Increasingly businesses are reliant on social media as an advertising channel, a way to connect with customers, and a means to gain valuable market insights. The reputational risks of social media are one aspect, with a few social media campaign 'fails' causing uproar over the years. Yet there are legal risks too. Though the legal risks are not necessarily unique to an online platform, when considering how quickly and easily social media can 'go viral', it is important that businesses put in place both preventative and reactive ways of mitigating these risks.

The terms and conditions of the social media platform are one aspect that needs to be explored. Material which is not compliant may be removed by the social media networks and companies are exposed to potential legal liability to the social media network. In this article, though, we explore five potential legal risks external to the platform that can occur where a business uses social media, including copyright infringement, misleading conduct, privacy & confidentiality, defamation and non-compliance with advertising standards.

1. Copyright infringement

Businesses may be led into thinking that because a photograph, for example, is made available on the internet or is subject to a creative commons licence only, it is free for them to use, no further questions asked. Rarely is this the case. Whilst exceptions to copyright law and within a licence may make material available for certain uses including for personal use, usually these restrictions will not apply for commercial use, including where used in an advertising or branding campaign. Also, if the business is using music on its social media platforms, always consider whether a music licence is required and has been obtained.

Clearances for all third party materials should be obtained where used as part of a social media campaign, just as they would be for a print campaign. Be somewhat sceptical of anything claimed to be 'free', and consider having the licence terms reviewed for conditions around attribution or restrictions on commercial use. Businesses should also consider whether the talent featured in any photographs or videos, for example, have provided the required clearance. This would also apply to posting photographs or videos of customers or participants at an event run by your business.

2. Misleading Conduct

An offer made via social media still needs to go through all the usual checks. Consumer protection laws which prohibit businesses from making false, misleading and deceptive claims about their products or services are still applicable. Claims made on social media should be substantiated, as should any comparisons with competitors. If the offer is for a limited time, or conditions apply, the phrasing of the offer should be considered. Reviews or testimonials should be not falsified or otherwise misleading. The Australian Competition and Consumer Commission (ACCC) expects companies to regularly monitor their social media pages, including for content posted by users that the business knows or should know is misleading.  The ACCC can require companies to substantiate claims and can take court action or issue an infringement notice where it identifies a breach of the law.

Be careful when conducting campaigns that may imply an affiliation with or endorsement by (for example) a celebrity, a movie or a government body. If a business does not have such an affiliation or endorsement, this content could be considered misleading and the third party could take issue.

Conversely, where a business is paying or otherwise sponsoring a celebrity or organisation to endorse its products or act as a brand ambassador using the third party's social media channels, it may be misleading for the third party to post the paid social media content without somehow disclosing the affiliation.

3. Privacy and Confidentiality

Personal information is any information that can reasonably identify an individual. This could include name, phone number or email address. A business subject to privacy laws cannot collect, use, disclose or store such information without complying with these laws. Privacy regulation mandates the notification of individuals when personal information is being collected, and prevents disclosure of such information unless it is for certain purposes.

Online company Freelancer, received an adverse decision from the Privacy Commissioner last year when it publically identified a user when it responded on social media, including Facebook, to negative feedback the consumer had been posting, either anonymously or using a pseudonym. The complainant was awarded $20,000 in damages. Whilst this was an extreme example of an individual who took this issue all the way to the Commissioner, there is no doubt this occurs more regularly than reported.

All business personnel that deal with personal information should receive training as to their obligations, and a business should consider whether its privacy policy accurately discloses its practices with regard to collection, use and disclosure of personal information, including with respect to social media.

Disclosure of information that was imparted in confidence can also lead to legal issues. An example that is particularly relevant to companies is the non-disclosure clauses sometimes present in business to business contracts. They might outline that any public disclosure of the relationship between the businesses is not allowed or is only allowed with permission of the other party. But will the excited sales team member posting on social media about landing a big deal with a well-known company be aware of those clauses? 

4. Defamation

Potentially also actionable as misleading and deceptive conduct, defamation is where content is published or broadcast that injures a third party's reputation. There are defences where that content is true, or an honest opinion, amongst other grounds. Most companies do not have standing to sue others for defamation and would need to rely on other causes of action but a business can potentially defame an individual or small company. The risk with social media is that defamation could potentially occur by 'liking' or 'sharing' a defamatory comment made by someone else, especially where this introduces a new and broader audience to the content. And we all know how quick and easy it is to hit these ubiquitous buttons.

5. Advertising Standards

Even if it just branding or profile building, content posted on the social media platform of a business will usually be advertising material. The Advertising Standard Bureau (ASB) has, for example, determined that content on the Facebook page of a business can be an advertising or marketing communication. Therefore the codes administered by the ASB will apply. These codes generally govern the use of strong language, portrayal of sex, sexuality, nudity, violence and other content that may offend prevailing community standards. There are also codes which apply specifically to the marketing of food and beverages (including alcohol) or motor vehicles, and marketing communications to children. It is good to pause and consider whether the content is 'age appropriate' (if age restrictions can be put in place, some issues can be resolved), and whether the guidelines are otherwise complied with.

As with the other risks, social media exacerbates advertising standard compliance risks because of the comments that members of the public can publish on a business' social media platform. The business should consider its 'house rules' where inviting members of the public to comment in relation to a campaign. Any social media platform should also be frequently monitored for non-compliant content. If a comment or other post is made that contains offensive content, this content should be removed. There is a fine line to be walked here, as regulators such as the ACCC would not approve of a business removing comments to the extent they were critical of a business with no other reason. There will often be some recognition by regulators that a business cannot completely control the public. However, a business would be expected to take reasonable efforts, viewed in the context of the particular campaign and resources available to the business, to manage the content which it instigates.  

What can a business do to mitigate risks?

The appropriate steps will differ depending on the business and the industry in which it operates, but some recommended compliance procedures include:

  • a company policy for digital communication and social media
  • terms of use or house rules for users who post or upload content
  • regular monitoring and moderating of online and social media sites to remove inappropriate and unlawful content, including allocation of site monitoring responsibilities to individual staff members who report to a suitably experienced manager
  • regular staff training on company policy and legal requirements
  • internal digital security measures (for example, password access to company sites)
  • online filters (for example, age restrictions and/or language restrictions)
  • a current privacy policy which is easily accessible to consumers and which clearly outlines how the company will use personal information, including collection of unsolicited personal information
  • legal review of campaigns including obtaining copyright clearances.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.