What to Include in a Social Media Policy for Small Business
Most small business social media policies fall into one of two categories. The first is the policy that does not exist, i.e., the business that has no written standards for employee social media use and is essentially hoping nothing goes wrong. The second is the policy that overreaches, i.e., a list of prohibitions so broad that it accidentally restricts activity employees have a legal right to engage in.
Both are problems. The first (not having one) leaves you exposed when an employee posts something that damages your business and you have no documented standard to point to. The second (overreaching) leaves you exposed to NLRA unfair labor practice charges when you try to enforce a policy that was illegal to begin with.
Writing a social media policy that is both legal and protects you means understanding where your legitimate business interests end and where your employees' legal rights begin. That line is more specific than most people realize, and getting it right is the whole job. Here is what your policy needs to cover. By the way, if you would rather skip writing a Social Media Policy on your own, we have one ready to go and fully customizable that you can find here.
Start With the Purpose (and Be Honest About It)
Your policy should open with a plain-language statement of why it exists. Not legal boilerplate, but an honest explanation of what the business is trying to accomplish. Something like: “this policy exists to protect confidential business information, maintain professional standards in how the company is represented publicly, and give employees clear guidance on what is and is not appropriate when their social media activity intersects with their employment.”
That language matters because it sets the right scope from the start. You are not trying to control what employees do with their personal lives. You are protecting specific, legitimate business interests. So write it that way. The policy that flows from that purpose will be narrower, more enforceable, and less likely to create legal problems than the policy written by someone who is trying to prevent employees from saying anything negative about the company anywhere.
Define the Scope: What This Policy Actually Covers
Be specific about what social media activity this policy applies to. At minimum it should cover any social media use that involves the company: its name, its clients, its products, its employees, or its confidential information, regardless of whether that use happens on company time or personal time. It should also cover authorized company accounts and anyone who posts on behalf of the business in an official capacity. Those folks have a different set of obligations than an employee posting on their personal account.
What the policy should not do is purport to govern every personal post an employee makes on their own time, on their own device, with no connection to the company. That scope is both unenforceable and legally risky. Employees have lives outside of work, and a policy that implies you are monitoring and judging all of it creates problems you do not want (and honestly, probably didn’t intend).
The NLRA Carve-Out: The Most Important Thing in the Policy
This is where most social media policies go wrong, and the consequences can be significant. The National Labor Relations Act gives employees, almost all private sector employees, union or not, small business or large, the right to engage in concerted activity. That includes discussing wages, working conditions, management decisions, workplace policies, and other terms of employment with coworkers, publicly, including on social media.
An employee who posts on Facebook complaining that your scheduling practices are unfair, or who tweets that the pay is below market, or who discusses a management decision with coworkers in a group chat, that employee is likely engaging in protected concerted activity. You cannot prohibit it. You cannot discipline them for it. They have a legal right to it. A policy that says "employees may not make negative comments about the company, its management, or its business practices" is almost certainly illegal under the NLRA, and the NLRB has pursued employers for exactly this language.
Your policy must explicitly carve out NLRA-protected activity. Not in a footnote. Put it in a prominent, clearly written statement that says something like: "Nothing in this policy prohibits employees from discussing wages, hours, working conditions, or other terms of employment with coworkers or others, as protected by the National Labor Relations Act."
That carve-out does not mean employees can say anything they want. It means the specific category of workplace discussion protected by federal law is off-limits for your policy to restrict. Everything outside that category, like confidential information, false statements of fact, harassment, unauthorized company representation, etc., is still fair game to address.
What You Can Legitimately Prohibit
Once you have established what the policy cannot touch, here is what it legitimately can address:
Confidential and proprietary information: Employees may not disclose trade secrets, client lists, pricing, financial data, personnel information, or other confidential business information on social media. Define what counts as confidential. Do not just say "confidential information" and leave it vague. The more specific you are, the more enforceable the prohibition.
False statements of fact: Employees may not make knowingly false factual statements about the company, its products, its clients, or their colleagues that could damage the business or those individuals. Note the specificity here: false statements of fact, not negative opinions. An employee who says "management here is disorganized" is expressing an opinion. An employee who falsely claims the company is under criminal investigation is making a false statement of fact. Those are two different things, and the distinction matters.
Harassment and discriminatory content: Employees may not post content that harasses, demeans, or targets colleagues based on protected characteristics, like race, religion, sex, sexual orientation, disability, national origin, or any other class protected under applicable law. Conduct that would violate your harassment policy in the workplace does not become acceptable just because it happens on social media.
Unauthorized company representation: Only designated employees may post on behalf of the company or represent that they are speaking for the company. An employee who tweets "speaking as a [Company Name] representative, we believe..." without authorization is creating a real problem. The policy should make clear who is authorized to speak for the business publicly, and require everyone else to clarify when they are speaking personally rather than on behalf of the company.
Personal use on company time: If you have standards for personal social media use during work hours, state them here. This applies to the workday and work equipment, and it connects to your general conduct standards rather than trying to reach into employees' off-hours activity.
Authorized Company Account Standards
If any employees manage company social media accounts (posting on the business Instagram, responding to reviews, running the LinkedIn page, etc.), they need specific guidance that goes beyond the general policy. This section should cover what kinds of content are appropriate for each platform, who approves content before it is posted, how to respond to negative comments or complaints publicly, what to do when a sensitive situation arises on a company account, and what happens to account access when an employee leaves the role or the company.
That last point is practical but important. Company social media accounts and login credentials should never be tied to a single employee's personal email or device. When that employee leaves, you want immediate, clean access to those accounts without negotiation.
Personal Accounts and the Employer Connection
This is the gray area most policies handle poorly. An employee who lists their employer on their personal LinkedIn or Instagram bio has created a visible connection between their personal activity and your business. That does not mean you own their personal account or that everything they post is your business. It does mean there is a legitimate interest in how they represent themselves in spaces where the employer connection is visible.
This can get tricky, but here is a reasonable approach: remind employees that when their personal accounts identify their employer, their personal posts can reflect on the business. Encourage them to include a disclosure like "opinions are my own" when posting personal views in those spaces. This is a best practice guideline, not a prohibition, and framing it that way is both more honest and more legally sound than trying to regulate what employees post personally.
Do not include language suggesting employees must get approval before posting personal opinions, or that personal posts that "reflect negatively on the company" are grounds for discipline without any further definition. That language will not survive NLRA scrutiny and it will not do anything useful for you operationally.
Reporting and Consequences
The policy should tell employees what to do if they see a social media post , whether by a colleague, a client, or a third party, that appears to violate the policy or create a problem for the business. Give them a specific person to contact and confirm that reports made in good faith will not result in retaliation.
For consequences, state clearly that violations of this policy may result in disciplinary action, up to and including termination, depending on the nature and severity of the violation. Connect this to your progressive discipline policy rather than creating a separate consequence structure. Consistency across your policies and within your employee handbook is extremely important.
One thing to be careful about here: the natural impulse when an employee posts something you find objectionable is to terminate immediately. Before you do that, work through the NLRA question. If there is any reasonable argument that the post was protected concerted activity, you need HR or legal counsel review before you act. A termination for protected activity is an unfair labor practice with its own separate damages exposure. That’s not a road you want to go down.
The Acknowledgment
Like every policy that touches employee conduct, this one should be signed. Every employee should acknowledge that they received the policy, read it, and understand it. Keep that acknowledgment in their personnel file.
For employees who manage company social media accounts, consider a separate, more detailed acknowledgment that covers the specific responsibilities and access protocols for those accounts.
One Final Thing: Review It Regularly
Social media platforms change. The legal landscape around employee speech and the NLRA evolves. The NLRB periodically updates its guidance on what policy language is and is not acceptable. A social media policy that was legally sound in 2020 may have language that has since been called into question.
Review this policy at minimum once a year. If you hear about an NLRB decision or a significant legal development involving employee social media activity, look at whether it affects your policy. The ten minutes it takes to review is worth considerably more than the exposure of running on outdated language. If you don’t want to deal with writing one on your own, our Social Media Policy template includes NLRA-protected activity carve-out language, confidential information definitions, authorized representative guidelines, personal account standards, a reporting process, and an employee acknowledgment block, all written to protect your legitimate business interests without overreaching into protected employee rights. The policy is written in an editable Word document that also includes a PDF.
Questions about this or other HR topics? Visit pragmatichrgroup.com for more resources.
