Social Media Law Basics

A few years ago a British tabloid reported on a woman so absorbed in her phone that she strolled off the end of a pier, plunged into the harbor, and had to be fished out — still clutching the device, still, presumably, mid-scroll. It is a tidy little parable, and not only about watching where you walk. Social media has a way of pulling our attention so completely that we forget there is a whole world of consequences just past the edge of the screen.

Those consequences are legal as often as they are physical. The post that took ten seconds to write can implicate copyright law, defamation law, advertising regulation, labor law, privacy statutes, contract law, and — if you happen to be a government official or a platform the size of a small nation — the First Amendment to the United States Constitution. None of this is obvious from the friendly interface. The "share" button does not warn you that you are about to grant a worldwide license, republish someone else's defamation, or run an illegal lottery.

This article is a field guide to the law that lives underneath the feed. It is written for three readers at once: the small-business owner trying to run a giveaway without breaking the law, the lawyer who needs a quick but accurate refresher on Section 230 after the 2023 and 2024 Supreme Court terms, and the curious person who just wants to know whether they can get sued for a one-star Yelp review. We will define every term of art the first time it appears, lean on the actual statutes and cases, flag the places where the law is genuinely unsettled, and use a few invented companies — say, Acme Bakery and Nimbus Apps — to make the abstractions concrete. (Every "Acme" and "Nimbus" scenario in this piece is a hypothetical, offered to illustrate doctrine rather than to describe real events.)

By the end, you will understand the big load-bearing pillars of social media law: the immunity statute that made the modern internet possible (and that everyone now wants to reform), the constitutional rules that govern platforms and public officials, the advertising rules that govern influencers and reviews, the labor rules that protect employees who gripe online — and constrain the bosses who want to read their accounts — the question of who actually owns a company Twitter handle when its custodian quits, and the everyday doctrines (copyright, defamation, privacy, impersonation, contests) that catch ordinary users off guard. Let us start with the single most important statute most people have never heard of.

Section 230: The Twenty-Six Words That Built the Internet

If you want to understand why the internet looks the way it does — why anyone can post almost anything, instantly, to a global audience, on a service that did not write or pre-screen the content — you have to start with Section 230 of the Communications Decency Act, codified at 47 U.S.C. § 230.

The operative language is short enough to memorize: "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." 47 U.S.C. § 230(c)(1). Journalist Jeff Kosseff famously called these "the twenty-six words that created the internet," and the description is not hyperbole. Without that sentence, every platform that hosts your words — Facebook, YouTube, Reddit, Yelp, a newspaper's comment section, the review tab on Acme Bakery's listing — would face the constant risk of being sued as the "publisher" of everything its users say.

Why Congress wrote it

To appreciate Section 230 you have to understand the problem it solved. Under traditional defamation law, a "publisher" (a newspaper, a book house) is liable for the defamatory content it puts out, while a mere "distributor" (a bookstore, a newsstand) is liable only if it knew or had reason to know the content was defamatory. Early online services fell into an unhappy trap. In Cubby, Inc. v. CompuServe Inc., 776 F. Supp. 135 (S.D.N.Y. 1991), a service that did not moderate user content was treated as a mere distributor and escaped liability. But in Stratton Oakmont, Inc. v. Prodigy Services Co., 1995 WL 323710 (N.Y. Sup. Ct. 1995), a service that did try to moderate — that exercised some editorial control to keep its boards family-friendly — was treated as a "publisher" and held responsible for a defamatory user post.

The perverse lesson was: if you moderate, you become liable; if you ignore everything, you are safe. That is exactly backward from what anyone wants. Congress responded in 1996 by writing Section 230, whose twin goals are spelled out in the statute itself — to promote the continued development of the internet and to remove disincentives for "Good Samaritan" content moderation. 47 U.S.C. § 230(b). The second half of the immunity, § 230(c)(2), specifically protects services that, in good faith, restrict access to material they consider "obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable."

What Section 230 does and does not cover

In plain terms, Section 230 means a platform generally cannot be held legally responsible for what its users post, and generally cannot be sued merely for taking down (or leaving up) user content. The landmark case is Zeran v. America Online, Inc., 129 F.3d 327 (4th Cir. 1997), which read the immunity broadly to bar claims that treat a service as the publisher of third-party content — even claims based on the service's failure to remove content after notice. Courts have since distilled Zeran and its progeny into a three-element test: immunity applies where (1) the defendant is a provider or user of an interactive computer service, (2) the claim treats the defendant as the publisher or speaker, and (3) the information at issue was provided by another information content provider. See, e.g., Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009).

But the immunity is not a force field around the whole company. Several limits matter:

It does not cover the platform's own content. If a service creates or develops the unlawful content itself, it is the "information content provider" and § 230 does not apply. The Ninth Circuit drew this line in Fair Housing Council v. Roommates.com, LLC, 521 F.3d 1157 (9th Cir. 2008) (en banc), holding that a site that required users to answer discriminatory questions had helped "develop" the illegal content and lost immunity for it. The court warned, memorably, that § 230 is not "a lawless no-man's-land."
It does not cover federal criminal law or intellectual property claims. Section 230(e)(1)–(2) expressly carves out federal criminal prosecutions and "any law pertaining to intellectual property." That is why copyright and trademark claims against platforms ride on different rails (the DMCA and the Lanham Act), discussed below — and why our sibling article on Section 230 reform and platform liability for user-generated IP infringement exists at all.
It does not cover sex-trafficking claims after FOSTA. The Allow States and Victims to Fight Online Sex Trafficking Act of 2017 (FOSTA-SESTA) amended § 230(e)(5) to remove immunity for certain sex-trafficking claims — the first significant statutory rollback of the immunity since 1996.
It does not immunize a platform's own promises or product design in every case. Courts have allowed some claims to proceed where the theory does not depend on treating the service as a "publisher" of third-party speech. In Barnes v. Yahoo!, the Ninth Circuit let a promissory-estoppel claim survive because it rested on Yahoo's own promise to remove content, not on its role as publisher. Other courts have entertained certain product-design and defective-design theories on the same logic. This is a contested and rapidly evolving frontier.

The Supreme Court finally weighs in: Gonzalez and Taamneh

For more than two decades the Supreme Court never directly interpreted Section 230, leaving the lower courts to build the doctrine. That changed in 2023. In Gonzalez v. Google LLC, 598 U.S. 617 (2023), the families of terrorism victims argued that YouTube's recommendation algorithm — its choice to surface certain videos to certain users — should fall outside Section 230 because the platform was doing something more than passively hosting content. The Court took the case but ultimately ducked the Section 230 question. In a companion case decided the same day, Twitter, Inc. v. Taamneh, 598 U.S. 471 (2023), it held that the plaintiffs had failed to state a claim for aiding and abetting terrorism under the Anti-Terrorism Act, which meant the Gonzalez claim failed too and the Court did not need to decide the scope of § 230. The headline for our purposes: the algorithmic-recommendation question — does Section 230 protect a platform's ranking and recommending, not just its hosting? — remains formally open at the Supreme Court level, even as most lower courts continue to apply the immunity broadly.

The reform debate (and why it is so hard)

Section 230 is, improbably, one of the few things both major political parties dislike — for opposite reasons. One camp argues platforms remove too much lawful speech and hide behind the immunity to censor; the other argues platforms remove too little harmful content and hide behind the immunity to avoid responsibility. Proposals range from conditioning immunity on "neutral" moderation, to carving out specific harms (as FOSTA did), to repealing § 230 outright. Each proposal collides with the First Amendment and with the practical reality that, without broad immunity, services would face crushing litigation over billions of user posts. We explore the reform landscape in depth in Section 230 reform and platform liability for user-generated IP infringement. For present purposes, remember three things: Section 230 protects platforms from liability for your speech; it does not protect you from liability for your own; and it does not touch intellectual-property claims at all.

Can the Government Tell Platforms What to Moderate? Moody v. NetChoice

Here is a question that sounds academic until you realize how much money and politics ride on it: when a social media platform decides to take down a post, suspend an account, or push one video higher in the feed than another, is the platform exercising its own First Amendment rights, or is it just running a neutral pipe that the government can regulate like a phone company?

Texas and Florida both passed laws in 2021 aimed at large social media platforms, generally restricting the platforms' ability to remove or downrank certain user content (especially political speech) and imposing transparency and explanation requirements. The trade association NetChoice challenged both laws as violations of the platforms' own First Amendment rights. The cases split in the lower courts — the Eleventh Circuit largely enjoined Florida's law while the Fifth Circuit upheld Texas's — and they landed at the Supreme Court together.

In Moody v. NetChoice, LLC, 603 U.S. 707 (2024), the Court did not strike down or uphold the statutes outright. Instead — in an opinion by Justice Kagan — it vacated both lower-court decisions because the parties and lower courts had treated the laws as facial challenges without doing the hard work of analyzing the laws' full range of applications. That is the procedural holding. But the reasoning is what practitioners care about, and it is significant: the Court strongly signaled that a platform's content-moderation decisions — its curation of a feed, its choices about what to display and what to exclude — are a form of protected editorial judgment, akin to a newspaper deciding what to print or a parade organizer deciding who marches. The Court drew on the editorial-discretion line of cases, including Miami Herald Publishing Co. v. Tornillo, 418 U.S. 241 (1974), and Hurley v. Irish-American Gay, Lesbian & Bisexual Group of Boston, 515 U.S. 557 (1995), reaffirming that the government generally may not force a private speaker to carry messages it would rather not.

The practical upshot for now is a kind of doctrinal compass rather than a finished map. Moody tells us that when a platform compiles and curates third-party content into a feed, it is generally engaged in expression the First Amendment protects, which makes it hard for the government to force platforms to host speech they would rather exclude. But because the Court vacated and remanded rather than ruling on the merits of every application, the precise boundaries — especially for functions that look less like curation and more like neutral conduit (think direct messaging, or event scheduling) — remain to be worked out on remand and in future cases. If you are advising a platform, a regulator, or a heavy user of these services, treat Moody as the current north star and watch the lower courts closely. The interaction between platform free-speech rights and government regulation also touches campaign-finance and political-speech questions explored in our sibling piece on Citizens United v. FEC and the future of federal campaign finance reform.

When a Public Official Blocks You: Lindke v. Freed and the State-Action Problem

Now flip the perspective. Section 230 and Moody are about private platforms. But government officials use social media too — mayors tweet, city councils run Facebook pages, agencies post on Instagram. When a government official blocks a constituent or deletes a critical comment, can that be a First Amendment violation?

The First Amendment restrains the government, not private parties. So the threshold question is whether the official, when blocking you, was acting as the government (what lawyers call "state action") or merely as a private citizen who happens to hold office and also has a personal account. That is the precise issue the Supreme Court resolved in Lindke v. Freed, 601 U.S. 187 (2024).

James Freed, the city manager of Port Huron, Michigan, ran a Facebook page that mixed personal posts (his family, his faith) with city business (COVID-19 updates, municipal information). When a resident, Kevin Lindke, posted critical comments, Freed deleted them and blocked him. Lindke sued under 42 U.S.C. § 1983, the statute that lets people sue state actors for constitutional violations.

The Court, in a unanimous opinion by Justice Barrett, announced a clean two-part test. A public official's social media activity counts as state action only if the official (1) possessed actual authority to speak on the State's behalf on a particular matter, and (2) purported to exercise that authority when speaking on social media. Lindke, 601 U.S. at 198. Both prongs must be met. If either fails, the account is private, the First Amendment does not apply to the blocking, and the constituent has no § 1983 claim. The decision rejected the broader, more impressionistic "appearance and function" approaches some lower courts had used and replaced them with a focus on genuine governmental authority and its apparent exercise.

The decision is gloriously practical. It means a city official's purely personal account — vacation photos, opinions about the local sports team — can block anyone for any reason, because there is no governmental authority being exercised. But an account the official uses to conduct the public's business, speaking with the apparent authority of the office, becomes a kind of public forum, and viewpoint-based blocking or comment deletion may violate the First Amendment. The Court vacated and remanded the case (decided alongside a companion case, O'Connor-Ratcliff v. Garnier) for application of the new test.

The takeaways are concrete. If you are a government official: keep a clearly personal account separate from any official one; if you must mix, understand that the "official" portions can convert the whole thing into a forum; add a disclaimer that the page is personal if it truly is; and think hard before deleting comments or blocking critics on any account that does government business. If you are a citizen who got blocked: you can challenge the block only if the official was wielding governmental authority — a private politician's private account is not a public forum.

Who Owns What You Post? Terms of Service, Licenses, and Copyright

Let us come back down to earth, to the most common and most misunderstood question on social media: when you upload a photo, a video, a witty caption, who owns it?

The reassuring news first. Under United States copyright law, you generally own the copyright in original works you create — the photograph you snapped, the short film you shot, the essay you wrote — the moment you fix them in a tangible form, with no registration required. 17 U.S.C. § 102. Posting something to Instagram does not transfer your copyright to Instagram.

The catch is the license. When you click "I agree" to a platform's Terms of Service ("TOS" — the contract you almost certainly did not read), you typically grant the platform a broad, royalty-free, worldwide license to host, display, reproduce, adapt, and sublicense your content for the purpose of operating and promoting the service. You still own it; the platform just has sweeping permission to use it. That is why a platform can show your photo to your followers, generate a thumbnail, and surface it in search without owing you a dime — and, depending on the precise language, why it sometimes can do considerably more. Read the license grant in any platform's TOS the way a lawyer would: scope (what uses), duration (often surviving until you delete the content, and sometimes beyond if others have re-shared it), and sublicensing rights (can the platform let third parties use it?).

It is worth pausing on whether those terms even bind you. Courts treat online agreements as ordinary contracts, which means there must be an offer, acceptance, and reasonable notice of the terms. "Clickwrap" agreements — the ones that make you click an "I agree" box next to a conspicuous link before proceeding — are routinely enforced. "Browsewrap" terms — buried in a footer link you never had to acknowledge — are enforced far less often, because a user cannot assent to terms they had no reason to see. The leading exposition is Specht v. Netscape Communications Corp., 306 F.3d 17 (2d Cir. 2002), and the principle still governs the modern "sign-in wrap" interfaces that dominate mobile apps: enforceability turns on conspicuous notice and a clear manifestation of assent. For a business that runs its own platform, the drafting lesson is to present terms conspicuously and capture an affirmative click.

Two practical traps follow for everyone else:

Sharing is not owning. Finding a beautiful cupcake photo on Pinterest, a meme on Reddit, or a clip on TikTok does not make it yours to repost wherever you like — especially in a commercial context. Most photographs are copyrighted by whoever pressed the shutter, and "I found it online" is not a defense. If you want to reuse someone else's content beyond the platform's own re-share buttons, find the source and get permission, or rely on a genuine fair-use or licensed basis. For how the underlying rights work, see Copyright FAQs — answers to common copyright questions and our deep dive on registering web content in Copyright registration of websites and website content.
Embedding and the "server test." Courts are split on whether embedding a social media post (pulling in an image hosted on another server) can infringe the display right. The Ninth Circuit's "server test" from Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007), suggested no display infringement where the image is served from a third party. But several district courts, especially in New York, have rejected or limited that test for embedded social posts — see, for example, Goldman v. Breitbart News Network, LLC, 302 F. Supp. 3d 585 (S.D.N.Y. 2018). The safe course for a business is to license images directly rather than relying on embeds.

If your business creates substantial original content for its social channels — original photography, branded video, written guides — consider formal copyright registration. Registration is a prerequisite to filing an infringement suit, Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC, 586 U.S. 296 (2019), and timely registration unlocks statutory damages and attorney's fees under 17 U.S.C. § 412. The mechanics are covered in Copyright registration — a comprehensive guide.

User-Generated Content and the DMCA Takedown

If your business runs a platform of any size — a comment section, a review board, a community forum, a marketplace where users upload listings — you are hosting user-generated content ("UGC"), and you need to understand the Digital Millennium Copyright Act's notice-and-takedown system.

Remember that Section 230 expressly does not cover intellectual-property claims. So if a user uploads someone else's copyrighted photo to your site, § 230 will not save you from a copyright claim. What saves you instead is the DMCA "safe harbor" at 17 U.S.C. § 512. In broad strokes, a service provider that hosts user content can avoid monetary liability for user infringement if it: designates an agent to receive takedown notices (and registers that agent with the U.S. Copyright Office through its electronic registration system); responds expeditiously to remove or disable access to material when it receives a proper takedown notice; lacks actual knowledge of the infringement and does not turn a blind eye to obvious "red flags"; does not receive a financial benefit directly attributable to infringing activity it has the right and ability to control; and adopts and reasonably implements a policy to terminate repeat infringers. The Second Circuit's decision in Viacom International, Inc. v. YouTube, Inc., 676 F.3d 19 (2d Cir. 2012), is the canonical gloss on the knowledge and "red flag" requirements: generalized awareness that infringement happens on a site is not enough; the knowledge must be of specific infringing material.

The notice-and-takedown dance has two sides. A copyright owner who finds their work on your site sends a takedown notice that complies with § 512(c)(3) — identifying the work, the infringing material, and a good-faith statement under penalty of perjury. The user whose content was removed can fire back a counter-notification under § 512(g), and if the copyright owner does not sue within the statutory window, the material goes back up. Crucially, § 512(f) penalizes abuse of the system: a person who knowingly materially misrepresents that content is infringing can be liable for damages, and the Ninth Circuit held in Lenz v. Universal Music Corp., 815 F.3d 1145 (9th Cir. 2016) — the "dancing baby" case — that a copyright holder must consider fair use in good faith before sending a takedown. We walk through both sides of the process in How to file a DMCA takedown notice and respond to one.

A worked example. Suppose Nimbus Apps runs a community gallery where users post screenshots. A photographer notices their licensed image in a user's post and sends a complete DMCA notice. Nimbus, to keep its safe harbor, should remove the image promptly, notify the user, and log the complaint as a strike under its repeat-infringer policy. If the user counter-notices with a sincere fair-use or licensing argument, Nimbus passes it along, and if the photographer does not sue, the image returns. What Nimbus must not do is ignore the notice, leave the content up, and assume Section 230 covers it — because for copyright, it does not.

Defamation, Reviews, and the Limits of Online Venting

Social media is, among other things, a global megaphone for opinions about people and businesses — which means defamation law is never far away. Defamation is a false statement of fact, communicated to a third party, that harms someone's reputation. The two flavors are libel (written, which covers virtually all social media posts) and slander (spoken).

Three principles do most of the work in the social media context.

First, truth is a complete defense, and pure opinion is generally protected. Saying "Acme Bakery gave me food poisoning" is a statement of fact — defamatory if false, fine if true. Saying "Acme Bakery's croissants are the saddest pastries I've ever eaten" is opinion and protected, because it cannot be proven true or false in the way a factual claim can. The Supreme Court declined to recognize a separate wholesale exemption for anything labeled "opinion" in Milkovich v. Lorain Journal Co., 497 U.S. 1 (1990), holding that the dispositive question is whether a statement implies a provably false factual assertion. The line between fact and opinion is therefore where most review disputes live, and it is genuinely fact-specific; loose, hyperbolic, plainly subjective language on the freewheeling terrain of social media tends to read as opinion.

Second, public figures and matters of public concern carry a higher bar. A public official or public figure suing for defamation must prove "actual malice" — that the speaker knew the statement was false or acted with reckless disregard for the truth — under New York Times Co. v. Sullivan, 376 U.S. 254 (1964), and Gertz v. Robert Welch, Inc., 418 U.S. 323 (1974). A private business suing over a customer review usually faces a lower standard, but still must prove falsity and (often) fault. Many states also have anti-SLAPP statutes ("Strategic Lawsuits Against Public Participation") that let defendants quickly dismiss meritless defamation suits aimed at protected speech, sometimes with a fee award — a real deterrent to businesses tempted to sue critics.

Third, the consumer's right to review is increasingly protected by statute. Businesses sometimes tried to muzzle criticism with "non-disparagement" clauses — also called gag clauses — buried in their terms, fine-print promises that a customer would never post a negative review. The genre had a notorious moment in 2014, when a New York inn purported to fine wedding parties $500 for each negative review left by any guest. Congress shut the practice down nationally with the Consumer Review Fairness Act of 2016 ("CRFA"), 15 U.S.C. § 45b, which voids form-contract provisions that bar or penalize honest consumer reviews of a company's products, services, or conduct — and, notably, also voids provisions that try to claim copyright ownership of, or an exclusive license in, a customer's review (a clever workaround the statute anticipated). Using such a clause is treated as an unfair or deceptive practice the FTC and state attorneys general can pursue; in FTC v. Roca Labs, Inc., 345 F. Supp. 3d 1375 (M.D. Fla. 2018), a court found a weight-loss seller's gag-clause campaign against unhappy customers unlawful. Two caveats worth knowing: the CRFA does not create a private right of action (enforcement runs through the FTC and the states), and it does not reach individually negotiated contracts like employment or contractor agreements. Several states, California among them, have parallel protections that predate the federal law (see Cal. Civ. Code § 1670.8). The net effect: a customer who leaves an honest one-star review is generally exercising a protected right, and a business that retaliates with a gag clause is more likely to be the one in trouble. The mirror image — fake reviews planted by businesses — is also unlawful, as discussed in the FTC section below.

For businesses on the receiving end of genuinely false, factual attacks, the remedies are real but should be deployed carefully: a measured response, a request for correction, and — only where warranted — a demand letter or suit. Aggressive overreaction tends to trigger the "Streisand effect," in which the attempt to suppress criticism amplifies it, and an anti-SLAPP fee award can turn a face-saving lawsuit into an expensive own goal. Our guide on Writing a demand letter — the basics covers how to draft a firm-but-not-reckless demand, and Advertising FAQs — a guide for small business addresses the related rules on fake and incentivized reviews.

Anonymous Speech and the Art of Unmasking

A close cousin of defamation is the problem of the anonymous poster. Much of social media's value — and much of its venom — comes from the ability to speak without revealing your identity. The First Amendment protects anonymous speech; the Supreme Court said so squarely in McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995). But anonymity is not absolute immunity. If "GhostUser88" posts a demonstrably false, reputation-destroying factual claim about Acme Bakery, Acme may be able to find out who that is.

The mechanism is a subpoena to the platform or internet service provider seeking the poster's identifying information — but courts will not simply hand over a person's identity on demand, because doing so could chill protected speech and enable harassment of mere critics. Instead, most courts apply a balancing test before unmasking. The most influential standard comes from Dendrite International, Inc. v. Doe No. 3, 775 A.2d 756 (N.J. Super. Ct. App. Div. 2001), refined by the Delaware Supreme Court in Doe v. Cahill, 884 A.2d 451 (Del. 2005). In broad outline, a plaintiff seeking to unmask an anonymous speaker typically must: make reasonable efforts to notify the anonymous poster (often by posting on the same forum); identify the specific allegedly actionable statements; state a viable, prima facie legal claim that could survive a motion to dismiss (or, under Cahill, even produce evidence sufficient to survive summary judgment); and satisfy the court that the need for the identity outweighs the speaker's First Amendment interest in anonymity.

The practical lesson cuts both ways. For would-be plaintiffs: anonymous critics are not untouchable, but you will need a real, well-pleaded claim — a genuine false statement of fact, not just hurt feelings — and you should expect a fight before any identity is disclosed. For anonymous speakers: the shield is strongest for opinion and true statements; it is weakest when you cross into knowingly false factual accusations. The interaction of online speech, anonymity, and personal privacy also surfaces in our companion article Smile — cell phone camera privacy and the law.

Influencers and the FTC: The Law of #ad

If you have ever wondered why your favorite creator suddenly started captioning posts with "#ad," "#sponsored," or "Paid partnership," the answer is the Federal Trade Commission. The agency's core authority is Section 5 of the FTC Act, 15 U.S.C. § 45, which prohibits "unfair or deceptive acts or practices in or affecting commerce." Undisclosed paid endorsements are deceptive, the theory goes, because consumers weigh a recommendation differently when they know money or free product changed hands.

Two foundational advertising principles sit underneath all of this, and they apply to a TikTok video exactly as they apply to a Super Bowl spot. First, an advertiser must have a reasonable basis to substantiate every objective claim it makes — including claims a reasonable consumer would imply from the ad, even ones the advertiser did not intend. The FTC weighs substantiation using the long-standing Pfizer factors (the type of product and claim, the consequences of a false claim, the cost of substantiation, the consumer benefit of a truthful claim, and the amount of proof experts in the field would require). See Pfizer, Inc., 81 F.T.C. 23 (1972). Second, if a disclosure is needed to keep an ad from misleading, it must be clear and conspicuous. The same self-regulatory machinery that polices television claims polices social posts: the National Advertising Division (NAD) of the Advertising Self-Regulatory Council hears advertising disputes and applies the same standards online that it applies anywhere else. So an influencer's bold weight-loss or income claim is not just an endorsement problem; it is a substantiation problem the brand will own.

The detailed disclosure rules live in the FTC's Guides Concerning the Use of Endorsements and Testimonials in Advertising, 16 C.F.R. Part 255, which the Commission substantially updated in 2023, alongside its plain-language FAQ "The FTC's Endorsement Guides: What People Are Asking" and a chart of do's and don'ts aimed directly at influencers. The Guides are not a statute and not strictly "law" in the binding sense, but they explain how the FTC interprets Section 5 — and the FTC enforces Section 5 vigorously. The headline principles:

Material connections must be disclosed. If there is a connection between an endorser and the brand that a consumer would not expect and that might affect how much weight the consumer gives the endorsement — payment, free or discounted product, a family or employment relationship, an affiliate commission, even a chance to win a prize — it must be disclosed. 16 C.F.R. § 255.5.
Disclosures must be clear and conspicuous. Burying "#ad" at the end of a forest of hashtags, hiding it behind a "more" link, or flashing it on screen too fast to read does not cut it. The disclosure should be hard to miss and in the same medium as the endorsement (say it aloud in a video; superimpose it legibly in a Story).
Endorsements must reflect honest opinions and real experience. An endorser should not tout a product they have not used or do not actually believe in, and may not make claims the advertiser itself could not substantiate.
Brands, agencies, and platforms share responsibility. The advertiser that runs an influencer program can be liable for its influencers' deceptive posts, which is why sophisticated brands now adopt a written social media endorsement policy, require disclosure in their creator contracts, train their influencers, and monitor compliance — correcting or cutting off creators who do not follow the rules.
Fake and incentivized reviews are squarely targeted. In 2024 the FTC finalized a rule on the use of consumer reviews and testimonials (16 C.F.R. Part 465) prohibiting, among other things, the buying or selling of fake reviews and testimonials, the purchase of positive or negative reviews, and certain undisclosed insider reviews — with civil penalties available. Combined with the Consumer Review Fairness Act discussed above, the message is symmetrical: businesses may not silence honest critics, and they may not manufacture fake praise.

A worked example. Suppose Acme Bakery sends a popular local food influencer a free dozen croissants and pays her $300 to post about them. If she posts a glowing video with no disclosure, both she and Acme are exposed under Section 5. The fix is simple and cheap: a clear "Acme paid me to try these — opinions are my own" at the start of the video, plus "#ad" where viewers will actually see it. If the influencer also claims the croissants are "the healthiest pastry in town," Acme had better be able to substantiate that — the disclosure cures the conflict-of-interest problem but not the unsupported-claim problem. We treat advertising compliance comprehensively, including substantiation and the rules for email and texts, in Advertising FAQs — a guide for small business; the email-specific rules for any promotional message you send carry their own federal regime, covered in The CAN-SPAM Act — a comprehensive guide for businesses and marketers. Where an endorsement also uses a celebrity's identity, the right-of-publicity rules discussed below come into play; see Right of publicity basics.

Employees, Bosses, and the NLRA Protected-Speech Line

Now to a corner of social media law that surprises nearly every employer: an employee who blasts the company on Facebook may be exercising a federally protected right, and firing them for it can be illegal — even if the company has no union.

The statute is the National Labor Relations Act, 29 U.S.C. § 151 et seq. Section 7 of the NLRA, 29 U.S.C. § 157, protects employees' right to engage in "concerted activities for the purpose of collective bargaining or other mutual aid or protection." The phrase "or other mutual aid or protection" is the key — it reaches far beyond unions. And Section 8(a)(1), 29 U.S.C. § 158(a)(1), makes it an unfair labor practice for an employer to interfere with those rights. Critically, these protections cover most private-sector employees, union or not. (They generally do not cover public-sector employees, supervisors, managers, or independent contractors — so the first question in any case is whether both the employer and the worker are even within the NLRA's reach.)

The operative concept is "protected concerted activity." Two ideas are baked in:

Concerted. The activity must be engaged in with or on behalf of other employees, not solely for the individual. Two coworkers complaining to each other online about scheduling, one employee voicing a group grievance, or a post that seeks to induce group action is typically concerted. A lone employee airing a purely personal beef usually is not — though the Board has held that some subjects (like wages) are "inherently concerted" even when first raised by one person.
Protected. The subject must relate to wages, hours, or other terms and conditions of employment. Pay, safety, supervisors' treatment of staff, workload — protected. Pure product disparagement, threats, or maliciously false statements untethered from working conditions can lose protection.

The National Labor Relations Board has applied this directly to social media. In a well-known line of cases — including Hispanics United of Buffalo, Inc., 359 NLRB 368 (2012), and Three D, LLC (Triple Play), 361 NLRB 308 (2014), enforced, Three D, LLC v. NLRB, 629 F. App'x 33 (2d Cir. 2015) — the Board held that employees who took to Facebook to discuss and support each other over workplace grievances (including, in Triple Play, simply "liking" a coworker's critical post) were engaged in protected concerted activity, and that firing them was unlawful. The Board has also repeatedly scrutinized overbroad social media policies that would reasonably chill protected discussion of wages and working conditions.

There is nuance, and the law shifts with the Board's changing composition. The framework for whether otherwise-protected conduct loses protection because of its manner — profanity, an outburst, an offensive remark — has moved between standards over the years (the Board returned to the older, context-sensitive Atlanta Steel factors in Lion Elastomers LLC, 372 NLRB No. 83 (2023)), and the standard for judging facially neutral handbook rules has likewise evolved (most recently under Stericycle, Inc., 372 NLRB No. 113 (2023), which asks whether a reasonable employee would read a rule to chill Section 7 activity). The durable lesson for an employer is restraint and precision: before disciplining anyone for a social post, ask whether the post is a group complaint about working conditions. If it is, discipline is risky. Draft social media policies to expressly protect employees' right to discuss wages and terms of employment, and avoid blanket bans on "negative" or "disparaging" commentary about the company. For the discrimination and leave-law backdrop that often surrounds these disputes, see Age discrimination basics and Drafting a maternity leave policy — five things you should know.

A worked example. Nimbus Apps sees two customer-support employees publicly trading Facebook comments — "they keep changing our shifts with no notice and won't pay overtime." A reflexive firing would likely be an unlawful interference with protected concerted activity, because the posts are a group complaint about hours and pay. Contrast a lone employee posting "my manager is an idiot and our app is garbage" with no connection to any group concern and gratuitous product disparagement — that may fall outside the protection. The line is real but fact-bound, which is exactly why these cases reach the Board.

Can Your Boss Demand Your Password? Employer Access to Personal Accounts

A related and surprisingly common question runs the other direction: may an employer read your private social media account — by demanding your username and password, asking you to "friend" a manager, or requiring you to log in during an interview? For years some employers did exactly that as a screening tactic. State legislatures pushed back hard.

More than two dozen states now have laws restricting employer access to employees' and applicants' personal social media accounts. The details vary, but the typical statute prohibits an employer from requiring, requesting, or coercing a worker or applicant to disclose the username and password to a personal account, to add the employer to the account's contacts, or to change the account's privacy settings — and bars retaliation against those who refuse. (Arkansas's law, A.C.A. § 11-2-124, is a representative example.) These statutes generally carve out important exceptions: an employer may still view information that is genuinely public, may access accounts and devices the employer itself provides or pays for, may comply with other legal and regulatory obligations, and may investigate specific suspected misconduct or the leak of proprietary information. Several federal laws sit in the background as well, including the Stored Communications Act (18 U.S.C. §§ 2701–2712), which courts have applied to penalize employers who accessed an employee's private posts without authorization.

The practical guidance is symmetrical. Employers should never demand personal account credentials, should confine background screening to genuinely public information, and should put both rules in writing and train recruiters accordingly — the line between "looked at a public profile" and "coerced access to a private one" is exactly where liability lives, and it intersects with discrimination law too, because a recruiter who browses a candidate's profile may learn protected-class information they then cannot un-know. Employees should understand that the protections reach personal accounts, not accounts the company issued or that are used to do company business — a distinction that leads directly to our next topic.

Who Owns the Company Account? Custody, Followers, and the Exiting Employee

Picture a marketing manager at Nimbus Apps who builds the company's Twitter following from zero to 90,000, posting in a chatty first-person voice under the handle @NimbusManager. She quits, renames the account, keeps the followers, and starts promoting a competitor. Who owns those 90,000 followers — Nimbus, or the person who cultivated them?

This is one of the genuinely unsettled frontiers of social media law, and it sits at the intersection of trade-secret law, conversion, breach of contract, and restrictive covenants. Two early cases frame the problem. In PhoneDog v. Kravitz, No. C 11-03474 (N.D. Cal. 2012), an employer sued a departed employee who kept a work-related Twitter account and its followers, advancing theories including misappropriation of trade secrets and conversion; the case survived early motions and ultimately settled, leaving the ownership question tantalizingly unresolved but signaling that courts will at least entertain such claims. In Eagle v. Morgan, No. 11-4303 (E.D. Pa. 2013), an executive locked out of her own LinkedIn account when she left a company won on several claims but recovered no damages because she could not prove their amount — a cautionary tale about valuation. Courts wrestling with these disputes tend to look at practical indicia of ownership and control: who created the account, who paid for it and the tools around it, whose name and branding it carries, who controlled the password, and whether the content and contacts amount to a protectable business asset.

The lesson for businesses is that ownership should be settled before anyone leaves, not litigated after. A well-run organization decides up front which accounts are corporate assets, registers them under company control with company-held credentials, addresses account and follower ownership expressly in employment agreements and social media policies, and — where state law permits — uses carefully drafted restrictive covenants to address post-employment solicitation through social media (a returning theme, because a casual LinkedIn "I've moved to a new firm — let's connect" can edge toward a prohibited solicitation depending on its wording and the covenant's scope). These same questions echo the impersonation problems discussed below, since a renamed-but-not-returned account can shade into trading on the former employer's name and goodwill. For the brand-protection toolkit, see Brand protection online — a strategic guide for businesses and Trademark basics.

Privacy, Biometrics, and the Data Underneath the Post

Every social media interaction generates data — who you are, where you are, what you look like, who your friends are. A growing thicket of privacy law governs how that data may be collected and used, and several pieces intersect with everyday social media.

Children's privacy. The Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501–6506, and its implementing rule (16 C.F.R. Part 312) require verifiable parental consent before online services knowingly collect personal information from children under 13. Platforms and businesses marketing to kids must take COPPA seriously; the FTC has extracted nine-figure penalties for violations, and a wave of state "age-appropriate design" laws is pushing protections to teenagers as well.

Biometric data. Faces are data too. Several states regulate the collection of biometric identifiers — most prominently Illinois's Biometric Information Privacy Act ("BIPA"), 740 ILCS 14, which requires informed, written consent before collecting biometric data (like the faceprints used in photo-tagging) and, crucially, creates a private right of action with statutory damages per violation. BIPA litigation over social media photo-tagging and face-recognition tools has produced enormous settlements, and the Illinois Supreme Court's decision in Cothron v. White Castle System, Inc., 216 N.E.3d 918 (Ill. 2023), held that a separate claim can accrue each time biometric data is scanned — multiplying exposure dramatically. The Texas and Washington analogues add to the patchwork. We explore this frontier — and its collision with AI training — in Biometric data privacy laws and their impact on AI development.

Comprehensive state privacy laws. California's Consumer Privacy Act (as amended by the CPRA), and a growing roster of similar state statutes (Virginia, Colorado, Connecticut, and many others), give consumers rights to access, delete, correct, and opt out of the sale or sharing of their personal information. A business running social media advertising — which often involves "sharing" data with ad platforms through tracking pixels and custom-audience tools — may have obligations under these laws even if it never thinks of itself as a "data company."

Right of publicity. Distinct from privacy in the data sense, the right of publicity protects a person's commercial interest in their own name, image, likeness, and voice. It is a state-law creature with wide variation; California's statute (Cal. Civ. Code § 3344) is a leading example. On social media, the issue arises when a business uses a real person's photo or identity to promote a product without consent — including, increasingly, AI-generated "deepfake" likenesses, a fast-moving area we examine in The right of publicity meets digital doubles — deepfakes, AI avatars, and celebrity likeness. The basics are covered in Right of publicity basics. And the broader question of when you may photograph or record other people — the consent rules that vary state to state — is the subject of Smile — cell phone camera privacy and the law.

Impersonation, Fake Accounts, and Identity Abuse

A particularly nasty corner of social media is impersonation — fake accounts pretending to be a real person or business. The harms range from embarrassing to fraudulent: a fake "Acme Bakery" account that scams customers, a parody account that crosses into defamation, a romance-scam profile built on a stranger's stolen photos.

The legal tools are scattered. Most platforms prohibit impersonation in their terms and will remove a verified-false account on report — often the fastest remedy. Beyond that, victims may have claims for trademark infringement (if a business's name or logo is used to confuse consumers — see Trademark basics), false endorsement and false association under Lanham Act § 43(a), 15 U.S.C. § 1125(a) (for the false suggestion that a person or brand sponsors the account), right-of-publicity violation (for misuse of a person's likeness), and defamation or false light (for fabricated statements attributed to the victim). Several states have specific online-impersonation statutes, some criminal (California's Penal Code § 528.5 is a prominent example). Where the impersonation is used to defraud, computer-fraud and wire-fraud statutes may apply. Parody and satire complicate the picture: a clearly labeled parody account is often protected speech, while a deceptive look-alike account that fools reasonable readers is not — the dividing line, as always, is whether a reasonable viewer would be deceived.

If your business discovers an impersonating account, the efficient playbook is usually: (1) report it to the platform under its impersonation policy with proof of your identity and rights; (2) document everything (screenshots with timestamps, URLs, dates) in case litigation follows; and (3) escalate with a cease-and-desist or suit if the platform is slow and the harm is real. Our guides on Drafting a trademark cease-and-desist letter and Brand protection online — a strategic guide for businesses walk through the brand-defense side.

Contests, Giveaways, and the Accidental Illegal Lottery

Few things feel more harmless than a social media giveaway — "Like, follow, and tag three friends to win a free cake!" Yet promotions are a surprisingly law-heavy activity that trips up well-meaning businesses constantly.

The first rule is structural. A "lottery" — illegal for private parties to run without a license — has three elements: a prize, chance, and consideration (something of value the entrant gives up). If your promotion has all three, you may be running an unlawful lottery. The standard fix is to eliminate one element. Most promotions remove either chance (a contest judged on skill — best photo, best caption) or consideration (a sweepstakes with a free method of entry, the familiar "no purchase necessary"). Get the structure right and the rest is execution. One subtle point: whether requiring a "like," a follow, or a tag counts as legal "consideration" is itself unsettled and varies by state, so prudent sponsors build in a free alternate method of entry rather than betting on the answer.

The second rule is disclosure and rules. Almost every promotion needs official rules covering eligibility, start and end dates, how to enter, how winners are chosen, prize details and approximate retail value, the sponsor's identity, and any "no purchase necessary" alternate entry method. Some states require registration and bonding for sweepstakes above a value threshold — New York and Florida being the classic examples (compliance under New York and Florida law involves registration, a surety bond, and winners-list obligations once the prize pool crosses the statutory dollar line). Tax reporting obligations attach to larger prizes.

The third rule is the one the original version of this very article got right years ago: follow the platform's promotion guidelines. Each platform sets its own rules for running promotions on its service — restrictions on requiring shares, tagging, or using personal timelines to administer entries, and required disclaimers stating the promotion is not sponsored, endorsed, or administered by the platform. Violating those guidelines will not usually get you sued, but it can get your post or account removed, which defeats the entire point.

And do not forget the FTC overlay: if your giveaway requires entrants to post about your product, those posts are endorsements, and the entrants should disclose that they are entering a contest (a "#contest" or "#sweepstakes" tag signals the material connection). A worked example: Acme Bakery runs "post a photo of your favorite Acme treat with #AcmeContest to win a year of free pastries." Acme should publish official rules, ensure entry does not require a purchase (or offer a free alternate entry), comply with the platform's promotion policy and disclaimer requirement, check whether any state registration applies given the prize value, and instruct entrants to include "#AcmeContest" precisely because it signals the material connection. For the broader marketing-compliance picture, including email and text rules, see The CAN-SPAM Act — a comprehensive guide for businesses and marketers and Advertising FAQs — a guide for small business.

Putting It Together: A Practical Checklist for Living Online

Social media law is sprawling, but the day-to-day risks reduce to a manageable set of habits. The unifying theme is that the casual surface hides real legal substance, and a few seconds of forethought prevents most problems.

For individuals: assume photos and videos you find are copyrighted; treat your own posts as published statements that can be quoted and screenshotted forever; remember that opinions are protected but false factual claims are not; and know that "anonymous" is a thin shield against a well-pleaded defamation claim.

For businesses and marketers: disclose every material connection in influencer and review programs and substantiate every objective claim; build a DMCA agent and takedown process if you host user content; never plant fake reviews and never use gag clauses against real ones; structure every giveaway to avoid the prize-chance-consideration trifecta and follow platform rules; settle ownership of corporate accounts before anyone is hired and again before anyone leaves; and register copyrights in your most valuable original content.

For employers: tread carefully before disciplining employees for social posts about pay, hours, or working conditions, because the NLRA may protect them; never demand passwords to personal accounts; draft social media policies that respect protected concerted activity; and train managers not to retaliate.

For government officials: keep personal and official accounts genuinely separate, and remember that an account doing the public's business can become a forum where blocking critics violates the First Amendment under Lindke v. Freed.

And for everyone: the law here is moving fast — Section 230's scope after Gonzalez and Taamneh, the constitutional status of content moderation after Moody v. NetChoice, the reach of state privacy and biometric laws, the unresolved ownership of work accounts, and the looming questions about AI-generated content and deepfakes are all genuinely unsettled and will keep evolving. Paying attention as the law develops is, to borrow the metaphor we opened with, the best way to keep from walking off the pier.

Frequently Asked Questions

Can a social media platform be sued for what its users post? Usually no. Section 230, 47 U.S.C. § 230, generally bars treating a platform as the publisher of third-party content, so the platform is not liable for most user posts and is protected when it removes content in good faith. But there are important exceptions: federal criminal law, intellectual-property claims (copyright and trademark run on the DMCA and Lanham Act instead), and sex-trafficking claims after FOSTA. And Section 230 never protects you from liability for your own posts.

If I post a photo to Instagram, does Instagram own it? No. You keep the copyright in your original work. But by agreeing to the Terms of Service, you grant the platform a broad license to host, display, and often sublicense your content while you use the service. Read the license grant — scope, duration, and sublicensing — to understand exactly what permission you are giving.

Can my employer fire me for complaining about work on Facebook? It depends on whether the post is "protected concerted activity" under Section 7 of the National Labor Relations Act, 29 U.S.C. § 157. If you and coworkers are discussing wages, hours, or working conditions — a group concern — firing you for it may be an unlawful unfair labor practice, even with no union. A purely individual gripe or gratuitous product disparagement unconnected to working conditions is more likely to fall outside the protection. The line is fact-specific.

Can my employer make me hand over my social media password? In most of the country, no. More than two dozen states prohibit private employers from requiring or requesting the credentials to a worker's or applicant's personal social media account, or from retaliating against those who refuse. Employers may still look at genuinely public information, may access accounts they themselves provide, and may investigate specific suspected misconduct. The protection is for personal accounts, not company-issued ones.

Who owns the company's social media account if the employee who ran it quits? It is genuinely unsettled and turns on the facts — who created and paid for the account, whose branding it carries, who held the password, and whether the followers and contacts are a protectable business asset (see PhoneDog v. Kravitz and Eagle v. Morgan). The fix is to settle ownership up front in an employment agreement and social media policy, register corporate accounts under company control, and address post-employment solicitation in any restrictive covenant.

Do influencers really have to write "#ad"? Yes, in substance. The FTC treats undisclosed paid endorsements as deceptive under Section 5 of the FTC Act, and its Endorsement Guides (16 C.F.R. Part 255) require clear and conspicuous disclosure of any material connection — payment, free product, family ties, affiliate commissions. The disclosure has to be easy to notice, not buried at the end of a hashtag pile. Both the influencer and the brand can be liable, and the brand also has to be able to substantiate any objective claims the influencer makes.

Can a government official block me on social media? Only sometimes. Under Lindke v. Freed, 601 U.S. 187 (2024), blocking is "state action" subject to the First Amendment only if the official had actual authority to speak for the government on the relevant matter and was purporting to exercise that authority on the account. A genuinely personal account can block anyone; an account used to conduct government business may not engage in viewpoint-based blocking or comment deletion.

Someone is trashing my business in fake or false online reviews. What can I do? Distinguish opinion from false fact. Honest negative opinions are protected, and the Consumer Review Fairness Act (15 U.S.C. § 45b) voids contract clauses that try to gag honest reviews. But provably false factual statements may be defamatory, and fake reviews — including ones a competitor or seller plants — are squarely targeted by the FTC's 2024 reviews rule (16 C.F.R. Part 465). For an anonymous poster, you can seek to unmask them via subpoena, but courts apply a balancing test (the Dendrite/Cahill line) and require a viable claim first. Beware of anti-SLAPP statutes if you sue a genuine critic.

Can someone in another country see and use a post I made? Does U.S. law even apply? Social media is global, and so are its legal headaches. Your post can be viewed — and copied, screenshotted, and re-shared — anywhere. U.S. law governs U.S.-based conduct and platforms, but other countries' privacy, defamation, and data-protection laws (the EU's GDPR being the headline example) can reach businesses that target users abroad. If you operate internationally, get jurisdiction-specific advice.

Is it legal to run a giveaway that requires people to tag friends and share my post? Maybe, with two cautions. Legally, make sure you are not running an unlawful lottery — eliminate either chance (judge a contest on skill) or consideration (offer a free entry method) — and publish proper official rules, checking state registration thresholds in places like New York and Florida for larger prizes. Practically, each platform sets its own promotion rules, and some restrict or prohibit requiring shares or tags. Follow the platform's guidelines or risk having your post removed.

Key Takeaways

Social media law is not one subject but a dozen overlapping ones stacked under a deceptively simple interface. Section 230 is the foundation that lets platforms host your speech without being sued for it — powerful, but riddled with carve-outs and the subject of intense reform debate the Supreme Court flirted with but did not resolve in Gonzalez and Taamneh. The 2024 Supreme Court term sharpened two pillars: Moody v. NetChoice signaled that platforms' content-moderation choices are protected editorial judgment, and Lindke v. Freed gave us a clean test for when a public official's blocking becomes a First Amendment violation. Around those pillars sit the everyday doctrines — copyright and the DMCA for content, defamation, anti-SLAPP, and anonymous-speech rules for reputation, the CRFA and the FTC's endorsement and fake-review rules for marketing, the NLRA and state password-protection laws for employee speech and privacy, the unsettled law of work-account ownership, and privacy and biometric statutes for data. The through-line is that a post is never just a post. A little forethought — disclose the sponsorship, substantiate the claim, check the platform rules, settle who owns the account, separate the personal account from the official one, pause before firing over a Facebook gripe — prevents the overwhelming majority of trouble.

This article provides general information about social media law and is not legal advice. The law in this area varies by jurisdiction and is changing rapidly; please consult qualified counsel about your specific situation before acting.