pdf

Post/Tweet/Pin/Snap/Share/Etc. with Confidence: Crafting Social Media Policies to Survive Consumer and Regulatory Scrutiny

Date: Jul 14, 2015

It is a common refrain in advertising that you have to go where the eyeballs are. These days, many advertisers have concluded that the eyeballs are in and on social media- whether on desktop computers, tablets, or mobile devices like smartphones and smart watches so thats where many are spending an ever-growing part of their ad spend. While the relevant platforms change frequently, basic principles of truthful advertising do not, so crafting a robust social media policy for advertisers is a must. The policy should address (1) the Federal Trade Commissions (FTC) basic truth in advertising principles, and requirements for endorsements and online advertising; (2) privacy concerns implicated by social media advertising and related data security considerations; and (3) sweepstakes and contest requirements, including related laws on unsolicited communications administered by the FTC and Federal Communications Commission (FCC).

The FTC's Endorsement and .Com Disclosure Guides

There is one basic rule to follow when it comes to advertising: be truthful, not misleading, in your ads. From that all other obligations flow, including the obligation that claims are appropriately substantiated, regardless of the media involved, at the time they are made.

The FTC has elaborated on the specifics of what that admonition means in a number of particular contexts, including the Endorsement and Testimonial Guides, most recently updated in 2009. [1] The FTC staff released a set of FAQs responding to common marketer questions earlier this year, [2] and also updated guidance on how to make disclosures in the new digital media, the .Com Disclosure Guide, in 2013. [3] These guides are key to navigating regulatory compliance in the context of social media.

An endorsement from any person paid to speak positively about a marketer must be disclosed if the connection between the marketer and the endorser might materially affect the weight or credibility of the endorser. The FTC has explained that statements orendorsements in advertising, including blogs, social media posts, tweets, or personal appearances, that result from payment in any form on behalf of a marketer, including most product giveaways, must be treated asendorsements.

The connection between a marketer and an endorser must beclearly and conspicuously disclosed wherever an ordinary consumer might not understand that the endorser is compensated for promoting company products. Clear disclosure must be geared to the specific medium, as the FTCs staff made clear in the .Com Disclosures.

In brief, disclosures must be as close as possible to the triggering claim, including being in the claim, if possible; must take account of the platform and device used to communicate the marketing message, including constraints such as word/character count and space limitations; where links or multiple screens/windows/popups are used, the link should be obvious and should appropriately convey the importance, meaning, and relevance of the information linked to/subsequently presented. Disclosures must also be timely (for example, appearing when an endorsement is made or before a consumer can engage in a transaction). [4] The FTCs staff also recommended keeping abreast of empirical research about consumer perception, among other recommendations.

The FTC is also keeping a watchful enforcement eye on endorsements. The FTC contended that Sony Computer Entertainment America LLC and its advertising agency Deutsch LA, Inc. both failed to tell the truth and failed to disclose endorsement arrangements in advertisements launching Sonys PlayStation Vita (PS Vita) in 2012. [5] The PS Vita is a handheld device that was marketed as a mobile gaming platform that, among other things, enabled consumers to transfer game play from Sonys PlayStation 3 platform to the PS Vita via remote play or cross-save features. Around the time of the products launch, Deutsch encouraged its employees to post about the game on Twitter with the hashtag #gamechanger, but with one big omission: Deutsch failed to advise its employees to disclose their connection to Deutsch or Sony. Encouraged by the company-wide e-mail, Deutsch employees posted tweets such as:

One thing can be said about PlayStation Vita&its a #gamechanger

PS Vita [ruling] the world. Learn about it!

us.playstation.com/psvita/#GAMECHANGER

Thumbs UP #GAMECHANGER check out the new PlayStation Vita

This is sick. . . .See the new PS Vita in action. The gaming #GameChanger

Got the chance to get my hands on a PS Vita and Im amazed how great the graphics are. Its definitely a #gamechanger!

According to the FTC, absent a disclosure that the employees worked for Sonys advertising agency, these tweets meant Deutsch has represented, directly or indirectly, expressly or by implication, that these comments about the PS Vita were independent comments reflecting the views of ordinary consumers who had used the PS Vita, in violation of the FTCs guidance in the Endorsement Guides. Further, the FTC said the advertised features were extremely limited, contrary to Sonys claims. For example, ads indicated that PS Vita users could pause PlayStation 3 games any time and continue playing them on the PS Vita. In reality, saving capabilities varied widely from game to game; in one baseball game, saved games could only be transferred to the PS Vita after finishing nine innings.

The FTCs closing letter to Cole Haan sent last year in connection with a social media contest is also instructive. There, the FTC determined that requiring entrants to pin images of Cole Haan products as part of their entries for a chance to win a prize amounted to endorsements of the companys products and created a material connection between entrants and the company that must be disclosed. According to the FTC, the #WanderingSole hashtag that entrants were required to use for entries did not adequately communicate the material connection and the fact that the pins were made in connection with a contest. The FTC did not provide examples of disclosures that would satisfy the requirements for endorsements, but some reference to the fact of the contest was required.

Although the FTC did not take enforcement action in Cole Haans case, the FTC has subsequently noted in its recently-updated FAQs that, even though it has not mandated any particular wording in the context of social media ads, disclosures can be exceedingly brief and still comply:

[T]he same general principle that people get the information they need to evaluate sponsored statements applies across the board, regardless of the advertising medium. The words Sponsored and Promotion use only 9 characters. Paid ad only uses 7 characters. Starting a tweet with Ad: or #ad which takes only 3 characters would likely be effective.[6]

Other pertinent disclosures that the FTC singled out in its recent advice include the suggestion that if a company tells a consumer that their statement in a description of their own experience with a product might be mentioned in an ad, then the use of the statement in the ad should say something like, Consumers were told in advance that they might be featured in an ad. The staff reasoned that this alone, even without payment or promise of payment, could be construed as a benefit.[7] Paid employees of a company were also advised to disclose their relationship to their employer each time they wrote a post or item about the company that implies endorsement, even if they already note the connection on a profile page. The staff reasoned that readers would not see the disclosure if the endorsement appeared solely in a tweet that appeared in the regular stream of tweets.[8]

The who is behind an endorsement is central, but timing, in the digital world, may be everything when it comes to disclosures. Properly crafted, timed, and displayed disclosures ensure that users get the intended message, and that the message hits home.

Privacy Issues in Social Media Ads

Among the most important disclosures to consumers and regulators these days is the privacy policy, and the related issue of how a company deals with the personal information of consumers. FTC Chairwoman Edith Ramirez has repeatedly spoken of privacy by design. Companies engaging in advertising through social media may have access to a great deal of information about the readers or viewers of their ads, or little to none. Part of this will depend on the policies and practices of the social media platform, part of it will depend on the device, and part of it will depend on the marketers own technological capabilities.

For example, even if a company technically has no access to the personal information of ad viewers, it may be able to compare markers such as cookies, installation profiles, or device identifiers to its own records and thus identify a user. How and whether this is appropriate will vary even on a single platform as it changes its policies and offerings but a few privacy principles should be followed regardless of which platform a company is using and what policy it is operating under. And remember: As focused as the FTC has been on privacy, it is equally focused on data security, recently issuing additional guidance on basic data security precautions for businesses.[9]


  • Transparency: Tell the consumer what is being collected and what will be done with it. And remember, sometimes state laws apply. For example, California requires that websites tell the consumer whether a Do Not Track option is being honored or not.[10]
  • Consumer choice: Give consumers choice over the types of information that are collected. If certain information will be collected regardless of whether a consumer opts in or out, say that.
  • Limit sensitive data collection and limit retention: Data may be the lifeblood of online advertising, but it must be obtained, used, and maintained with care. Identify the purpose behind the collection of each type of data, and limit the data collection to the information necessary to the purposes identified. Limit the time period for which the data is held to the minimum duration necessary. Limit the personnel with access to sensitive data to those who actually need the data to perform their duties. Use industry standard security to protect sensitive data, and deploy industry standard security measures to ensure the integrity of the entire system.
  • Consent for material changes to policies and practices: When a material change to current policy or practice is planned, give consumers sufficient notice to enable them to opt out, including if necessary withdrawing from the service you are providing. Changing the way data is handled retroactively isnt just bad form, it can lead to enforcement actions, as was most recently illustrated by the bankruptcy of Radio Shack.[11] The company acquiring the assets of Radio Shack agreed to abide by earlier privacy promises, following the example of earlier instances where the FTC had sought to prevent the sale of consumers information in connection with an acquisition.[12]
  • Assure compliance: Perform privacy and security checks regularly. While no security is perfect, it makes sense to try to find holes in your systems before malicious actors do.

Not only should these principles be incorporated into your policies, they should be reflected in agreements with your suppliers, contractors, and others. Your privacy policy should be part of employee training for individuals with responsibilities for personal data, and a growing number of companies are reporting to their board of directors on privacy and security issues, particularly as data breaches, and the attendant costs of managing them, grow.

It is also important to fully understand the applicable legal framework under which you might be operating. Yelp ran afoul of this last year, when it collected birthdate information on users who registered through its mobile app, but failed to follow through. The Childrens Online Privacy Protection Act (COPPA) prohibits collecting personal information on users under 13 years old without their parents consent. While Yelps service is not directed to children, by failing to implement or act on a functional age screen it ended up collecting information from children under 13 in violation of the FTCs COPPA Rule, because it had actual knowledge, based on the age screen, that it was collecting information from children under 13.[13]

Marketing in the digital age requires engagement with consumers, and that means collecting data from consumers. When it comes to privacy, we advise that business follow three simple rules: Know what you do, Say what you do, and Do what you say. Properly constructing a privacy policy, developing websites, apps and campaigns aligned with the points above, and periodically checking to confirm compliance will help ensure that a marketer gets the needed information to run great marketing campaigns while meeting consumers and regulators expectations and applicable legal requirements.

Sweepstakes and Contests

Finally, contests and sweepstakes are popular ways to interact with customers, but they present a number of pitfalls that must be avoided. After all, not only do the same laws that apply to traditional forms of advertising apply to social media, but all promotions conducted through social media must comply with the policies, terms, and guidelines for the particular platform. Those guidelines vary and are constantly changing, so you should revisit them periodically. It is also prudent to consult each sites brand guidelines before using trademarks owned by the platforms. In addition to the sorts of disclosures required in all ads, most states require Official Rules for contests and sweepstakes, and that all promotional materials (which include websites, tweets, and Facebook posts) display the Official Rules, or at least abbreviated rules with the material terms. Communicating the material terms in social media and banner ads can be challenging given character and space limitations. Many states also regulate the activities of commercial co-venturers (for-profit entities who advertise that a portion of the purchase price of a product or service will be paid to a charitable organization), and require certain disclosures in their advertising.

It is also important to determine whether the promotion will require registration, bonding, or both in any states well in advance of the start date, as this can take time to secure. Some states require sponsors of contests and sweepstakes to post bonds or register the promotion, or both, and commercial co-venturers must register in some states before engaging in cause-related marketing.

Most importantly, companies must avoid running illegal lotteries, which are defined by having all three of the following elements present:


  • A prize;
  • A game of chance; and
  • Consideration (pay to play).

Marketers can avoid running illegal lotteries by either making the game one of skill or, if purchase of an item is a method of entry, providing an alternative method of entry that does not require a purchase. Social media policies should be written to ensure that promotions comply with applicable rules governing contests and sweepstakes.

In addition to general sweepstakes and contest rules, marketers should consider whether their promotions have COPPA implications. The CAN-SPAM Act[14] and the Telephone Consumer Protection Act (TCPA)[15] may also apply to sweepstakes and contests. It is important for marketers to familiarize themselves with how these laws may apply to aspects of their promotions. For example, sweepstakes and contests that offer extra chances to win if entrants refer a friend may be viewed to constitute consideration and require CAN-SPAM compliance. The TCPA and the FCCs implementing rules restrict certain calls and texts to wireless and residential lines using autodialers unless made for emergency purposes or with the called parties prior express consent.[16] The FCC recently adopted a significant Declaratory Ruling and Order that clarified, among other things, that consumers must be able to opt-out of automated calls and messages at any time and through any reasonable means, and adopted a broad interpretation of the term autodialer that covers predictive dialers, Internet-to-phone text messages to wireless numbers via e-mail or a carriers web portal and text messages from messaging apps.[17] Thus, marketers must take steps to obtain the requisite consent.

Dos and Donts

A few simple rules should help companies craft social media policies that address these considerations.


  • Remember that anyone paid or offered products or other benefits in exchange for positive statements about a company or its products or services is an endorser, regardless of the media involved.
  • If that relationship might affect the weight or credibility of the endorsement it is a material connection and must be disclosed.
  • Where a connection is material, and the ordinary consumer might not understand the connection, it must be clearly and conspicuously disclosed. Disclosures should be in close proximity to the without excessive scrolling or linking.
  • Celebrity endorsements in advertising often do not need to include disclosure of the material connections because consumers understand and expect that a celebrity is paid to promote the products or services, but where the setting raises doubt about whether the material connection would be known, a disclosure should be made.
  • Disclosures are required even in space-constrained media. Character limits and similar restrictions are not an excuse for inadequate disclosures; use of #Ad or #Sponsored may be needed.
  • Agreements with endorsers should require them to make disclosures, and establish that any testimonials reflect their true and accurate experiences. Disclosures by bloggers and others can be made naturally as part of a posting (I got this cool product from company x to try and loved it), or in a general fashion (I get paid or get free products to review). It is important to make sure that third party endorsers offer disclosures that are clear and conspicuous by periodically checking compliance.
  • The breadth of social media promotions can vary widely. Your policies should establish that your social media initiatives comply with relevant laws. At a minimum, you should consider whether any social media initiative triggers questions about compliance with COPPA, CAN-SPAM, TCPA and state laws, and take steps to modify the program accordingly.

* * *

Social media advertising is popular because it offers a uniquely effective way to reach key demographics. To be successful, marketers must bear in mind the unique requirements affecting business on social media platforms to ensure successful deployment in a manner that minimizes legal exposure.

For more information, contact Sheila A. Millar atmillar@khlaw.comor +1 202 434-4143 or Tracy P. Marshall atmarshall@khlaw.com
or +1 202 434-4234. Follow privacy, advertising, and data security developments and similar topics on Keller and HeckmansConsumer Protection Connection blog.



[1] Final Rule, 74 Fed. Reg. 53,138 (Oct. 15, 2009), codified at 16 C.F.R. Part 255.

[2] FTC Staff, The FTCs Endorsement Guides: What People Are Asking (May 2015), available at https://www.ftc.gov/system/files/documents/plain-language/pdf-0205-endorsement-guides-faqs.pdf.

[4] See .Com Disclosures at ii.

[5] See FTC, Sony Computer Entertainment America to Provide Consumer Refunds to Settle FTC Charges over Misleading Ads for PlayStation Vita Gaming Console: FTC Also Charges Los Angeles Ad Agency with Promoting Console Through Deceptive Twitter Endorsements (Nov. 25, 2014), available at https://www.ftc.gov/news-events/press-releases/2014/11/sony-computer-entertainment-america-provide-consumer-refunds.

[6] See The FTCs Endorsement Guides: What People Are Asking at 12.

[7] See id. at 15.

[8] See id. at 6.

[9] See FTC Staff, Start with Security: A Guide for Business (June 2015), available at https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf.

[11] See Letter, Jessica Rich to Elise Frejka, Esq., In Re: RadioShack Corporation, et al., No. 15-10197 (BLS) (Bankr. D. Del.). (May 16, 2015), available at https://www.ftc.gov/system/files/documents/public_
statements/643291/150518radioshackletter.pdf
.

[12] See, for example, FTC v. Toysmart, No. 00-11341-RGS (D. Mass. 2000), available at https://www.ftc.gov/enforcement/cases-proceedings/x000075/toysmartcom-llc-toysmartcom-inc.

[13] See FTC, Yelp, TinyCo Settle FTC Charges Their Apps Improperly Collected Childrens Personal Information (Sep. 17, 2014), available at https://www.ftc.gov/news-events/press-releases/2014/09/yelp-tinyco-settle-ftc-charges-their-apps-improperly-collected; see also 16 C.F.R. Part 312.

[14] Pub. L. 108187, 117 Stat. 2,699 (Dec. 16, 2003).

[15] Pub. L. 102243, 105 Stat. 2,394 (Dec. 20, 1991).

[16] 47 U.S.C. Ǡ227; 47 C.F.R. Ǡ64.1200.

[17] Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CG Docket No. 02-278, Declaratory Ruling and Order, FCC 15-72 (rel. July 10, 2015).