CHAPTER 8
A SOLID SOCIAL MEDIA POLICY

One of the most popular comic strips of the past 20 years has been Scott Adams’s Dilbert. A merciless skewering of corporate culture, Dilbert pokes fun at the mundane, contradictory, and maddening aspects of office life in America today. Just about everyone who works in the office of an organization employing more than 20 people has a favorite Dilbert strip clipped from the newspaper and pinned on the cube wall.

Few subjects are as Dilbert-worthy as policies. (In fact, one of my very favorite Dilbert strips refers to the need to develop a procedure for creating policies, which generates a question about the policy on creating procedures, resulting in the entire team’s looking for a white paper on policies for developing procedures for creating policies.¹ Still makes me laugh every time I look at it.) Nothing quite seems to scream bureaucracy like policies and procedures—and nothing would seem to be more antithetical to the uncontrolled world of social media.

But there may be no more important element of your digital and social program than developing and regularly communicating a social media policy. Ideally, your social media policy should contain some elements of familiarity with FTC guidelines, as well as with social media or digital community etiquette, and elements of corporate or organizational policy that make it consistent with other business guidelines and policies. Without a social media policy, legal and HR may never be comfortable with having any of your employees interacting on the social Web. Your employees may never feel comfortable enough to actually go out and engage on your behalf. And social media really can be the risk many perceive it to be for your organization.

The primary reason for establishing a social media policy is protection. You’re building in precautions for the organization, protection for employees, and clear rules or parameters for all involved. From an organizational standpoint, you’re putting rules in place and communicating them clearly to your employees. It’s no different from providing your employees with a set of rules and expectations around things like expense reporting, business ethics guidelines, and new internal IT tools. Given the speed and reach of social networks, don’t you think that a more formal, more coordinated approach makes even more sense in this realm? In the era of social media, not having a formal and established social media policy is as foolish as not having business guidelines on ethics and conduct.

A solid social media policy also helps to indemnify the organization against charges of inconsistent handling of social media issues or unfair reactions to employees’ social media activity. Having a policy in place as early as possible not only establishes the expectations of the organization but also can help to justify any action necessary against an employee should a violation occur.

Let’s say your policy specifically states that employees are allowed to be critical of “the company” but not of individual company officials out of respect for individuals in general. If an employee writes a blog post or sends out a tweet blasting the CEO, your HR team can point back to the policy and indicate that the employee knew that such a post violated company policy. Without a social media policy in place, the lines become much grayer. Was that employee just exercising her right to free speech? Did the company give its employees fair warning that such criticism would be considered outside the fair or expected bounds of employee conduct? Without a social media policy in place, your case for whatever action you might wish to take becomes at least a little more difficult.

Once your organization has decided what you’re going to allow from employees in the social Web, put it in writing and clearly communicate it to your employees (we’ll talk in the next chapter about how to most effectively do that).

To employees, the policy should be seen as not a tool of the organization but as similar protection against overzealous or inconsistent evaluations of or judgments about social Web activity. An established written policy should be a bulwark against those in management who “don’t get” social media. Every employee has the right to expect that his employer will make the rules and expectations clear. Without a clearly communicated social media policy, an employer could potentially discipline or even terminate an employee over his social media activity, even if the employee has done nothing that strays from accepted norms or etiquette within those networks, or that was considered unacceptable at a previous employer.

Additionally, by spelling out what constitutes unacceptable behavior, an employer is in many ways protecting an employee’s right to be active in social networks within those parameters. In other words, anything that’s not prohibited or frowned upon by that policy is something you’re allowed to do without fear of reprisal or harm to your career. Especially in a space evolving as rapidly as the social media environment, it’s sometimes hard to have a feel for what’s acceptable and what’s not. Dell’s Richard Binhammer puts it this way: “Our policy protects our employees so that they don’t get themselves in trouble over an innocent misstep.”²

If clear boundaries are set and you stay in bounds, there should be no penalty flags thrown at you. A social media policy shouldn’t be seen as a list of things you can’t do; rather, it’s a guidepost for what you can do in social media as an employee.

Get the Right Players on the Field

The first step in developing a solid social media policy that protects the interests of both the organization and its employees is to identify all the parts of the organization with skin in the social media game—especially the stewards of company policy—and get them in the figurative room together. Human resources is a critical partner, as is the legal department, from an employee rights and company policy standpoint. You’re going to want your IT department involved as well, especially if you’re building or incorporating any internal social-sharing platforms—such as an employee blog or blogging platform or an internal microblogging platform like a Socialcast or a Yammer—or allowing employees to access social networking sites from work.

You should also involve the departments that are involved in social media as part of their job responsibilities. While HR, legal, and IT are needed from a policy and support perspective, communications/PR, marketing, and customer service will bring working knowledge of social media to the table. Finding the right balance between institutional understanding of social media and the folks who regularly develop and maintain policies for your organization will be critical if the policy is to be accepted and embraced by the organization, standing up under scrutiny rather than being opposed or rescinded by either camp.

Remember, it’s not always the suits or the leadership who have the best understanding of social media in the organization—or the best grasp of what the culture can handle, for that matter. As Mike Wing, IBM’s VP of strategic and executive communications, wisely puts it, “Understanding what the organization is ready for is not always achieved by asking executives what the organization is ready for.”³ Of the two dozen or so people who contributed to the original IBM blogging guidelines (which have since been updated several times), more than three-fourths were not executives or functional leaders. We were just IBM employees who happened to be involved in blogging on our own and thus knew something about the space. We weren’t in it for money or business at the time. We all blogged because we enjoyed blogging and talking with the communities we’d developed. The guidelines that we helped create together still stand, more than six years later, as some of the industry’s best and most frequently cited. The credit for this goes not only to the people who chose to get involved and worked on these guidelines but also to IBM leadership for being willing to hand over creative control to what Mike Wing calls “a handful of people who were doing it for love.”⁴

That’s not to say that turning the creation of the social media policy over to employees is going to work at every company. But it goes without saying that at least some employees are already active in social media, whether sanctioned or not—and that some of them might have knowledge or perspective that could inform an organization’s policy-making efforts. If you’re aware of employees at your company who have particularly well-read or well-respected blogs or followings online, you should consider including them in the policy-development process as well. Not only will your policy be potentially better informed, but also you could end up elevating a hidden gem of an employee who was just waiting for a chance to shine.

Bring Everyone Up to Speed

You can’t draft a strong, winning policy when starting from zero. So the first step after assembling your policy team is to give them a crash course on social media. Your flash education course should include basic rules of social media etiquette, the expectations of the various audiences, famous “fails” from other organizations, and policies from other organizations that are publicly available and have perhaps won some acclaim as being strong or sensible or progressive. True, what works for a tech company may not work for a pharmaceutical company, and what works for an automaker may not work for a government agency or a nonprofit. But if you study enough of the policies that have won acclaim or are often cited as examples within the social media space, you’re going to find some common threads that you should probably incorporate into your policy in some fashion, even if you have to adjust or tweak them to fit your culture or industry.

The legal team might be able to offer some additional perspective by reviewing recent cases involving social media, especially when large organizations are involved. Instances when other organizations are considered to have failed can provide “teachable moments” for your organization—not just so that you can avoid making the same perceived mistakes, but also so you can anticipate audience reactions to elements you might choose to include in your policy anyway.

Posts and interactions on blogs devoted to your industry can provide some guidance as to what online audiences expect in the way of discussion and candor from an organization in your business. Starting personal Twitter accounts and following prominent social media influencers, your competitors, or journalists who cover your organization can provide some insight as to the kinds of discussions you can expect to have on that platform and others. Almost everyone on your organization’s policy team is going to have some education to contribute to this preparatory period, and everyone involved should devote themselves to soaking in as many of these perspectives, histories, and case studies as possible. The more broadly educated your policy team is before embarking on the actual drafting of your policy, the stronger the end result is going to be.

Find Middle Ground

Once everyone involved has gotten up to speed on as much of the social media world as possible, it’s time to begin drafting the actual policy. There are a few things all parties need to bear in mind before getting to the actual content of the policy.

You want your social media policy to be in the informal, non-corporatespeak language that permeates the social media world. Nothing will make you look more bureaucratic, old school, and as if you just “don’t get it” than a social media policy written in lawyerspeak and seeming as if it were designed as light reading for an HR managers’ convention. But keep in mind that you’re drafting an official corporate or organizational policy at this point, not a jaunty e-mail to a friend or the rules for a private Facebook group. For a while, it was in vogue for companies to have short, pithy social media policies seemingly designed to show how cool or “social media savvy” their organization was; one of the most famous “policies” during the nascent era of social media was the four-word admonition once given to Sun employees: “Don’t do anything stupid.”⁵

While it might earn style points for trusting the common sense of employees, a casual statement like that will not cut it anymore. Your policy may someday need to stand up in a courtroom or with a judge mediating a dispute between the organization and an employee. Do you want to go to court armed with “Don’t do anything stupid,” or “Don’t do anything that you’d be afraid to have your boss find out”? No, you have to make your policy a bit more explicit, a bit more comprehensive, and more in line with other organizational policies. It might seem antithetical to social media, but it’s the reality.

That said, your policy needs to be concise. Four words is too short and pithy, yes. But make it a veritable War and Peace of policies, and none of your employees are actually going to read it. They’ll skim over it long enough to be able to click a little button on the intranet or sign a piece of paper affirming that they read it, but they won’t really bother to take it all in. And that won’t be their fault. Your company’s employees are very busy and have a lot of demands on their time, and they’re not going to take much time out of their day or let something else drop in order to read a policy. As you start drafting your policy, aim for something that can be read in a just a few minutes—something that spells out everything the company needs to yet stays basic enough to not be a chore to read. Think in terms of putting it in a page or two—or, if it must be longer, at least drafting a one-page Cliffs Notes version that distills the policy into something employees can peruse and digest quickly.

Finally, you must accept before you start that no one on your policy team is going to be 100 percent happy with your policy when it is completed. This is normal. The social media experts among the group (probably PR, marketing, or CRM folks) are likely going to believe that the policy is far too restrictive, is out of character with the spirit of social media, and doesn’t give employees enough freedom to truly impact external perspectives of your brand or organization. The organizational support teams (probably HR and legal, mostly) are likely going to be uncomfortable, feeling that the policy is too liberal and grants employees permissions that expose the organization to risk. Each “side,” as it were, is going to look at the end result and find things it wishes would be changed. This isn’t because your organization is particularly dysfunctional (though it might be tempting to believe that anyway!) but is because the nature of social media and organizations pretty much invites this conflict. It is not unexpected and doesn’t represent a failure.

This was one of the hardest lessons I had to learn when General Motors updated its social media policy during most of 2010, a process spearheaded by Mary Henige in corporate communications. When I first read the final policy that was approved after months of discussion, I was dismayed and thought it was far too strict—but I quickly realized that the policy represented a compromise and a lot of willingness to meet in the middle by all sides. A policy as indulgent as what I as a social media person would have liked would never have met approval from the rest of the organization. This is one of the realities of working with a large organization and is something that a social media leader has to accept and understand when taking on the role of leading the social media program at such an organization.

Since it’s understood going in that no one is going to be completely happy with the final policy that results, all parties must accept that perfect can never be the enemy of good when it comes to social media policies. It’s better to have something in place and adjust or amend it as necessary than to delay the implementation and release of a good policy because the team is waiting until everyone involved thinks the policy is fantastic and is comfortable with every aspect of it. If you do that, your organization will never have a social media policy.

Now, the “Easy” Part: Writing the Policy

Finally, you’re ready to draft the policy. Start by asking the toughest legal- and HR-related questions. Here are some examples:

1. Which actions or statements by an employee within a social network or on a blog would constitute a fireable offense? This may include the following:

• Revealing company confidential or legal information. This should be self-evident; the Internet is no place for talking about upcoming product releases or updates. It’s not just a question of inadvertently tipping a product launch; such slips or leaks could in an extreme circumstance end up even affecting stock price if the product or news is significant enough. Other information leaked or posted online could impact pending litigation or expose the company to legal liability. Start with specifically prescribing into the policy the kinds of disclosures that will constitute a fireable offense. You should also probably prepare some sort of review process to build into the details of your policy for identifying whether a leak was inadvertent versus being a case of carelessness or deliberate intent.

• Libeling a competitor or an individual. Any criticism or trash-talking of either a competitor or an individual in a social community would be bad form anyway. But when the smack talk crosses the line into untrue assertions or libel, that’s something your organization can be held legally responsible for—so you have to make clear that not only will an employee face legal repercussions for libeling someone but she’ll also lose her job.

• Promoting hate speech. This is a no-brainer but should be spelled out anyway. There is a fine line between freedom of expression and promoting hatred of or danger to others. That’s a debate for a different book perhaps, but when an employee engages in such talk, it reflects on your organization and can cause you all kinds of headaches. Work with your HR department to develop the right language around what kinds of expression your organization prohibits, and make sure it’s clearly part of your policy.

• Financially compensating an external blogger for positive discussion of the organization or its products. This problem tends to arise not in initial phases of social media programs but in organizations where social initiatives are decentralized or informal—as social media begins to gain traction and employees or departments occasionally develop programs or efforts on their own. While advertising with bloggers or on their sites is a perfectly valid model, crossing the line into the editorial side—where compensation is exchanged for positive writing—puts your organization in an ethically compromised position the ramifications of which can last and hurt your reputation well into the future. If your organization is of the mind-set that you’re going to keep advertising and editorial as separate in the social media as you do with traditional media, you’ve got to spell out in your policy and make clear to all your employees that you don’t pay in exchange for content or positive mentions.

2. What actions would not get an employee fired but would initiate disciplinary action? For example:

• Overtly and publicly criticizing a competitor. Even when commentary doesn’t become libelous, it is still bad form and reflects poorly on your brand to have your employees bashing or overtly criticizing your competition. It’s unbecoming, and it makes your organization look insecure and defensive. (Not to mention it invites potential retaliation from the competitor who’s been bashed, and a social media spitting match involving your brand is a distraction with no benefit to you.) Make sure your employees know it’s not acceptable to aggressively pick fights with a competitor.

• Unauthorized use of company time or computers to access social networks. This is a little touchy, because you are after all in at least some sense encouraging employees to engage in social networks. But not everyone in the company is going to be empowered to engage in social media from work—and every company will have varying opinions about what level of social activity is “acceptable” from employees not working directly in social media. Whatever your organization’s perspective is about accessing social networks from work, make sure you’ve made it clear in your policy.

• Allowing social media interaction to interfere with job duties. Related to the previous item, while you do want your employees engaging in social networks, you don’t want them doing so at the expense of their “day jobs.” Remind your employees of the need to be responsible with their use of these networks—and that permission to engage does not mean allowing other duties to slip.

• Presenting oneself as officially representing the company’s or organization’s position if not authorized to do so. This is an important element because of how quickly word or rumors can spread over the Internet. If your employee isn’t specifically empowered to officially speak on behalf of your organization, he needs to make clear that his thoughts, tweets, and writing are his own and don’t represent company policy or official statements. And you need to make clear in your policy that employees need this kind of a disclaimer.

3. Which actions by an employee might not constitute disciplinary violations of the policy but would be frowned upon? These will vary by organization and thus are harder to prescribe, but areas of concern might include:

• Politics. Cultures might have different impressions about how active or vocal employees should be in politics or political discussions, for example, and thus your policy might include language prescribing conduct or interaction on political sites or subjects.

• Customer service issues. A company might want all its customer service inquiries and issues to route through its customer service department, so its policy should instruct employees to route any customer service issues they encounter in social networks to a specific destination or group.

Each organization will have unique expectations and cultural aspects that determine the conduct it will accept from its employees in social networks. Whatever your organization’s specific rules, just be sure that they are included in the policy. You can’t ask people to adhere to guidelines or rules they’ve never been apprised of.

Start the process by identifying the most egregious and obvious transgressions that you want to protect the organization against and have them defined and ready to be incorporated into the policy once you start crafting it. It’s not always good to start developing a policy based on what people can’t do as opposed to what they can—but because social media is such an emergent space and the list of what’s possible seems to grow every day, in this instance, you’re probably best off starting from what you’re absolutely not going to allow.

Next, look at the legal aspects specific to social media and identify how you’re going to build adherence with those elements into your policy. How will you ensure compliance with FTC social media guidelines—by having only those specifically empowered by the organization interact with influencers on behalf of the organization and carefully managing your “influencer” lists? By embarking on a training program to make as many employees as possible familiar with the FTC’s expectations? Since the FTC will be watching your program, you need to determine how you’re making sure it won’t see anything it doesn’t like.

Also, depending on your industry, you may have specific legal or regulatory requirements within the customer service sphere that will need to be incorporated into your policy. For example, General Motors is obviously in the automotive business. Automakers are bound in the United States by the Transportation Recall Enhancement, Accountability, and Documentation (TREAD) Act—which among other things requires manufacturers to report to the National Highway Traffic Safety Administration (NHTSA) information related to defects in their products or reports of injuries or death related to their products.⁶ TREAD compliance is obviously very important to GM and all automakers in the United States, so when we started expanding into the social media world, we had a lot of discussion as to what our TREAD responsibilities were within the social Web.

We addressed the issue by making TREAD awareness part of the social media education module that all employees receive, building deeper explanations of GM’s TREAD responsibilities into the training for employees who might be expected to engage in social media as part of their job responsibilities, and instructed all employees to direct anyone they observed raising an issue about one of our vehicles straight to GM customer service—either within social networks, by e-mail, or by phone. GM customer service representatives are specifically trained in TREAD compliance as part of their jobs, and we wanted to ensure that customer service and TREAD reporting was handled by the expert team members who knew how to process such reports.

Your organization may or may not be bound by regulatory requirements like this, depending on your industry or business. Or, you may have specific customer service procedures that it is your policy to follow whenever you become aware of an issue. Whatever those requirements or procedures are, you’re going to want to have them explicitly and especially built into your social media policy in order to make sure they’re followed by any of your employees who become active in the social Web.

Of course, the social media policy should remain consistent with your organization’s other conduct and ethics guidelines. The next step in putting together your social policy is to review the larger conduct policy and incorporate any elements that might have ramifications in the online world.

First Things First: Policy Before Etiquette

One of the biggest mistakes I think I made at General Motors was that the first policy I drew up upon arriving in 2007—besides being largely a solo project that I brought to the rest of the organization after having written it—was more focused on social media etiquette issues than on being a solid and lasting “policy.” I was trying to write the next corporate social policy that the social media world would love, respect, and cite often—and I didn’t draw up an actual policy that would work for my organization so much as a social media etiquette guide, full of reminders about the importance of transparency and stating that as a representative of GM, employees should always take the high road in Internet discussions no matter how much they might be goaded or how anyone else was behaving and emphasizing the need to make valuable contributions to conversations rather than simply pushing GM messaging or products. Can you imagine that kind of a document holding up in court if an employee had ever been terminated due to conduct in social networks?

The rules of “social media society” are important to those in your organization who will interact regularly on the social Web, but you can cover many of these in your training programs. Policy planning is the time to discuss the things that the organization will consider violations so egregious that they could warrant punitive action.

What to Include

Among the elements common to many organizations’ social media policies are these:

• A statement that employees are expected to follow company ethics guidelines

• A reminder that all employees will be held individually responsible for their posts and actions in the social Web and that if they violate the law online, they and not the organization are accountable

• That employees should not represent that they are officially speaking on the company’s or organization’s behalf and should make clear that their thoughts are their own

• That employees should strive for transparency in interaction and are thus expected to divulge their employment with the organization when discussing it

• A statement that employees should respect all copyright and fair-use laws

• That employees are not to divulge information that is proprietary or confidential to the organization, including and especially financial information

• A reminder that because they are employees of the organization, their conduct reflects on the organization—so disrespectful conduct like ethnic slurs, insults, or hate speech will not be tolerated

• A privacy reminder that the Internet is forever and that whatever gets posted is usually searchable and findable by someone, so employees should exercise discretion in what they post

What to Put in a Usage Guide Instead of the Policy

Only after you’ve addressed prohibitions and legal or regulatory compliance as well as ensured consistency with your other conduct policies should you turn to matters of “social media etiquette.” “Do unto others” might be a great philosophy to live by, but it’s kind of tough to write that into law. In the same sense, it’s good to share with your employees the things that will go over well in the social Web and help your organization avoid criticism or turning off social audiences—but many of these items have no legal ramifications at all and don’t belong in a legal policy. Instead, consider putting them into a usage guide or some sort of “tips and tricks” document ancillary to the official policy. This guide should contain some of the “unwritten” rules of the social world, adherence to which will make entry or ongoing participation a lot less daunting for employees—and may save your organization some headaches along the way. Among these rules might be the following:

• Acknowledge any mistakes you realize you’ve made, and correct them before anyone calls you out for it. Don’t hope a mistake escapes notice and simply push it off the front page with further updates before anyone sees it. Admit it and fix it.

• Don’t delete any posts or factual errors, under almost any circumstance. Deleting a post that you find after the fact to be embarrassing or controversial only highlights its nature and makes you look far less trustworthy or transparent. If the post or comment has offended, issue an apology and admit to having learned a lesson. If it has generated controversy, acknowledge the controversy even if you opt not to make additional comments on it. Only in circumstances in which proprietary or confidential information has inadvertently been revealed would deleting the post be understandable—and even then you should acknowledge that you’ve removed a post and why. (A word of warning: even if you’ve deleted something, people can usually still access it through caching or sites like Waybackmachine.org; deleting a post rarely makes it wholly inaccessible.)

• Be respectful of others even when respect isn’t being shown to you. People will get unruly and occasionally insulting or downright vicious online—especially if they’ve got the chance to engage with you anonymously. It’s an unfortunate side effect of the Internet. But as a brand representative, you can never win if you allow yourself to get dragged into a spitting match or if you start treating people disrespectfully. When you do, you reflect poorly on your brand and turn the other party into the victim of an arrogant big company. No matter how challenging someone gets, you have to take the high road as a brand representative.

• Link back often to others’ posts. Show a little “link love” when someone makes you think or writes something you want to share, especially if it’s good about your brand. The currency of social networks is connections and sharing. You will be more relevant and trusted the more often you share what others are saying rather than just saying what you have to say.

A usage guide makes a great addendum or corollary to your official policy and will in many cases make your employees feel more comfortable plunging into the social Web than a formal policy. Just be sure to understand what kind of counsel is appropriate to each, and then assign it accordingly.

Prepare—Then Share

Your policy’s been written, pored over, and reviewed a dozen times by everyone involved in its drafting. So you’re done, right?

Not yet. First, go back and rewrite as much of the corporate-speak and bureaucratic language as possible into plain, everyday English. That’s not an easy task, because you need to preserve the intent and meaning of the policy. But social media is a casual platform used by real people, and to the extent possible, the concepts and prescriptions in your policy should be written in the informal way that people talk. This doesn’t mean that we go back to “Don’t do anything stupid”; the goal is just that we don’t sound like a bunch of lawyers.

Once this is done, run the policy past your executive champion to get the imprimatur of one of the senior leaders of the organization. Next, run it by anyone else who needs to approve it before it becomes organizational law.

Finally, when the organization has signed off on the policy, share your policy externally. Put it on your corporate website; link to it from the organizational Facebook page; share it on the company blog.

You do this for three reasons. First, you want to take in and listen to as much feedback as you can, from your employees, customers, investors, and donors. If there’s something too strict, too lenient, or too vague, you’ll hear about it. Second, this keeps with the expectation of transparency in social media. You want to let the world know you have a policy and what it can expect from your people when interacting with your company. Third, if your policy is really solid and well thought-out, publishing it gives the social media influencer class the opportunity to see it and talk about it, potentially. (This happens a little less often now than it did when organizations were first getting into the social Web, but policies do still occasionally provide fodder for blog posts.) If you’re just getting into the social Web, a smart policy can help to announce your presence or arrival.

Your other step is to communicate the policy clearly and effectively to your employees, either by itself or as part of a broader social media education or training effort. Having a solid social media policy is only half the battle. You also have to make sure everybody in the organization knows about it and has the opportunity to learn about engaging in the social Web. Your internal education initiative can be the make-or-break element of your social media program. Get it right, and you kick-start creative thinking and help to create some emerging leaders from your organization. Get it wrong, and you’ve hamstrung your own efforts and perhaps choked the life from your fledgling program before it has the chance to take off.

In the next chapter, we’ll talk about building an effective program to educate your employees on not only your policy but also social media engagement as a whole.