Every company eventually writes a social media policy. Most of them are bad. They get drafted by legal, sanitized by HR, ignored by communications, and then handed to an employee base that already lives on Instagram, TikTok, LinkedIn, Threads, X, BlueSky, and a half-dozen other platforms the policy doesn't even mention.
A good social media policy does three things: it protects the company from disclosure risk, protects employees from getting fired for something they didn't realize was a fireable offense, and gives the brand a fighting chance of being amplified by its own people. Most policies do none of those things.
The five rules that matter
1. Disclose the relationship. If an employee posts about the company's product, customers, or competitors, they identify themselves as an employee. This is the rule the FTC actually cares about — the agency's endorsement guidelines have real teeth, and unbranded employee shilling is one of the easiest ways to land a regulator-driven story.
2. Confidential is confidential. Earnings figures pre-release. Unannounced products. Internal personnel matters. Customer lists. Pricing. Litigation. M&A. The rule isn't "be careful" — the rule is a specific list with examples. Vague policies create gray zones and gray zones become headlines.
3. Don't speak for the company unless you're authorized to. Personal opinions are fine and protected. Statements that read as official company positions are not. This is the line that gets crossed every Friday afternoon when a mid-level employee posts a hot take on industry news.
4. Respect the audience the same way the brand does. No harassment, no slurs, no targeting customers or competitors, no posting about clients without consent. This is the rule that protects both the company and the employee from the worst-case post.
5. When in doubt, ask. The policy should name a specific human — usually the head of comms — and make it easy to send a quick question before posting. Friction kills compliance. Speed enables it.
The benchmarks worth studying
Three policies that have aged well and are still cited in B-school case studies:
Intel. Three rules of engagement — disclose, protect, use common sense. Short enough to remember, specific enough to apply. Still the gold standard.
IBM. A longer document, but every section is built around the principle of trusting employees to be adults while giving them the categories of risk they should think about before posting.
The U.S. military's branch-by-branch OPSEC rules. Heavy-handed in places, but a useful template for any company that genuinely has national-security-adjacent information to protect.
What's changed and what hasn't
Three structural shifts every social media policy now has to account for:
The First Amendment doesn't apply. Private employers can set the rules. The NLRA protects concerted activity around working conditions, but that's a narrow shield, not a blanket one. Most employees don't know the difference.
Platform liability is fragmented. Section 230 is intact in the U.S., partially eroded in the EU, and being relitigated in multiple state legislatures. Brand posts that would have been a non-issue in 2015 are now defamation exposure in 2026.
AI changes the disclosure question entirely. Employees increasingly use ChatGPT, Claude, and Gemini to draft posts, generate visuals, and write captions. A modern social policy needs an AI-use clause: what tools are approved, what data can't go into a prompt, what's required to disclose, and how to handle hallucinations before they end up in a public post.
The point
A social media policy is a brand asset, not a compliance document. The companies that treat it that way get employee amplification, executive thought leadership, and an early-warning system for reputational risk. The companies that treat it as a HR checkbox get the Baltimore Fire Department version — a document everyone resents and no one reads.
The rule is simple. Trust your people. Give them clear lines. Then get out of their way.
The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.
