A Practical Guide to Social Media Policies in the Age of AI

Author: Lenin Lopez

Increasingly, companies use social media to communicate with customers, investors and the public. Additionally, employees now have access to AI tools that can help draft posts, summarize company materials, generate commentary or respond quickly to online discussions. The developments in AI make it even more important for companies to maintain practical social media policies that reflect how communications are actually created and shared.

Whether public or private, companies of all sizes should consider adopting a social media policy to help avoid common pitfalls. These policies can help protect confidential information, maintain brand integrity and establish expectations for employees conduct online. At the same time, policies should be thoughtfully drafted so they don't create unnecessary legal exposure or prove impractical to enforce.

Catching up with modern times

Many companies initially addressed social media through brief references in employee handbooks or codes of conduct. Over time, it's become clear that this approach may not be enough.

Social media now functions as a business communication channel. Depending on the context, a post may implicate disclosure obligations, advertising rules, employment law considerations or industry-specific regulatory requirements. Regulators have reinforced this point from multiple angles.

The Securities and Exchange Commission (SEC) has made clear that social media may be used for public disclosure purposes, but only where investors have been alerted to the channels a company intends to use.¹ Financial regulators continue to treat business-related social media communications as subject to supervision and recordkeeping requirements.² The Federal Trade Commission has emphasized that endorsements, testimonials and influencer activity, including employee advocacy, must be truthful and properly disclosed.³ In the life sciences space, the Food and Drug Administration (FDA) continues to refine its guidance on communications about regulated products, including updated draft guidance addressing online misinformation.⁴

Altogether, these developments underscore a simple point: Social media policies should reflect how companies actually communicate today and not how they communicated five or ten years ago.

FAQ: Social media policy basics

Why does my company need a social media policy?

A social media policy helps establish expectations and reduce ambiguity. It can:

• Protect confidential and proprietary information
• Promote consistent and accurate messaging
• Clarify who is authorized to speak on behalf of the company
• Reduce the risk of ad hoc or inconsistent responses
• Reinforce compliance with other policies and legal obligations

Who at the company should be involved in drafting the policy?

A social media policy is most effective when it reflects input from multiple stakeholders.

A few to consider:

• Human Resources can focus on employee relations and ensure consistency with employee-related policies and procedures.
• Communications and investor relations teams can address brand voice and external messaging.
• Legal and compliance functions can focus on confidentiality, disclosure, intellectual property and regulatory requirements.
• Information security and privacy teams can address access controls, data handling and platform risks.

Should we involve outside legal counsel?

In many cases, yes.

Employment counsel can help ensure the policy doesn't restrict protected employee activity. The National Labor Relations Board (NLRB) continues to emphasize that employees may use social media to discuss wages, benefits and working conditions, subject to certain limits.⁵

Regulatory counsel may also be advisable, particularly for companies operating in regulated industries. FDA guidance, including its 2024 revised draft guidance on addressing misinformation, remains relevant for companies communicating about medical products.⁴ The SEC's¹ and the Financial Industry Regulatory Authority's (FINRA)² expectations may apply to public companies and financial institutions, particularly with respect to disclosure, supervision and recordkeeping. Federal Trade Commission (FTC) guidance should be considered where endorsements, testimonials or influencer-type communications are involved.³

For companies with international operations, local legal considerations may also be relevant, particularly in areas like privacy, employment law and data retention.

What are some things to think about when creating a social media policy?

A well-designed policy should be practical, clear and aligned with how the company operates.

Some key considerations:

• Scope and applicability

  Define who is covered and when the policy applies. Many companies extend coverage to personal accounts when used in a business or professional context.

• Confidential information and disclosures

  Provide clear guidance on protecting sensitive information and complying with disclosure obligations.

• Authorized speakers

  Clarify who can speak on behalf of the company and when approval is required for external communications. For public companies, referencing and reinforcing Regulation FD principles would be wise.⁶

• Acceptable use and conduct

  Set expectations for professionalism, accuracy and appropriate tone, while avoiding overly broad restrictions that may be difficult to enforce or raise employment law concerns.

• Supervision and recordkeeping

  Consider whether business-related communications are subject to monitoring, supervision or retention requirements, particularly in certain regulated industries.

• Third-party content and endorsements

  Address reposting, endorsements and promotional activity, including disclosure requirements where applicable.

• Integration with other policies

  Align the social media policy with existing frameworks, including codes of conduct, disclosure controls, privacy policies and cybersecurity protocols.

How should companies think about AI when creating social media policies?

AI-enabled tools are increasingly part of how content is created, edited, summarized and shared. Employees may view these tools as convenient when preparing posts, responding to industry developments, drafting captions, summarizing company announcements, translating content or making something technical more accessible. Even when an employee is well-intentioned, the output could be inaccurate, incomplete, off-brand or based on confidential or proprietary information that shouldn't have been entered into the tool in the first place.

AI isn't the primary focus of most legacy social media policies and companies don't necessarily need a separate policy to address these risks. However, they should consider targeted updates within the existing universe of their policies, like those covering social media, confidentiality, communications and information security.

For example, companies may want to consider clarifying that:

• Employees remain responsible for content they post, regardless of whether it's generated or assisted by AI.
• Confidential or proprietary information shouldn't be entered into unauthorized tools.
• AI-assisted communications are subject to the same approval, accuracy and recordkeeping expectations as any other content.

These additions can help reinforce existing obligations rather than creating entirely new ones. That is, the underlying regulatory themes — like accuracy, supervision and accountability — remain unchanged, even as the tools evolve.

When and why should a company refresh its social media policy?

Companies should review their social media policies periodically. More importantly, they should revisit policies when the company's risk profile or communication practices change.

A few common triggers:

• Expansion into new markets or regulated industries
• Increased reliance on social media for business communications
• Use of employee advocacy or influencer-type programs
• Adoption of new technologies or communication tools
• Organizational changes
• Regulatory developments or enforcement activity

Recent updates, including the FDA's 2024 draft guidance,⁴ FTC revisions to endorsement guidance,³ and continued SEC¹ and FINRA focus on digital communications,² underscore the importance of keeping policies current.

Parting thoughts

A social media policy doesn't need to anticipate every scenario or platform. It should, however, reflect the realities of how the company communicates, the risks it faces and the regulatory environment in which it operates.

The most effective policies aren't the longest or most restrictive — they're practical, aligned with business operations and supported by appropriate oversight.

Published May 2026