries
The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule imposes strict restrictions on the use of protected health information. In the social media context, for example, posting a photo of a patient without obtaining the proper consent amounts to a violation. Similarly, responding to a patient complaint posted on a social media account – and, by doing so, publicly identifying that person as a patient and disclosing other protected information – can trigger liability, as a settlement reached by a dentistry practice with the US Department of Health and Human Services (HHS) in 2022 illustrates (see HHS press release, December 14, 2022).
Social media can raise considerable compliance concerns for banks and other financial institutions. The Federal Financial Institutions Examination Council (FFIEC) – an inter-agency body that prescribes and recommends standards to promote uniformity in the supervision of financial institutions – in its 2013 Guidance specifically recommends that such entities institute a risk management program to identify, measure, monitor, and control the risks related to social media. Among other things, such a program should include an oversight process for monitoring information posted to sites administered by the financial institution or a contracted third party.
As the FFIEC notes, multiple laws must be considered. For example, posting about an existing debt on someone’s social media account, or on the organization’s sites, may violate the Fair Debt Collection Practices Act, which prohibits certain entities from disclosing to the public that a consumer owes a debt (see Consumer Financial Protection Bureau report). Rules imposed by self-regulatory organizations can also be highly relevant. For example, the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization for brokerage firms overseen by the US Securities and Exchange Commission, has noted that its rules on communicating with the public apply to social media activity (see FINRA Rules and Guidance: Social Media). As a result, static content on social media channels - such as posts - must be approved by a registered principal before it is published, and may even have to be filed with FINRA. By contrast, interactive content, such as replies to comments, must generally only be monitored.
3.3.2 Use of influencers
In addition to certain industries being more heavily regulated, some types of social media activity may be subject to more legal scrutiny than others. For example, this applies if social media activity goes beyond using in-house staff and includes hiring influencers - individuals, including but not limited to celebrities, with large numbers of social media followers - to spread the word about the organization and its products or services. While this can be hugely beneficial, it is also risky, and will require a separate compliance review.
The Federal Trade Commission (FTC) has expressed concern about deceptive advertising based on the use of endorsements and testimonials by influencers on social media channels (see FTC, Disclosures 101 for Social Media Influencers). The FTC’s Guides concerning use of endorsements and testimonials in advertising, updated in July 2023, spell out several examples of social media use that may trigger liability. In addition, its plain-language Disclosures 101 guidance for influencers sets out specific steps that can reduce the risk of being accused of deceptive practices. If organizations do choose to work with influencers, the influencers should be contractually required to comply with all relevant laws and rules, such as those issued by the FTC. In addition, requiring in-house review and approval of all influencer posts before they are published is advisable.
Organizations must recognize that the regulatory landscape around influencer marketing is dynamic and continues to evolve. Staying abreast of the latest guidance from regulatory bodies like the FTC, as well as platform-specific rules (eg, Instagram's ‘Paid partnership’ tag, YouTube's paid promotion disclosure), is critical. This includes understanding nuances like the ‘clear and conspicuous’ disclosure requirement, which dictates that disclosures must be hard to miss and easy for ordinary consumers to understand, not buried in long captions or requiring extra clicks. Proactive training for both in-house teams and influencers on these evolving standards, coupled with consistent monitoring and auditing of influencer content, will be essential to mitigate risks and maintain consumer trust in the long run.
Additional resources
Federal Financial Institutions Examination Council (FFIEC), Financial Regulators Issue Final Guidance on Social Media, press release (December 11, 2013)
Federal Trade Commission (FTC), Guides Concerning the Use of Endorsements and Testimonials in Advertising (updated 2023)
Financial Industry Regulatory Authority (FINRA), Guidance on Social Media (2023–2024)
Related Lexology Pro content
How-to guides:
How to establish a social media governance framework
How to investigate the social media activity of prospective employees
How to protect brand authenticity on social media
Checklists:
Dealing with false statements on social media
Legal considerations for social media marketing
Quick views:
Legal risks associated with business social media use