OMG! #SocialMedia & #Compliance? ROFL!

“We don’t have a choice on whether we DO social media,” says digital marketing guru Erick Qualman. “The question is how WELL we do it.”¹

Indeed, an estimated 74 percent of adults online in the U.S. now use social networking sites.² And the boom is global: Facebook, for example, boasts 1.3 billion monthly active users—more than half the world’s online population, with 81 percent of its active daily users located outside the U.S. and Canada.³ With smartphones offering easy and ubiquitous Internet access, content is by no means restricted to text. The fastest-growing social network currently is Instagram, where an average of 60 million photos are shared each day.⁴

Companies and their ethics and compliance professionals are clearly responding to this ongoing explosion in social media. In one recent survey, some 88 percent of corporate respondents indicated they have a policy related to employees’ use of social media, up from 65 percent in 2013.⁵ These policies merit regular attention as technologies change and, perhaps more importantly, as more companies increase their use of platforms such as Facebook and Twitter to increase brand exposure, boost web traffic and gain market insight. By one estimate, social media marketing budgets are projected to double in the next five years.⁶

The efficacy of any social media policy will therefore depend in large measure on how well it is integrated into day-to-day business operations and corporate culture; the size and complexity of a company’s social media policy should reflect the scope of the organization’s involvement with these new communications platforms.

Policies and Practices

As we’ve written in prior Risk Forecast Reports, an effective social media policy should be simple, consistent and tightly aligned with a company’s code of conduct. Whatever the company guidance for in-person encounters, and whatever the rules for general good behavior, they apply in the online world as well. Examples of thoughtful policies are those developed by IBM⁷ and The Coca-Cola Company.⁸

But there’s no accounting for bad-taste status updates, the oversharing of personal information or photos by employees or inadvertent leaks of confidential information on social media. So companies need to be vigilant, yet not overly prescriptive in their policies. And even the best organizational policies should be reviewed regularly to ensure they stay abreast of legal and regulatory developments. The social media landscape changes daily; what follows are a few things to keep in mind.

Employee social media postings regarding an employer are often “protected” communications. While corporate policies can and should preclude employees from disparaging the company or fellow employees, the context of an online post is critical. The U.S. National Labor Relations Board (NLRB) has shown a consistent tendency over several years to treat many employee social media postings as “protected concerted activity” under Section 7 of the National Labor Relations Act.⁹ In an August 2014 ruling, for example, the NLRB ruled that “liking” a Facebook comment could be protected activity. The case involved the Triple Play Sports Bar and Grille in Connecticut, where an employee complained in a profanity-laced post that the employer had incorrectly filled out tax forms and the employee had to pay higher than anticipated state income tax.¹⁰ Another employee liked the original post. Triple Play fired the original poster as well as the employee who liked the post. The NLRB concluded that because the initial post was protected activity, liking the post was “an expression of approval of the initial status update,” and, as such, was also protected activity.

Social media marketing posts are subject to most of the same regulatory restrictions as traditional advertising. High-end shoe retailer Cole Haan found itself slapped with a warning by the Federal Trade Commission (FTC) in 2014 following its promotion on Pinterest, a social media site where users can save and organize images knows as “pins” in collections known as “boards.” Pinterest followers had been invited to post images of Cole Haan shoes with the hashtag “WanderingSole” (#WanderingSole), with a $1,000 shopping spree promised to the contestant with the most creative entry.¹¹ Unfortunately, the promotion did not disclose that the “pins” may have been motivated by the possibility of winning a shopping spree and thus ran afoul of FTC guidelines which state that if there is a connection between the endorser and the marketer of a product that would affect how people evaluate the endorsement, it should be disclosed. Social media marketers should consult the FTC’s guidance for mobile and other online advertisers which explains how to make disclosures clear and conspicuous to avoid deception.¹²

Social media practices are often the subject of industry-specific guidelines and regulations. In June 2014, for example, the Food and Drug Administration issued draft guidance on social media for pharmaceutical and medical device companies.¹³ The guidance would require companies to post both the benefits and the main risks associated with a product, potentially with a hyperlink taking the reader directly to a more detailed list of risks. The FDA draft was widely criticized by the industry, including by a leading trade association that argued that the FDA’s “own use of social media is decidedly not the way the agency claims that companies should use these platforms.”¹⁴ Banking and finance companies are subject to strict industry social media guidelines as well.

Legislators and regulators are increasingly taking action regarding how companies use the data gathered through social media applications. Social media networks are commonly viewed as broadcast media—a way for individuals or organizations to transmit messages to individuals or groups. But corporate marketing campaigns often also harvest personal information related to a broad range of demographic criteria including age, ethnicity, health and socioeconomic status. If the data is used improperly, an organization could be exposed to considerable legal and regulatory risk.

The state of California, for example, in September 2014 enacted a landmark law, the Student Online Personal Information Protection Act (SOPIPA),¹⁵ which restricts the ways education technology companies can use the information they collect about elementary through high school students. The law prohibits websites and online applications from using, disclosing or compiling the personal information of a minor for the purpose of marketing or advertising and “knowingly engaging in targeted advertising to students or their parents or legal guardians, using covered information to amass a profile about a K–12 student, selling a student’s information or disclosing covered information.” Following enactment of the California law, a number of major educational companies pledged to adopt similar data protections throughout the U.S.¹⁶

Separately, in June 2014, a working group appointed by President Obama to examine data practices warned that “…big data analytics have the potential to eclipse longstanding civil rights protections in how personal information is used in housing, credit, employment, health, education and the marketplace.”¹⁷

Expect more controversy regarding the European Union’s new data regulation and the “right to be forgotten.” While aspects of the EU’s General Data Protection Regulation (GDPR) continue to be debated, most observers expect its adoption by sometime in 2015. The regulation, which would be in force in every EU member state, establishes a “right to be forgotten,” which allows people who are mentioned in data to obtain the erasure of that data and prohibits further dissemination of such data once the person exercises their right.¹⁸ A May 2014 ruling by the Court of Justice of the European Union focused attention on search engines and intermediaries such as Google, which has received more than 140,000 requests to have links removed. However, the right to be forgotten could have important implications for any company or data controller that hosts user-generated content; they could be subject to compelled take-down orders.¹⁹

Risk Management

Addressing the risk management challenges presented to an organization by social media requires input from specialists in compliance, technology, information security, legal, human resources and marketing.

Some helpful approaches to developing a comprehensive risk management system for social media practices can be found in guidance published by the U.S. Federal Financial Institutions Examination Council (FFIEC), whose recommendations could also easily apply to companies outside the financial sector.²⁰ The guidance encourages companies to consider adoption of:

• a governance structure with clear roles and responsibilities whereby the Board of Directors or senior management of a firm directs how using social media contributes to the strategic goals of the organization;
• policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations;
• a risk management process for selecting and managing third-party relationships in connection with social media;
• an employee training program that incorporates the organization’s policies and procedures for official, work-related use of social media and potentially for other uses of social media, including defining impermissible activities;
• an oversight process for monitoring information posted to proprietary social media sites administered by the organization or a contracted third party;
• audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations and incorporation of guidance as appropriate; and
• parameters for providing appropriate reporting to the organization’s Board of Directors or senior management.

Despite all of this social media activity, data indicates that ethics and compliance professionals have not yet fully embraced these new platforms as a means for spreading the compliance message. One recent survey found that only half of the respondents (51 percent) use internal social media channels to communicate about compliance and ethics issues. And only 41 percent use external social media to communicate with investors, the general public, government and other stakeholders about their compliance and ethics efforts and outcomes.²¹

If they’re not doing it already, ethics and compliance executives might do well to engage personally and professionally with at least some of the various social media platforms. There’s a lot to be learned, especially as younger employees, customers and stakeholders continue to turn to social media for news and information and as a method of communicating their product likes and dislikes. It’s a dynamic and increasingly important method of understanding how a corporate reputation is understood by others.

Michael Connor is an expert with LRN’s  Ethics & Compliance Alliance (ECA). The ECA is an online community of thought leaders and practitioners that provides unique resources and support to enhance enterprise-wide knowledge, mitigate risk, support collaboration with experts and implement program components. It provides a unique opportunity to interact and collaborate with leading subject-matter experts across all the major ethics and compliance risk areas and provides an extensive library of hands-on resources and tools to include model policies and program materials, risk assessment procedures, legal research, analyses of recent legal developments and educational materials such as the ECA Risk Forecast Report.

The ECA Risk Forecast Report is an annual publication of the most significant risks facing organizations today, as reported upon and analyzed by 12 leading ethics and compliance experts. These individuals—leading specialists whose articles are featured in the body of the Report—provide insight into the regulatory and compliance challenges we face in 2015 and the developments that are likely to result.

¹ http://www.socialnomics.net/2010/05/05/social-media-revolution-2-refresh/

² http://www.pewinternet.org/fact-sheets/social-networking-fact-sheet/

³ http://newsroom.fb.com/company-info/

⁴ http://www.socialmediatoday.com/content/instagram-fastest-growing-social-network-4-brands-riding-wave

⁵ http://www.pwc.com/us/en/risk-management/state-of-compliance-survey/assets/pwc-state-of-compliance-2014-survey.pdf

⁶ http://socialtimes.com/infographic-20-marketing-trends-and-predictions-to-consider-for-2014_b137315

⁷ http://www.ibm.com/blogs/zz/en/guidelines.html

⁸ http://www.coca-colacompany.com/stories/online-social-media-principles

⁹ http://www.nlrb.gov/news-outreach/fact-sheets/nlrb-and-social-media

¹⁰ http://www.nylaborandemploymentlawreport.com/wp-content/uploads/sites/37/2014/09/TriplePlay.pdf

¹¹ http://www.ftc.gov/system/files/documents/closing_letters/cole-haan-inc./140320colehaanclosingletter.pdf

¹² http://www.ftc.gov/news-events/press-releases/2013/03/ftc-staff-revises-online-advertising-disclosure-guidelines

¹³ https://www.federalregister.gov/articles/2014/06/18/2014-14220/draft-guidance-for-industry-on-internetsocial-media-platforms-with-character-space-limitations

¹⁴ http://www.regulations.gov/#!documentDetail;D=FDA-2014-D-0397-0018

¹⁵ https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB1177

¹⁶ http://www.nytimes.com/2014/10/07/business/microsoft-and-other-firms-pledge-to-protect-student-data.html

¹⁷ http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf

¹⁸ http://ec.europa.eu/justice/data-protection/

¹⁹ http://bits.blogs.nytimes.com/2014/10/09/google-provides-details-on-right-to-be-forgotten-requests/?_php=true&_type=blogs&_r=0

²⁰ http://files.consumerfinance.gov/f/201309_cfpb_social_media_guidance.pdf

²¹ http://www.pwc.com/us/en/risk-management/state-of-compliance-survey/assets/pwc-state-of-compliance-2014-survey.pdf