Legal Checklist: Business use of social media

Use of social media may be relevant to a business because:

  • blogging and networking are conducted on its own website;
  • its staff are using social media sites provided by third parties in order to further the company's business in some way; or
  • third parties affiliated with the company as part of its promotional strategy refer to the company's business or products on their own social media sites (such as blogs).

This checklist sets out the precautions that a business should take in these contexts.

A.  Social media activities managed by your company or business

1.         Establish terms of use and privacy policies

  • Establish terms of use for online sites, services and applications. These should:
    • request users' specific consent (for example, by requiring them to click on an "I Agree" button) to increase the likelihood that a court will find the terms enforceable by the company;
    • include provisions to protect the company from misuse, infringement and misappropriation of its intellectual property and unauthorised disclosure of its confidential information; and
    • include provisions to limit liability for infringement of third-party intellectual property rights, defamation, breaches of privacy, employment-related harassment and the acts of third-party users, particularly for any content posted or uploaded by those users (commonly referred to as user-generated content (UGC)).
  • Establish an online privacy policy to assist the company in complying with its privacy and non-disclosure obligations to third parties. The privacy policy should address how the users' data will be collected, used, disclosed and maintained.
  • Ensure that the terms of use and privacy policies cover any customised pages or channels offered by the company on third-party social media sites (for example, the company's Facebook fan page or YouTube channels or communities).

2.         Minimise legal risk arising from user-generated content

Allowing users to post user-generated content (UGC) on a website raises many legal issues for the site owner or operator, including exposure to liability for UGC that infringes third-party copyright and other intellectual property rights, breaches an individual's publicity or privacy rights, is defamatory or obscene or is otherwise unlawful.

Take appropriate steps to minimise liability for UGC, including, for example:

  • Determining the applicability of defences under:
    • the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013), which exempt ISPs from liability provided that they act as a mere conduit, cache or host of the offending material and act expeditiously to remove or bar access to it having become aware of it;
    • Section 1 of the Defamation Act 1996, under which intermediaries (including ISPs) who unknowingly disseminate libellous material have a defence to liability in certain situations ; and
    • other regulations which shelter ISPs from liability in relation to specific matters.
  • Establishing, publicising  & implementing notice-and-take-down policies and procedures.
  • Implementing comprehensive terms of website use that:
    • prohibit the uploading of infringing, defamatory, obscene or otherwise unlawful or offensive content;
    • disclaim company liability for that content;
    • allow the site operator to remove content at its discretion; and
  • Ensuring that the proposed use complies with all applicable laws  before making any further use of UGC (such as for promotional purposes) and that necessary rights to use the UGC have been obtained from all relevant third parties.

B.  Use of third-party sites for business-related purposes

1.         Review third-party terms of use and privacy policies

  • Ensure that the company's use complies with each site's terms, which can vary significantly between sites and may include important restrictions. Pay particular attention to terms relating to:
    • prohibitions or restrictions on use of the social media site, such as for advertising, marketing and promotions or other commercial purposes (for example, Facebook's Statement of Rights and Responsibilities (its terms of use) prohibits businesses from administering promotions through Facebook without it’s prior written consent);
    • ownership of intellectual property used on, or information collected or generated through use of, the site (for example, any of the company's copyright material and trade marks that might be posted on the site, or customer information the company collects through the site);
    • requirements for licences to permit use by the site owner and other third parties of the company's trade marks or other intellectual property; and
    • recourse available to the company if its intellectual property rights are misused by other users.
  • Ensure that the site owner's privacy practices for any data disclosed by the company or collected by the company from users of the site are appropriate and sufficient for the company's intended use of the site.
  • Monitor site terms and privacy policies for updates and changes.

2.         Ensure legally compliant use of social media

  • Certain activities could expose the company to liability as well as risk to its reputation. The company should pay particular attention in the following areas:
    • defamation laws and prohibitions on unfair or deceptive acts such as false advertising. In particular, do not engage in or permit unethical marketing practices, including the posting of fake blogs, fake positive reviews, or fake negative reviews of competitors;
    • the law on promotions and competitions; and
    • rules prohibiting insider trading and other forms of market abuse.
  • Ensure legal compliance with industry-specific rules as well.

3.         Give guidance to all employees on social media use, eg in standard policies:

  • To avoid unduly interfering with the company's use of social media to advance business and legal objectives, do not impose unnecessary restrictions on social media use.
  • Provide clear guidance that includes provisions to protect:
    • company intellectual property assets (eg trade marks, copyrights, patents);
    • the company's confidential information;
    • third-party confidentiality and privacy (including data protection with respect to personal information of employees, customers, suppliers and others); and
    • the company's reputation and relationships with customers, clients and other third parties (for example, statements made by employees may be imputed to the company, especially if made by senior management).
  • Include in this guidance provisions to prevent:
    • discrimination;
    • harassment and bullying;
    • victimisation and other unlawful detriment (eg, as a result of whistle-blowing  or union activities);
    • misrepresentation; and
    • defamation.
  • Communicate this guidance clearly, monitor compliance and ensure enforcement is uniform throughout the organisation. Inconsistent enforcement may lead to discrimination or unfair dismissal claims.

Consider using social media as a legal tool

Consider using social media sites:

  • To prosecute, protect and enforce company intellectual property rights and defend against third-party infringement claims (for example, searching for prior conflicting trade mark use and patent prior art, and monitoring against potential third-party infringement).
  • As an effective way to share non-privileged information on legal topics, and obtain referrals to legal advisers and consultants.

Relevance of social media to conduct of litigation

  • Litigators can use social media sites to:
    • make jurisdictional claims based on the worldwide accessibility of social media sites;
    • identify potential experts and other witnesses;
    • find information relating to opposing parties and witnesses that can discredit their testimony (and can request disclosure of these parties' online profiles, postings, tweets, status updates or other online communications, or otherwise seek an order against the operator of the relevant social media site requiring provision of the information).
  • A party conducting disclosure of social media communications should narrowly tailor its disclosure requests to relate specifically to its own defences, the other party's claims and the character and mental state of the other party's witnesses. If a party is unable to obtain the requested disclosure from the other party or the applicable social networking site operator, it may still be able to obtain it if the online information is publicly available (for example, publicly available YouTube videos, tweets or Facebook profiles).
  • Postings made on social media sites may be disclosable. The company may lose the protection of legal privilege as a result of a disclosure of information through social media.

Potential for market abuse

When using social media sites to communicate with investors, market professionals and the public, a company should:

  • Comply with section 397 of the Financial Services and Markets Act 2000 (FSMA) which prohibits companies from making false or misleading statements or omitting material information. To avoid the commission of offences, monitor statements made by employees on social media sites to ensure that they are not false or misleading. Such statements may be seen as manipulating the market and may be attributed to the company. In addition, monitor links to third-party sites or content. Use of the links could be perceived as the company's endorsement of this information and the company could be held liable for any false or misleading statements by the third party.
  • Monitor statements made by employees to ensure that they are not tipping off investors by disclosing inside information otherwise than in the proper performance of their employment (section 118(3), FSMA).
  • Prohibit selective disclosure via social media of inside information (in the same way as the company regulates disclosures in other media) so as to comply with DTR 2.2.1R of the Disclosure Rules and Transparency Rules, which requires disclosure of all inside information directly concerning the company to a Regulatory Information Service, as soon as possible and in a complete and effective manner. Also, if desired, synchronise the release of any information on social media with more traditional news releases.
  • Ensure that social media posts do not constitute unlawful solicitations or offers, so as to comply with the financial promotion regime under FSMA and securities laws that prohibit companies from offering or selling securities to potential investors without first publishing a prospectus.
  • Not make "forward-looking statements" via social media (that is, statements based on management's projections, estimates, expectations or assumptions) about the company or its performance, shares or prospects without also providing required cautionary language, written risk factors and disclaimers.

Obtain consent before using employees' or third parties' names, images or information on social media for commercial purposes

  • Explain to the employee or third party in advance the purpose and extent of the company's intended use of his or her name, image or information, and obtain written consent (eg using a form of consent to use of a photograph.
  • Unauthorised use will expose the company to the risk of claims arising from public disclosure or misuse of personal information, in breach of data protection law.
  • Consider the legal risks associated with use of social media to run background checks
  • Avoid making employment decisions based in any way on a protected characteristic (such as race, religion or sexual orientation) revealed through social media.
  • Use the same protocols for social media screening of applicants or employees regardless of their protected characteristics to avoid liability for discrimination.
  • Avoid gathering information on applicants' or employees' trade union membership or activities that could amount to the creation of a prohibited blacklist, and do not discriminate on the basis of union membership, non-membership, or activities.
  • Ensure any data is obtained and processed fairly and lawfully, in accordance with the eight data protection principles in the Data Protection Act 1998 (DPA). This is likely to include informing the individual of the means by which you are conducting background checks.
  • Do not access password-protected electronic resources without proper authorisation from the owner(s), as this may breach website terms of use and will be highly unlikely to amount to fair and lawful processing of personal data under the DPA.
  • Ensure the company is in compliance with the "terms of use" policies of social media websites in any background check activities.
  • Make employment decisions using reliable and accurate information, and be aware that information posted on social media sites may be false or misleading.

C.  References to company on affiliated social media sites

Disclose all material connections with third-party bloggers

  • The Consumer Protection from Unfair Trading Regulations 2008 (SI 2008/1277) (CPRs) came into force on 26 May 2008 and introduced a general duty not to trade unfairly. In particular, the CPRs provide that:
    • A commercial practice is unfair if it is a misleading omission (regulations 4(b) and 6).
    • It is unfair to use editorial content in the media to promote a product where a trader has paid for the promotion without making that clear in the content or by images or sounds clearly identifiable to the consumer (regulation 4(4)(d) and Schedule 1).

The Office of Fair Trading enforces these rules.

  • If the company pays a blogger or provides free products to review, the company should:
    • advise the blogger of his obligation to disclose that he was given such consideration;
    • monitor the blog to ensure compliance; and
    • monitor the blog to ensure that any claims made by the blogger about the company's products or services can be substantiated and are not deceptive or misleading.


Commercial general liability insurance policies may not cover liability arising out of certain online activities. Review existing insurance policies to ensure appropriate coverage and consider whether any additional insurance is desirable and appropriate. Additional insurance could include, for example:

  • Cyber-liability insurance that covers data breaches, privacy and data security;
  • Business interruption; and
  • Liability for website content.

In summary


  • Establish clear, written terms of use and privacy policies for all social media sites, services and applications the company offers.
  • Understand the legal issues associated with allowing users to post user-generated content and take steps to minimise risk related to that content.
  • Review terms of use and privacy policies of third-party social media sites, services and applications before using them.
  • Ensure that the company's use of social media complies with all applicable laws.
  • Provide clear guidance to all staff on company-related use of social media, preferably in the form of a comprehensive policy.
  • Consider using social media as a legal tool.
  • Understand that use of social media can affect the way litigation is conducted.
  • Disclose all material connections with third-party bloggers.
  • Review corporate insurance policies to ensure appropriate coverage.

Do not:

  • Impose unnecessary or impractical restrictions on staff regarding use of social media.
  • Use names, images or information of employees or third parties for promotional or other commercial purposes via social media without first obtaining such parties' consent.
  • Use social media to run background checks on applicants for employment and candidates for promotion without first considering the associated legal risks.

Key contacts at DMP for further advice and assistance on these matters are:

Bill Montague, partner                                
direct dial:    0118 960 5786                                                  

Asim Munir, associate
direct dial: 0118 960 5788

main office:  0118 939 3999

The contents of this article are for the purposes of general awareness only. They do not purport to constitute legal or professional advice. The law may have changed since this article was published. Readers should not act on the basis of the information included and should take appropriate professional advice upon their own particular circumstances.

comments powered by Disqus