Developing a social media policy is essential for companies to navigate a digital world full of legal, IP and reputational risks.

Social media use and access is now a cornerstone of our daily routines.

Not simply the preserve of millennials and Gen Z-ers, social media is how people communicate, check the news, share adorable dog videos, and buy stuff. This means that for most firms, having a social media presence is a business imperative.

Although this fast-developing marketing channel has brought many opportunities for businesses' consumer engagement, its specific features pose risks to businesses, stemming both internally and externally.

These can be broadly split into two categories: risks posed by the company and its staff's social media presence, and risks posed by third parties' use of social media relating to the company.

These risks are boosted by certain features inherent to social media. As it is fast-moving, global and collaborative, it follows that errors or criticisms of a business likely have a wide audience, and will often leave a permanent record.

Company risks

Unauthorised or uncontrolled social media posts present several risks to a company. For posts made by a company, conveying the right brand message is critical, as any mistakes will be highly visible to consumers and rivals.

Social media opens a dialogue between companies and their consumers. Users can and do offer their views, feedback and opinion on companies' brands, marketing and products, potentially leading to a loss of control and damage to the brand image.

Marketing on social media is subject to advertising laws and regulations, which often extend to endorsements by celebrities, bloggers and, in some cases, even consumers.

It is therefore vital to ensure companies are aware of advertising regulations and how they apply to social media. Likewise, it is important not to misrepresent a connection between your brand and a celebrity, which might prompt legal claims around image rights.

"Marketing on social media is subject to advertising laws and regulations, which often extend to endorsements"

Social media can also raise the risk of the inadvertent disclosure of sensitive or confidential information. This particularly applies to regulated industries or public companies where certain information must be disclosed first in a regulatory filing, shareholder announcement or press release.

A company's legal duties regarding the collection of personal data extends to data collected on social media. Restrictions on this are tightening under the EU's General Data Protection Regulation (GDPR), due to take effect next May.

Care should be taken about sharing consumer details, for example around competitions, and protecting consumer or employee data obtained via social media.

Third-party risks

Third parties may criticise, spoof or infringe a company's intellectual property on social media by selling counterfeit or lookalike products, or passing themselves off as the real thing. Social media accounts may also be used for phishing or other types of cyber crime.

Intellectual property

Any content protected by intellectual property (IP) rights remains so if it is shared on social media. If used without consent, posting third-party content still infringes on the rights of IP owners or individuals featured in the content.

As a rule of thumb, if you do not own an image or have a licence to use it, check whether you can obtain permission to use or share it.

Social media terms of service in many cases allow users to share and comment on content within a given platform. However, posting content across social media often means that the terms and conditions of the respective platform will affect copyright protection.

For example, while the poster will retain copyright, they may automatically grant the respective platform a royalty-free, transferable, sub-licensable, worldwide licence to use the content posted.

Another potential copyright issue for social media is sharing screenshots of images, such as those taken from messaging apps like Snapchat.

Images with enough originality may be copyright protected and if no statutory defences apply – such as review, criticism, and implied consent – sharing such images without the original poster's consent can be copyright infringement.

If the shared images are of a sexual nature this may also result in criminal prosecution.

Equally, using only a few seconds of a piece of music online may be copyright infringement, since the test for infringement is whether a substantial part of an original work has been copied. Thus, if a qualitatively significant part of a song is copied, such as a catchy chorus, you may have infringed copyright.


Social media comments frequently include trademark or brand references. Where such online comment uses a registered trademark 'in the course of trade' without permission, this could be trademark infringement.

However, 'honest use' of a trademark in a descriptive manner, or use that is not 'in the course of trade' will not be infringing. Using a third-party brand online could also amount to passing off, and unfairly comparing your brand against another could amount to unfair comparative advertising.

Spoof and parody

What about 'spoof accounts' and parodies? The 'parody exception' relating to copyright under UK law, which was introduced in 2014, says that 'fair dealing in relation of a copyright protected work for the purposes of caricature, parody or pastiche does not infringe copyright in the work'.

Based on Article 5(3)(k) of the EU Information Society Directive, this concept has been broken down by the European Court of Justice (CJEU), which set out two criteria for its application.

"A parody should be close enough to evoke an existing work but must remain noticeably different from it"

First, a parody should be close enough to evoke an existing work but must remain noticeably different from it, and second, it should express humour and mockery.

In contrast, EU trademark law does not specifically provide for a parody exception. Recital 21 of the Directive (EU) 2015/2436 says that 'use of a trademark by third parties for the purpose of artistic expression should be considered as being fair as long as it is at the same time in accordance with honest practices in industrial and commercial matters'.

The CJEU has clarified that use of a trademark will not be in accordance with 'honest practices' if the use discredits or denigrates the mark.

Importance of policy

The principal reason for having a social media policy is to help mitigate the risks arising from company or employee use of these channels.

Due to the fast-moving, open and collaborative nature of this media, it is generally not possible for the legal team – and often not even the wider business – to monitor and pre-approve social media interactions.

Corporate policy

At a corporate level, having a style guide for social media posts helps ensure that content posted by a company conveys the right brand message. These guidelines might recommend avoiding sensitive topics such as religion and politics.

Despite the inherent speed of social media, it is advisable to moderate outgoing content before it is posted. The policy should therefore aim to ensure that marketing content complies with advertising laws and regulations.

Moderating incoming content such as customer comments is trickier, as the removal of negative comments can draw accusations of censorship.

It is better to have a strategy for dealing with customer dialogue so that responsible staff are polite and know to disengage at the right time, without getting into arguments.

Employee policy

For staff it may not be necessary to have a separate social media policy if there are appropriate restrictions and obligations set out in the staff member's employment contract.

However, in many cases these will be general obligations, lacking the detail that can help inform employees about how their employer expects them to behave on social media, for business or pleasure, and what actions could be taken against them for breaking the rules.


Although policies will vary according to business needs, they should set the parameters of social media activity and the guidelines for engagement.

In particular, they should set out the disciplinary consequences of publishing inappropriate comments and what online conduct will be considered inappropriate.

For example, a social media policy should make clear how seriously the employer treats reputation. To reduce the risk of reputational damage for non-work related comments made by staff, it should contain clear instructions to ensure that such comments cannot be linked to the employer.

"A social media policy should make clear how seriously the employer treats reputation"

A clear, detailed social media policy also allows an employer to control staff use of social media sites relating to the business.

The policy can set out rules for connecting with customers on sites such as the professional network LinkedIn and the type of business information that an employee can post online.

A social media policy should also:

  • Include a broad definition of 'social media' to encompass all possible forms
  • Set out who it applies to. In addition to employees, consider including contractors or others whose communications could reflect on the company
  • Include express provisions as to whether and to what extent staff may access the internet or social media during office hours
  • Describe the circumstances in which an employee's use of social media may be monitored – justifying the benefits to outweigh any possible downsides
  • Address what employees can and cannot do. For example, do not connect social accounts to work email addresses, do not use social media for internal or confidential communications, and do not badmouth clients, colleagues or the company
  • Highlight legal risks such as copyright and trademark infringement
  • Include clear examples of conduct that may harm firm reputation as well as discrimination, harassment, bullying, defamation, breach of confidence or intellectual property right infringements, and how the employer may be liable for an employee's conduct
  • Delineate clearly as to when an employer can be referenced on social media.

Where employees within an organisation are required to use social media as part of their job – for example, in marketing or recruitment – it makes sense to consider specific guidelines for the use of social media sites in a business context.

This should bear in mind confidential client matters or sensitivities. This may also include internal guidance on a quick 'take down procedure' and conflict checks.

Update and enforce

Social media will continue to evolve and it is important to regularly review and update a social media policy in line with changes in the law, technology and business practices.

Further steps should include training and educating employees and line managers on the policy, and making it easily available – for example, on a firm's intranet. Consistent enforcement and the 'tone from top' will all lead to a good social media culture.

Ruth Burstall is senior associate in IP, Sabrina Tozzi is associate in IP, and Birgit Clark is EMEA IP professional support lawyer, all at Baker McKenzie

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.