Twenty years ago, the social media world we now live in was the stuff of science fiction. Today, social media is a critical business tool creating unprecedented opportunities for direct consumer interaction, brand awareness, checking the pulse of key constituents and so much more. This incredible opportunity is not risk-free, however, and is the subject of new laws, application of old laws to new situations, and a significant amount of murkiness. Fortunately, the risks can be managed by considering the issues created by social media and that begins with asking the right questions. Below is a discussion of ten important questions every business can start with to better benefit from its social media presence.

1. What is my business agreeing to when it creates a presence on a social media site?
It is usually signing up for more than it thinks. In addition to terms of use and privacy policies applicable to all users of a social media site, each social media network has additional contracts for businesses. A business will at least be subject to a contract governing its page on the social site. If the business has its own website but uses social media plug-ins, widgets, or log-in credentials, a different contract (called Social Developer Rules) will apply. Some of these rules are only seen by the employee setting up the business’ page or downloading a widget—that is a problem because the rules will still apply.

For example, a 2015 Facebook rule says Facebook “can analyze your app, content, and data for any purpose, including commercial.” An older version is more explicit: Facebook “can analyze your app, content, and data for any purpose, including commercial (such as for targeting the delivery of ads on and off Facebook and indexing content for search).”

Failure to abide by the rules can have consequences even if the social media site does nothing. In In the Matter of Jerk LLC et al., the FTC alleged that engaged in deception by creating fake profiles of persons as “jerks” or “not jerks” and then offering a paid service to have the profile changed. Part of the deception charged was’s “improper collection of Facebook data in violation of Facebook’s agreed policies.” 

2. Who has rights in content or data?
Lots of people. Generally, the business owns its own content, but depending on the relevant contracts, the business usually grants the social network or users a range of licenses or permissions that can impact value, including the value of the business’ data that is of interest to the social network or others engaged in “Big Data” collection or analysis.   

What about “user-generated content,” such as photos of happy customers with your product? They are a great way to promote the business’ brand, but are they free for the taking? No. The person creating the content typically owns the copyright in it and merely posting on the business’ page does not transfer the copyright or create a license for re-posting or use in ads, etc. That needs to be done by contracts.  Privacy policies and other laws (such as the rights of publicity that persons in the picture may have) also impact the ability to use user-generated content.

What if the social network collects and provides the content to the business—can the business then assume that it can do anything it wants with it? No. Again, contracts count. To illustrate, the Twitter ad policies say: “Do not include another person’s content in Twitter Ads without the person’s permission. Create your own Tweets, or get permission from the authors of the Tweets and Retweets you use.”[1] That is another way of saying that businesses need to do their own compliance legwork.

3. Are there data privacy and security concerns for the business?
Yes. Privacy and data security laws abound.  Most US businesses are impacted by enforcement actions brought by the Federal Trade Commission (FTC) under its interpretation of its power to prevent unfair acts or deceptive practices. Between the FTC, other federal and state regulators, industry trade organizations codes, contracts, and sector specific laws, privacy and data security rules can heavily impact social media activities (e.g., “Big Data,” behavioral advertising,  mobile apps) and data types (e.g., geolocation information, IP addresses, and device identifiers).

Children have special protections under the federal Children’s Online Privacy Protection Act (COPPA). The act applies to online services not only when they are directed to children, but also when the site or service has actual knowledge that it has obtained online information from a child. Consider an unsolicited photo of an 8-year-old with a kitten and a message indicating the 8-year-old sent it, or the video of and from four young fans at a concert of a child celebrity—actual knowledge? Social developer rules say things like “Don’t knowingly share information with us that you [the business] have collected from children under the age of 13,” i.e., the social network does not want it. Neither should the business unless it can comply with COPPA.

4. Should the business take steps to protect its own trademarks, intellectual property, “new” property, or its reputation?
Yes. For example, the business should not only do the obvious (e.g., register copyrights and trademarks and protect trade secrets) but also deal with emerging types of property or rights (e.g., that popular Twitter handle, those loyal “followers,” and those blogs of employees about the business or its products). Litigation has begun regarding who owns or controls those kinds of “assets,” such as in cases where the employee quits or is fired.

Similarly, new ways of clearing intellectual property rights are emerging and should be considered. Taking months to clear rights while a movie is being made is significantly different from clearing rights in a real-time social media campaign during halftime at a major football game!

5. Can the business face liability for things users or third parties might do on or through its pages?
Yes. However, the business can mitigate some risks, including by qualifying for the federal Digital Millennium Copyright Act’s takedown provisions in case users post infringing items on its social media page. What about users posting defamatory or otherwise offensive comments? The federal Communication Decency Act says that providers of an interactive computer service will not be treated as the source of content provided by a separate content provider. This is a very powerful defense. There are ways to fail to qualify for it or to lose it, however, so relevant procedures and contracts are advisable.

6. Can the technology used by social media networks create an issue?
Yes, and in unexpected ways. Consider In re Hulu Privacy Litigation, 2014 U.S. Dist. LEXIS 59479 (2014). Hulu, an online provider of streamed content was sued for violating the federal Video Privacy Protection Act by releasing personally identifying information (PII) via a Hulu page with a “Like” button for the video on that page. The “Like” technology created by Facebook allowed Facebook to determine which Facebook member was associated with the video, so even though the data actually sent by Hulu did not include PII, the data held by Facebook did. In the court’s view, Hulu could be liable if it knew or should have known what data would go out to Facebook. The decision might not survive appeal, but does illustrate that social media technology can matter.

7. What issues might apply to a contest or sweepstake?
Tons. Social media can make sweepstakes and contests easy to create, but the usual range of issues to consider still applies. A description of some of those issues can be found in K&L Gates LLP’s client alert “Gambling on Promotional Sweepstakes and Contests,” available here.  

8. What issues might apply if users mention the business or its products in social media?
While endorsements or testimonials can be great for a brand, it is important to be sure your business is using them consistently with the law. The FTC has updated its existing guidance (which is really more like a requirement) on endorsements and testimonials to be relevant to social media, including blogging. Failure to comply can sting: in 2011, a company that advertised its products through online affiliate marketers posing as ordinary consumers paid $250,000 to settle with the FTC.[2] We are not just talking about obvious endorsements, such as by a celebrity—regulatory action today tends to center around situations in which “consumers” look like they are recommending a business’ product simply because they love it, but there is actually a connection between them and the business that, if disclosed, would affect how others evaluate the endorsement (e.g., the endorser is receiving free merchandise from the business).

9. Does the business need to retain records related to its social media use?
Yes, if there is a requirement or other reason to do so, such as being able to prove compliance with a law. Some businesses believe that “social” means that somehow a business gets a free pass to do things online that it cannot do offline. Examples would be a bank with a social media page that decides the setting is so informal that it need not provide required legal notices about whether a deposit product is FDIC insured, or a stockbroker that “tweets” information he is forbidden to disclose in a formal setting. Free passes do not exist, and most regulators have issued guidance about how businesses must operate in social media.

What about a sole proprietor that has valuable data on its social media page? At death, will executors and heirs have the passwords they need to get at that data? Some states will be considering a new uniform act, the Uniform Fiduciary Access to Digital Assets Act, which is intended to deal with that issue, but which is also the subject of debate. Regardless of ultimate solutions, the issue should be considered both as to business records and also as to any user records the business may hold (i.e., what obligations the business will have to executors of users).

Finally, do not forget litigation. If the business gets sued and needs to respond to discovery requests for information from its social media pages, it will need to be able to impose a “litigation hold” and comply with the “Electronically Stored Information” rules of the Federal Rules of Civil Procedure. That can be harder than one would think (especially when the data is on a third-party site), so advance planning is key.

10. With all these regulations and potential risks, why should a business bother with social media?
Bank robbers rob banks because that is where the money is. Businesses increasingly use social media because that is where society is.  While there are risks, they can be managed.

[1] (2014).

[2] Firm to Pay FTC $250,000 to Settle Charges That It Used Misleading Online “Consumer” and “Independent” Reviews, Federal Trade Commission (Jan. 21, 2015, 3:07 PM),