
Social Media Policies: The 2026 Compliance Playbook

EPR Editorial Team

Originally published July 2011. Updated June 14, 2026.

A social media policy is the written rulebook governing how a company’s employees, executives, agencies, and influencers may communicate on Facebook, Instagram, LinkedIn, X, TikTok, YouTube, Reddit, Discord, and Telegram. In regulated industries (healthcare, financial services, crypto, pharma, defense), it is the document that decides whether a single post becomes a compliance violation with seven-figure exposure. Three changes in quick succession raised the regulatory floor under corporate social communication faster than most general counsels expect: the SEC’s amended Marketing Rule reached its compliance date on November 4, 2022; the FTC’s revised Endorsement Guides were finalized in June 2023; and the FTC Consumer Review Rule was announced on August 14, 2024 and took effect on October 21, 2024.

The 2011 version of this question was “should we have a social media policy.” The 2026 version is “does our policy cover the platforms, the personnel, the disclosures, the AI tools, and the cross-border rules that now apply — and is it actually being enforced.”

This is the operator’s breakdown. Sector by sector.

What a 2026 Social Media Policy Actually Covers

A modern social media policy spans nine elements that did not all exist in the 2011 template.

  • Scope — which platforms, which personnel (employees, contractors, agencies, influencers, board members), and which content types (personal accounts, work accounts, anonymous accounts) the policy reaches.
  • Disclosure rules — when employees must identify their employer, when influencers must disclose paid relationships (#ad, #sponsored, and equivalent), and how disclosures must appear on each platform.
  • Regulated speech — what claims can be made about products, services, performance, or financial outcomes, and who must approve them before posting.
  • Confidential information — trade secrets, non-public financial information, M&A activity, personnel decisions, and customer data.
  • Personal accounts — what employees may and may not say about the company on personal accounts, and how the company’s authority to enforce ends where the National Labor Relations Act’s protected concerted activity begins.
  • AI-generated content — whether and how employees may use ChatGPT, Claude, Gemini, or other generative tools to draft posts; what must be disclosed; what must be reviewed before publication.
  • Record retention — social media posts as business records under SOX, Federal Rules of Civil Procedure, and SEC Rule 17a-4 for broker-dealers.
  • Incident response — what happens when an employee post goes viral negatively or a regulator opens an inquiry.
  • Enforcement — consequences, training cadence, and the person responsible for monitoring.

Healthcare Social Media Policies

Healthcare social policy is dominated by the Health Insurance Portability and Accountability Act, the FDA, and state medical board rules.

The HIPAA Privacy Rule prohibits covered entities, their business associates, and their workforce from disclosing protected health information (PHI) on any platform without patient authorization. The most common violations are not malicious posts. They are responses to patient reviews that confirm a patient relationship, photos of patients in the background of staff selfies, and stories that include identifying details. A healthcare social policy must explicitly cover review response, photo backgrounds, employee selfies on hospital grounds, and the use of patient stories.

FDA rules on prescription-drug and medical-device promotion apply to social posts. Off-label promotion, omitted risk information, and unsubstantiated efficacy claims trigger enforcement under 21 CFR Part 202 (prescription drug advertising). The FDA’s 2014 draft guidance on internet and social media platforms with character-space limitations remains the operative guidance; a pharmaceutical post on X must still carry risk information alongside any benefit claim within the character limit, not only behind a link.

State medical boards license physicians and can discipline based on social conduct — including content that may be lawful but is deemed unprofessional. Policies should cover board-licensure exposure on personal accounts.

Financial Services Social Media Policies

Financial services policy is dominated by FINRA, the SEC, and state securities regulators.

FINRA Rule 2210 governs communications with the public, including social media. Posts by registered representatives that recommend specific securities, present performance data, or solicit business are retail communications subject to registered-principal pre-approval and recordkeeping. FINRA Regulatory Notice 17-18 and subsequent guidance address social media specifically; firms must supervise, retain, and review.

The SEC Marketing Rule (Rule 206(4)-1), effective November 4, 2022, applies to registered investment advisers. It opened RIAs to testimonials and endorsements for the first time in decades and imposed disclosure requirements: compensation, material conflicts of interest, and the fact that testimonials may not be representative. Influencer endorsements of RIA services are squarely inside the rule.

SEC Regulation Best Interest (Reg BI) for broker-dealers, the SEC’s broker-dealer recordkeeping rules at 17 CFR 240.17a-3 and 17a-4 (with Advisers Act Rule 204-2 playing the equivalent role for RIAs), and state-by-state insurance regulations create overlapping retention and supervision duties. A financial services social policy must specify which platform activity is captured by which retention tool, how often supervisory review happens, and what triggers escalation.

Crypto and Web3 Social Media Policies

Crypto is the regulatory environment that has changed fastest in the last 24 months.

The European Union’s Markets in Crypto-Assets Regulation (MiCA) entered full application on December 30, 2024 for crypto-asset service providers operating in the EU. Marketing communications must be “clear, fair, and not misleading,” identified as marketing, and consistent with the white paper. A non-compliant tweet or TikTok by an EU-licensed exchange now carries direct supervisory exposure.

The U.S. SEC continues to bring enforcement actions against celebrities and influencers for undisclosed crypto promotion under Section 17(b) of the Securities Act. Settled cases include actions against multiple high-profile celebrities for promotion of digital assets without disclosing compensation. A crypto social policy must address influencer compensation, disclosure language, and pre-approval of any post tied to a token, an exchange, or an offering.

App store rules at Apple and Google impose their own marketing restrictions on crypto apps, particularly around staking, derivatives, and yield products. A social policy for a crypto company must align with both app store and regulatory expectations.

Influencer and AI Disclosure Rules

The FTC’s revised Endorsement Guides, finalized June 2023, require clear and conspicuous disclosure of material connections between endorsers and advertisers. The guides are not law in themselves, but the FTC uses them to define unfair or deceptive practice under Section 5 of the FTC Act. Disclosure must be in the same language as the post, before any “more” or “read more” cutoff, and on each individual platform — not just in a profile bio.

The FTC Consumer Review Rule, effective October 21, 2024, extends penalty exposure to fake testimonials including AI-generated content. A 2026 social policy must explicitly cover the use of generative AI in producing endorsements, reviews, or testimonials.

What to Build Now

Five things, in order.

One. Audit your current policy against the 2022–2026 rule changes. Most policies written before the SEC Marketing Rule, the revised FTC Endorsement Guides, the FTC Consumer Review Rule, and MiCA need substantive amendment, not light editing.

Two. Map your platform exposure. What employees, agencies, and influencers actually post on each platform — including the ones (Discord, Telegram, Reddit) that legal teams underweight.

Three. Add an AI-content section. If you do not address generative AI in your social policy, you do not have a 2026 policy.

Four. Lock down record retention. Posts are business records. Confirm the retention tool covers every platform your people use.

Five. Train. Quarterly. A policy that is not enforced is worse than no policy because the documentation establishes that the company knew.

Frequently Asked Questions About Social Media Policies

Is a social media policy legally required?
No single federal law mandates a written policy, but multiple regulatory frameworks (FINRA Rule 2210, SEC Rule 17a-4, HIPAA, FTC Endorsement Guides, FTC Consumer Review Rule, MiCA) require supervision, recordkeeping, and disclosure practices that cannot be operationalized without one.

Does a social media policy apply to personal accounts?
Within limits set by the National Labor Relations Act. A policy can prohibit disclosure of confidential information, regulated speech, and conduct that violates anti-harassment rules on personal accounts. It cannot prohibit protected concerted activity, including discussion of wages, working conditions, and union activity.

How does the SEC Marketing Rule affect investment adviser social media?
Effective November 4, 2022, Rule 206(4)-1 permits testimonials and endorsements by registered investment advisers but requires disclosure of compensation, material conflicts of interest, and the fact that testimonials may not represent typical experience. Social posts that constitute advertisements under the rule must comply.

What does HIPAA require in a social media policy?
A HIPAA-compliant social policy must prohibit disclosure of protected health information, address review-response practices that risk confirming a patient relationship, govern photos taken in clinical environments, and require training for all personnel with access to PHI.

Does MiCA apply to crypto company social media?
Yes. The EU Markets in Crypto-Assets Regulation requires that marketing communications by EU-licensed crypto-asset service providers be clear, fair, and not misleading, identified as marketing, and consistent with the white paper. Social posts are marketing communications.

How should a social media policy address AI-generated content?
The policy should specify which generative tools are approved, require human review before publication of any AI-drafted post, prohibit the use of AI to create reviews or testimonials, and address disclosure obligations when AI is used in the production of marketing material.

