Social Media Marketing: The 411 on Legal Risk and Liability

Social media vastly expands the ability of businesses to connect, collaborate and communicate and, ultimately, to compete. While social media built upon so-called Web 2.0 technologies -- such as community forums, blogs, vlogs, wikis, podcasts, video and audio file sharing, widgets, crowd sourcing and geolocation tools, to name just a few -- carry great promise for new ways of facilitating business, the use of such media also poses a special set of legal risks about which businesses should have a greater awareness as they utilize these technologies.

The legal risks may be usefully grouped into a few overlapping categories:

  • Intellectual property issues
  • Employment-related issues
  • Marketing activity concerns

The first two categories are addressed in greater detail elsewhere in this issue of Trust the Leaders, so this feature focuses on the key legal matters within the last category. Because social media tools utilize multiple technologies and lend themselves particularly well to creative marketing-related activities, there is an acute concentration of legal issues involved with using social media, several of which are addressed below.


Contractual terms are everywhere within the social media landscape and, while these terms generally are benign, occasionally such terms can have significant bite. Contractual provisions will usually surface in the form of terms of use, privacy policies or community use guidelines, among others, and these contracts may be implemented by a traditional licensing agreement or services contract for use of the application or, more commonly, through an online click-wrap agreement.

Although social media tools are deployed in many organizations so as to allow widespread, decentralized access, agreeing to overall usage terms on behalf of an organization should be reserved to a specific point of contact or function within that organization. Otherwise, a company may find itself unknowingly or inappropriately bound to terms that commit it to obligations or the granting of rights that the company may later regret. Consider, for example, some customary provisions found in the online terms of a few widely used social media applications:

From LinkedIn Privacy Policy:
“To increase the effectiveness of ad delivery, we may include a file, called a web beacon, from an ad network within pages served by LinkedIn. The web beacon allows the ad network to provide anonymized, aggregated auditing, research and reporting for advertisers. Web beacons also enable the ad networks to serve ads to you when you visit other websites.”

From Facebook Privacy Policy:
“Information sent to ‘everyone’ is publicly available information, just like your name, profile picture, and connections. … The default privacy setting for certain types of information you post on Facebook is set to ‘everyone.’ ”

From YouTube Terms of Service:
“Although YouTube will not be liable for your losses caused by any unauthorized use of your account, you may be liable for the losses of YouTube or others due to such unauthorized use.”

For many organizations, terms such as these may be regarded as a fair trade-off for access to a useful online tool, but for others these terms may present significant obstacles that preclude use of a particular social media application. While it is occasionally possible to negotiate around difficult legal terms for online applications, because such terms are typically not negotiable and numerous cases have upheld the enforceability of online terms so long as basic requisites are followed, a review of relevant contract terms should be part of the cost/benefit analysis for use of a given application.


Compliance-related concerns pose some of the biggest challenges with social media activities. By their nature, compliance obligations require a company to do — or not do — specific things to avoid running afoul of a legal obligation imposed by an applicable statute or regulation. Some of the more pressing marketing-related compliance issues a company may encounter are noted below.


The Federal Trade Commission (FTC) has long scrutinized business practices within its broad mandate to regulate “unfair and deceptive trade practices.” Since the advent of the Internet, the FTC has been keenly focused on curtailing deceptive practices, even if unintentional, by businesses engaged in online commerce. While businesses should always ensure that their online advertisements are truthfully conveyed, a business with a social media presence should take particular note of the FTC’s recent efforts concerning online privacy, security and advertising.

With respect to privacy, the rules — so far — within the United States are generally straightforward. Aside from certain regulated industries, such as health care and banking, there generally is no obligation to maintain a privacy policy for online activity. However, most savvy users of Web sites, and, by extension, users of social media applications accessible from Web sites, expect some basic privacy protections and an online privacy policy will suffice for this purpose.

The FTC’s view is that if a policy is held out to the public, the site or applications operator is accountable for any failures to comply with its stated commitments. Earlier this year the micro-blog site, Twitter, entered into a settlement agreement with the FTC following the agency’s investigation of Twitter’s failure to fully comply with its online privacy and security commitments. Among other things, Twitter agreed to allow periodic audits of its online security procedures over the next 10 years.

The FTC has also expressed concerns over intrusive online privacy and security practices. Starting in 2007, the FTC issued and later updated the Self-Regulatory Principles for Online Behavioral Advertising, which encouraged companies engaged in “behavioral advertising” activities, such as tracking a user’s online movement from site to site, to follow a set of optional heightened privacy and security practices. However, the FTC has more recently expressed the view that self regulation is insufficient. As a result, it is likely only a matter of time before mandatory privacy and security regulations on the federal level are adopted by the FTC or Congress.

Another development is the FTC’s update in 2009 of its Guides Concerning the Use of Endorsements and Testimonials in Advertising (last updated in 1980), principally to address concerns over deceptive online endorsement practices, including by bloggers. Of particular note is the disclosure requirement of any material connections between the endorser and the seller of a product or service “that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience).” Thus, a company using a blog or third-party bloggers as a component of its marketing activities must take this FTC guidance into account.


Although the FTC is the most prominent authority on online privacy and data security matters, because the U.S. does not have a nationwide data privacy and security law, states have stepped in with various local laws to address related concerns. Virtually every state has a data-breach notification law, which requires notice to individuals whose personal information has been compromised in a data breach.

Beyond this, some states now impose affirmative security obligations prior to a breach incident. The most notable of these, because of their scope and the population of the states, are in California and Massachusetts. California law requires prominent posting of an online privacy policy. Massachusetts adopted a law, effective at the first of this year, that requires all businesses collecting and maintaining covered personal data — including with social media — on Massachusetts residents to implement a security policy satisfying minimum standards or risk penalties and enforcement actions.


The interactive nature of social media tools in most cases includes multiple communication elements. Frequently, e-mail and mobile device text-messaging capabilities are integrated into a company’s interactions with customers and prospects when using such tools.

Two federal statutes dealing with electronic communications, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) and the Telephone Consumer Protection Act (TCPA), require particular attention with social media use, especially if there is no pre-existing relationship between sender and recipient, or if the recipient has not affirmatively opted to receive e-mail or text messages.

CAN-SPAM applies to e-mails and requires, among other things, that a sender must provide the ability to unsubscribe, the subject line must be accurate, and the sender’s physical address must be provided. The TCPA, which originally was enacted to prevent unsolicited telemarketing telephone calls and before the widespread use of text messages, has been extended under recent case law to apply to unsolicited text message “calls” where an automatic telephone dialing system is used.


Specific requirements must be met to prevent online social media-based contests and sweepstakes promotions from running afoul of numerous state laws restricting unlawful lotteries. In all cases, this requires the elimination of one of two elements — “chance” and payment of “consideration” — which, when both are present in a promotion, results in a prohibited lottery.

In some states, additional legal requirements must be met, such as registration in Florida, New York and Rhode Island depending on the promotion details.


Let’s assume that your core business activity is the sale of lab equipment or providing consulting services. While you might not consider such businesses as “publishing,” if you use certain social media tools for promotional activities, you can find yourself sorting through a number of publishing liability concerns. This is because the characteristics of forums, blogs, data feeds and other interactive online tools effectively make the business both a limited-purpose online publisher and Internet service provider to the extent of such involvement.

A company engaged in online postings — for example, through a blog or via Twitter — is always liable if such postings are wrongful, most notably, for defamation or infringement of third-party intellectual property rights. Establishing guidelines for permissible online postings by a company’s own personnel, particularly when images, videos and other content created by others are used, will go a long way toward mitigating such concerns. Depending on the nature of the online forum provided by a company for third-party users, user-generated content may also create defamation and infringement concerns. Early in the development of the Web, Internet service providers (ISPs) succeeded in having Congress adopt a liability safe harbor in Section 230 of the Communications Decency Act (CDA), which shields ISPs from liability for the transmission of user-generated content. Section 230 has been judicially extended to operators of Web and blog sites when the operators only act as a “passive” publisher or merely transmit otherwise unlawful content (e.g., defamatory or infringing material) so long as the Web site operator was not responsible, in whole or in part, for creating that content.

A further safe harbor under Section 512(c) of the Digital Millennium Copyright Act (DMCA) protects Web site operators from third-party postings that infringe the copyrights of others. Among other requirements, the site operator must not have received a direct financial benefit from the infringing activity and the infringing content must be promptly removed after the operator becomes aware of an alleged infringement. Taken together, Section 230 of the CDA and Section 512(c) provide broad immunity to companies engaged in social media from unlawful user-generated content. However, because these safe harbors are subject to exceptions under certain facts, user-generated content must always be treated with great care.


As with many innovative technologies within the business enterprise, social media use brings significant benefits, which are tempered, if not properly managed, by myriad liability pitfalls. In due course, the legal rules applicable to these applications will be better sorted out in a manner similar to that seen with the spread of other relatively new technologies. In the meantime, by implementing appropriate safeguards and policies and maintaining an awareness of compliance obligations, the business opportunities with social media use should far outweigh any challenges.
