Social Media Policy: What Most Companies Get Wrong
A social media policy is a set of guidelines that defines how a business and its employees use social media, covering everything from brand voice and content approval to employee conduct and crisis response. Done properly, it protects the business, gives the team clarity, and prevents the kind of incidents that end up in the trade press for the wrong reasons.
Most companies treat it as a compliance document and file it somewhere no one reads. That is the wrong way to think about it. A good social media policy is an operational tool, and the difference between having one and enforcing one is where most businesses quietly fall apart.
Key Takeaways
- A social media policy only works if it is written for the people who need to use it, not for the legal team that drafted it.
- Employee conduct clauses are the section most likely to be tested and the section most companies write least carefully.
- Crisis response protocols need to be decided before a crisis, not during one. Speed of decision-making is the variable that determines damage.
- Approval workflows that are too rigid slow down content and create workarounds that defeat the purpose of having a policy at all.
- A social media policy without a review cadence becomes outdated fast. Platform rules, team structures, and brand positioning all change.
I have worked across more than 30 industries in agency leadership roles, and the social media incidents I have seen damage brands almost always had one thing in common: there was a policy, but no one had genuinely operationalised it. It existed on paper. When something went wrong, the team had to improvise, and improvisation under pressure is where reputations take damage.
What Should a Social Media Policy Actually Cover?
Before getting into the specifics, it is worth being clear about scope. A social media policy is not just about what the brand posts. It covers three distinct areas: what the business publishes on its own channels, how employees behave on their personal accounts in relation to the business, and how the business responds when something goes wrong on either front.
Companies that focus only on the first area tend to get caught out by the second or third. The brand account is the easiest thing to control. Employee conduct and crisis response are where the real exposure sits.
If you are building or reviewing your broader social media approach, the social media marketing hub at The Marketing Juice covers channel strategy, content, and measurement in more depth. This article is focused specifically on policy, governance, and the operational side of keeping things from going sideways.
The core sections a functional social media policy should contain are:
- Brand voice and content standards
- Approval and publishing workflows
- Employee personal account guidelines
- Confidentiality and disclosure requirements
- Crisis and incident response protocols
- Legal and compliance considerations
- Review and update schedule
Each of these needs to be specific enough to be actionable. Generic statements like “employees should behave professionally online” are not a policy. They are a wish.
Brand Voice and Content Standards: More Specific Than You Think
Brand voice guidelines often live in a separate document, but the social media policy needs to reference them clearly and add platform-specific context. The way a brand communicates on LinkedIn is not the same as how it communicates on Instagram or X, and the policy should acknowledge that without leaving so much room for interpretation that every post becomes a negotiation.
When I was running an agency and we took on a new client with a complex stakeholder structure, one of the first things we did was audit their existing social content against whatever brand guidelines existed. Almost always, there was drift. The guidelines said one thing, the actual content did another, and no one had noticed because there was no process for checking. The policy had no teeth because the workflow did not enforce it.
Content standards in the policy should define:
- Topics the brand will and will not comment on
- Tone parameters by platform
- Visual standards and what requires design review
- Rules around third-party content, resharing, and user-generated content
- How the brand handles comments, including negative ones
That last point is underrated. Comment moderation is a content decision, and it should not be left to whoever happens to be monitoring the account that day. Optimising social media content is not just about what you publish; it is also about how you respond to what comes back.
Approval Workflows: Where Policies Go to Die
This is the section of most social media policies that is either too loose or too rigid, and both extremes create problems.
Too loose, and the policy is essentially decorative. Anyone can post anything, approvals are informal, and accountability is unclear. Too rigid, and you create a bottleneck where every piece of content needs three sign-offs before it can go live, the social team spends more time chasing approvals than creating content, and the workaround becomes posting first and asking forgiveness later.
I have seen both. The rigid version is more common in regulated industries, which is understandable, but the effect is often a social presence that is so sanitised it has no commercial value. Content that takes two weeks to approve is not social media. It is a press release with a thumbnail.
A more functional approach is tiered approval. Routine content, posts that fall within pre-approved formats and topics, can be published with a single sign-off or even autonomously within defined parameters. Content that touches sensitive areas, involves external partnerships, or deviates from standard formats requires a second review. Crisis-related content requires senior sign-off before anything goes out.
The policy should define what falls into each tier clearly enough that the social team does not have to guess. When people have to guess, they either over-escalate (slowing everything down) or under-escalate (creating risk). Neither is what you want.
Tools like scheduling platforms and content calendars help enforce workflow discipline without adding friction. Social media management tools that include approval routing can make tiered workflows practical rather than theoretical, particularly for teams managing multiple channels or multiple markets.
Employee Personal Account Guidelines: The Section Most Companies Write Badly
This is where most social media policies are either vague to the point of uselessness or so restrictive that they create resentment without providing protection. Getting this section right requires thinking carefully about what you are actually trying to prevent and what you are not.
The goal is not to stop employees from having opinions online. The goal is to prevent three specific things: disclosure of confidential information, statements that could be attributed to the company without authorisation, and conduct that creates legal or reputational liability.
The policy should be explicit about what counts as confidential: client names, campaign performance data, financial information, internal personnel matters. If employees do not know what is confidential, they cannot be expected to protect it. I have seen cases where someone posted a screenshot of an internal dashboard thinking it was innocuous, and it contained data that was commercially sensitive for a client. No malice, just a gap in what the policy communicated.
Disclosure requirements are equally important. If an employee posts about the company, its products, or its clients in a way that could be seen as endorsement or commentary, they should be required to identify their relationship to the business. This is not just a courtesy; in some jurisdictions it is a legal requirement.
The policy should also be clear about what it does not cover. Employees have a right to express personal views on matters unrelated to the business. A policy that attempts to govern all employee online behaviour will create legal exposure of its own and will not survive a challenge. Be precise about the boundaries.
Crisis Response: Decide Before You Need To
The crisis response section of a social media policy is the one most likely to matter and the one most often written as an afterthought. It tends to be vague (“escalate to senior management”) when it needs to be specific (“the social media manager contacts the head of communications within 30 minutes of identifying an incident, using the defined escalation channel”).
Speed matters in social media crises, but not in the way most people think. The speed that matters is not how fast you post a response. It is how fast you make a decision. A response that goes out two hours after an incident, having been properly assessed and approved, is almost always better than a response that goes out in twenty minutes without proper context. But a response that takes six hours because no one could agree on who had authority to approve it is damaging in a different way.
Early in my career I watched a client mishandle a social media incident not because they said the wrong thing, but because the internal process for deciding what to say was so unclear that by the time they posted anything, the story had already been framed by others. The content of the response was fine. The timing made it look defensive.
The crisis protocol in your policy should define:
- What constitutes a crisis versus a complaint or a difficult comment
- Who has authority to approve crisis communications at each level of severity
- The escalation chain and contact details
- Whether to pause scheduled content during an incident and who makes that call
- Whether to respond publicly, move to direct message, or hold
- Who speaks to media if the incident attracts press attention
Run a tabletop exercise once a year. Sit the relevant people in a room, present a hypothetical scenario, and work through the protocol. You will find the gaps quickly, and finding them in a meeting room is considerably less painful than finding them during an actual incident.
Legal and Compliance Considerations That Actually Apply
This section varies significantly by industry and geography, but there are a few areas that apply broadly enough to be worth addressing in any policy.
Copyright and intellectual property are the most common source of inadvertent violations. Using images found via Google search, sharing music in video content, reposting third-party content without permission: these are all potential infringements, and the fact that they are common does not make them safe. The policy should be explicit about what sources of imagery and media are approved for use and what the process is for obtaining permission when something falls outside those sources.
Advertising disclosure is increasingly regulated across markets. Paid partnerships, sponsored content, and affiliate relationships all require disclosure in most jurisdictions, and the standards for what counts as adequate disclosure have tightened. If your business uses influencers or brand ambassadors, the policy should cover their obligations as well as your own. Social media advertising guidelines from platforms themselves are a useful reference point, but they do not replace legal advice for your specific situation.
Data privacy is another area where social media intersects with legal obligation. Running competitions that collect personal data, using social media for customer service in ways that involve account details, targeting practices in paid social: all of these have privacy implications that the policy should at minimum flag and direct employees toward the appropriate internal resources.
If you operate in a regulated industry (financial services, healthcare, legal services), the compliance requirements will be more specific and the policy needs to reflect that. General guidance is not enough in those sectors. The policy should be reviewed by someone with relevant regulatory knowledge, not just the marketing team.
How to Write a Policy People Will Actually Read
Most social media policies are written by legal or HR teams with minimal input from the people who will actually use them. The result is a document that is technically comprehensive and practically useless. It covers everything and communicates nothing, because the language is designed to protect the business from liability rather than to help employees make better decisions.
The social team needs to be involved in drafting the policy. Not to override legal or compliance requirements, but to ensure the document reflects how social media actually works in practice. Someone who has never managed a brand account in real time will write a policy that does not account for the speed and ambiguity of real decisions.
Format matters. A policy that is forty pages of dense text will not be read. A policy that is structured with clear sections, decision trees for common scenarios, and a one-page summary of the most critical points has a much better chance of being used. A well-structured social media strategy and a well-structured policy have something in common: they are both only valuable if people engage with them.
Consider a quick-reference card for the social team that covers the most common decisions: what requires approval, who to contact in an emergency, what is never acceptable to post. This does not replace the full policy, but it makes the most operationally relevant parts immediately accessible.
Keeping the Policy Current
A social media policy written in 2020 is not a social media policy in 2025. Platforms change their rules, new platforms emerge, team structures evolve, and the legal landscape shifts. A policy without a review cadence becomes a liability rather than a protection, because it may reference processes or platforms that no longer exist, or miss requirements that have since come into effect.
Build a review schedule into the policy itself. Annual reviews as a minimum, with a trigger for ad hoc review when there is a significant platform change, a regulatory update, or an incident that reveals a gap in the current document. Assign ownership. Someone specific should be responsible for initiating each review, not the organisation in the abstract.
When the policy is updated, the update needs to be communicated, not just filed. If employees are expected to comply with a policy, they need to know when it has changed and what has changed. A version number and a change log at the front of the document is a simple way to make this visible.
Training is part of this. New employees should receive policy orientation as part of onboarding, not three months in when they have already been posting on behalf of the brand. Existing employees should be reminded of key policy points at least annually, and any significant update should be accompanied by a briefing rather than just an email with a PDF attached.
The Policy as a Commercial Tool, Not Just a Risk Document
There is a tendency to frame social media policy purely in terms of risk mitigation, and risk mitigation is genuinely important. But a well-written policy also has a positive commercial function. It gives the social team confidence to act within defined parameters without constant escalation. It enables faster content production because the decisions about what is acceptable have already been made. It protects the brand consistently across channels and team members, which has brand equity value over time.
When I grew an agency from around 20 people to over 100, one of the things that had to scale was operational clarity. Individual judgment works when a team is small and everyone is in the same room. It does not scale. Policies, workflows, and documented standards are what allow a larger team to operate consistently without every decision going to the top. Social media policy is part of that infrastructure.
The brands that handle social media well over the long term are not the ones with the most creative teams or the biggest budgets. They are the ones where the operational foundations are solid enough that the creative work can actually land. Policy is part of that foundation. It is not glamorous, but neither is most of what makes a business run properly.
Resources like a more integrated approach to social media marketing and social media strategy for smaller businesses can help you think about the broader context your policy needs to fit within. Policy does not exist in isolation from strategy. The two need to be coherent with each other.
About the Author
Keith Lacy is a marketing strategist and former agency CEO with 20+ years of experience across agency leadership, performance marketing, and commercial strategy. He writes The Marketing Juice to cut through the noise and share what works.
