Is your business’s social media policy still fit for purpose?

14 September 2023

When did your business last review or update its policy on employee social media use? Does it reflect the way that social media is being used on a day-to-day basis in your organisation?

Deploying social media is now deeply embedded in many employees’ job descriptions, whether for the purposes of promotion and marketing, recruitment, or communicating with customers and suppliers. The use of social media is no longer confined to the marketing team, and employers need to manage the risks that come with wider access to such a powerful tool. Employees’ use of social media creates a wide range of potential liabilities for any business, from vulnerability to losing important contacts to problems accessing corporate accounts when employees leave.

Although social media platforms appear to be informal means of communication, extracts from social media accounts now regularly appear in evidence before courts and tribunals. Employers whose staff engage in any social media activity on behalf of the business should therefore give employees clear guidance. It may be necessary to specify which individuals can use social media on behalf of the company and which need to obtain prior authority before posting any material.

In this article, we highlight some key risks to consider in deciding whether you need to review any contractual terms, policies, templates, or training.

Who owns the account?

The legal ownership of each social media account will be determined by the terms of the provider. For example, LinkedIn’s terms state that the account holder owns the account.

It is not uncommon for employees to set up work accounts on behalf of an employer using their own login credentials, but employers’ policies need to be worded to ensure that ownership remains with the organisation and that passwords are shared or transferred as part of an exit process.

Who owns contacts gathered via social media?

The courts have found that the contacts gathered by an employee on a work account during employment belong to the employer.

It has long been established that departing employees cannot take a database of their employer’s contacts with them in order to set up in competition. This principle was applied to social media in Whitmar Publications v Gamage [2013]. A former employee was ordered by the High Court to give her previous employer the login details of four LinkedIn groups that she had managed for the employer. The former employee had used the groups to promote a new business set up by her with two former colleagues. This case provides some comfort for employers, but case law in this area is only in its infancy.

Using personal accounts

The situation is less clear when employees use their personal accounts for work purposes, for example, where the employee has a number of relevant prior contacts on a personal account which they use on behalf of a new employer. Employers should clearly define acceptable employee use, if any, of personal social media accounts for work purposes. To avoid risking the loss of business contacts on termination, employers can decide that the use of personal accounts is simply not permitted. Any prohibition needs to be made clear to employees in a policy, as discussed below, and could also be included in employment contracts.

If you do allow the use of personal accounts, the social media policy should state that any business connections made in the course of employment belong to the company. The policy should require an employee to comply with arrangements for providing this information when they leave and to delete relevant contacts from their personal accounts without making copies. However, such a provision may be difficult to enforce, particularly if it is difficult to determine which contacts were made through work-related activities and which in their personal capacity or through a previous employer.

What to address in your policy

We recommend having a social media policy which is implemented through training at induction and regularly reviewed and updated. It should tie in with other relevant policies, such as:

  • data protection;

  • confidentiality;

  • equality, diversity, and inclusion; and

  • IT and electronic communications.

There are many potential risks entailed by employees’ online activities which a policy can address to the extent that they are relevant to the business. Points which may need to be considered include the following:

  • Employees should be respectful and professional at all times. Aside from reputational damage, an online spat with a competitor or making degrading comments about a previous supplier could risk claims of defamation or malicious falsehood or, depending on the circumstances, a discrimination claim.

  • Employees should not engage in false advertising or unethical marketing practices such as posting fake reviews.

  • In their eagerness to share good news involving a third party, such as a potential new deal, investor, business associate or customer, employees need to be careful not to breach confidentiality, data protection law, or the terms of any non-disclosure agreement relating to negotiations, or to endanger legal privilege. Employees also need to protect the confidentiality of the employer’s sensitive business information, such as that relating to the performance of the business.

  • Employees should ensure that they are familiar with and comply with the terms of use of the social media platform.

  • When reproducing text or copying a trademark or brand, employees need to be aware that if they do so without the consent of the owner, they could infringe intellectual property rights.

  • If publishing comparisons with other businesses to advertise services or products, employees need to ensure that they comply with the rules on comparative advertising. 

  • Employees should use company social media accounts, where applicable, and should use a work email address to open accounts such as LinkedIn. The employee should share the access details with a colleague so that they are not the sole gatekeeper to such a powerful asset. The account should be deemed to belong to the employer and the connections made through that account to be part of a database of information belonging to the employer.

  • If the employee is allowed to use their personal account, any conditions for this should be set out, for example, requiring the employee to make it clear when they are posting on behalf of the company and when in their personal capacity.

  • A crucial practical step that will help protect any business is to ensure that up-to-date login details are always shared with the employer – especially on departure.

  • Depending on the business, employees could also be required to add contacts made through social media to a database held by the employer.

Contractual provisions

In addition to having a well-drafted policy, relevant contractual provisions need to be fit for purpose and bespoke to your business. Outdated or generic clauses are less likely to be effective.

Existing clauses that may need to be updated include confidentiality and data protection provisions. If there is a risk that an employee could use contacts after their employment has ended to compete or poach customers, restrictive covenants limiting their activities post-termination could give you further protection. These can include specific requirements in relation to social media accounts.

Contractual rights allowing you to restrict employees’ work activities during notice periods – usually known as ‘garden leave’ clauses – can serve a similar aim to a restrictive covenant.

How we can help

We can help you to ensure your policies and employment contracts protect your business as its use of social media evolves.

For further information, please contact the team at Synchrony Law.

This article is for general information only and does not constitute legal or professional advice. Please note that the law may have changed since this article was published.

Chris Tutton