Maintaining a social media presence can be a huge asset for charities and non-profits as they pursue their missions and mandates. These networks are powerful tools that can be used to reach wider audiences, increase brand awareness and outreach and facilitate fundraising. However, given recent attention around the repeated data privacy issues of certain social media platforms and the nonexistence of regulations surrounding social networks, non-profits should consider how best to protect themselves while maintaining an online social media presence. This article addresses three risks and potential mitigation strategies.

CRA issues

Charities using social media must ensure they understand the risks involved. When auditing a charity, it is not unusual for CRA auditors to review the charity's social media content to assess the charity's compliance with the Income Tax Act (the "Act"). Charities should be cognizant that the information they are posting to their various social media accounts is compliant with the Act and falls within the ambit of the charity's stated purposes.

For example, the rules around private benefit dictate that a registered charity should be cautious when posting information to a social media account that may publicize a business unrelated to the charity. Depending on the content, such post may be viewed by CRA as providing an undue private benefit to the business (i.e., the business may benefit from the 'free' marketing provided by the charity using the charity's resources). Further, as discussed in our October 2013 Newsletter, charities should be cautious that their social media posts, no matter how brief, do not constitute prohibited political activities. Providing an undue private benefit and engaging in prohibited political activities are both cause for sanction by CRA.

Organizations are well-advised to review and monitor their social media presence on an ongoing basis, and implement practices and training so that employees and volunteers understand the organization's charitable purposes, what is acceptable to post to social media on behalf of the organization and the impact of social media posts on the organization.

Privacy Issues

The federal Personal Information Protection and Electronics Document Act ("PIPEDA") regulates the collection, use and disclosure of personal information by private sector organizations and applies to all organizations that collect, use and disclose personal information in the course of commercial activity. Because the protected personal information must be collected in the course of commercial activity, there is question as to whether PIPEDA applies to charities and non-profits generally (although in some cases the application is clear).

Further, certain provinces (namely, Alberta, British Columbia and Quebec) have enacted privacy legislation applicable to organizations operating in those jurisdictions; and importantly, donor information as well as certain other information collected by charities and NPOs is caught by it. It follows that while not all privacy legislation is applicable to charities and NPOs, in some instances (whether intentionally or unintentionally) personal information about an individual that is posted to a charity or NPO's social media page without their knowledge or consent could breach that organization's federal or provincial privacy obligations. Accordingly, organizations are advised to remain cautious about what they are posting to social media.

Organizations should ensure that they take steps to identify and comply with all applicable privacy legislation. Any employee, contractor or volunteer of the organization who may be called upon to manage an organization's social media accounts should be required to confirm that they have read and understand the policy. Additionally, safeguards such as the limited distribution of account passwords should be implemented to prevent or reduce the risk that someone gains access or "hacks" the organization's social media accounts. Where an organization wishes to post to its social media account any personal information collected through the course of its activities, it should ensure that it obtains the necessary consents to do so.

Posting Photos

Photos, including photos of employees, members or the general public, may constitute personal information, and as such, caution should be taken when posting photos to social media platforms. For example, charities and NPOs are well advised when holding events to obtain consent from attendees whose photos may be posted to social media. This consent may be requested and provided, for instance, upon registration for the event.

Particularly, where a photo posted is that of a child, the legal risks increase substantially. Subject to minor exceptions, a contract entered into with any person under the age of majority is not enforceable. Further, consents signed by one or both parents or the parents and the minor are not bulletproof either. Canadian courts have waived parental consent as being ineffective simply on a policy basis.

Organizations are advised to consider the risks before posting photos. This may mean, for instance, implementing a policy that strictly prohibits posting photos of minors. If an organization does decide to post photos of minors, risk can be mitigated (though not entirely avoided) by implementing a privacy policy and putting procedures in place to obtain robust consents from parents.

Generally, it is recommended that an organization implement policies and procedures that minimize the legal risks associated with using social media. This includes training protocols to educate volunteers and employees on these risks. The lawyers in Miller Thomson's Social Impact Group can help to develop appropriate social media policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.