Facebook, Instagram, Twitter & co.: An Overview of the Risks in Social Media

Content marketing without social media is almost unthinkable today for most companies, and also for freelancers and the self-employed, regardless of whether you use Facebook, Instagram or YouTube to increase your reach or business networks such as LinkedIn to find new customers or clients. As indispensable as social networks are today, they can also quickly become a risk. In this article, we have therefore taken a closer look at the business risks associated with social media channels.

Legal Notice Obligation in Social Media 

If you are active in social networks for business purposes, you also have a legal obligation to publish a legal notice (also known as an imprint). That means you also have to make your legal notice available in your social media channels.

Facebook: Including a Legal Notice

Facebook fan pages have their own field under the “Info” tab where you can easily store the legal notice (preferably with a link to the legal notice on your website).

Instagram: Including a Legal Notice

Instagram profiles themselves do not have a field for the legal notice. However, you can add a link to it on your website under “Profile”. It’s important that users can clearly see that the link leads to the legal notice. Either use the words “legal notice” in the link itself (a descriptive link) or write “legal notice” in front of the link.

Twitter: Including a Legal Notice

There is no separate field for the legal notice on Twitter. You should include the link to the legal notice in the “Biography” field in your profile. Since the number of characters is limited, you can also use a link shortener, for example bit.ly, to save space.

TikTok: Including a Legal Notice

TikTok doesn’t have its own field for the legal notice either – so you should integrate it into your profile description, just like on Twitter and Instagram. It is also important here that it is clearly recognisable that this is the legal notice – either via a legible headline or a meaningful link.

Instagram, Facebook, YouTube & Co: Watch Out for Copyrights!

Regardless of whether you use image and video content on your own website, in your online shop or on social networks: Copyright applies everywhere. So if you use a product image for your Facebook or Instagram post, accompany your YouTube video with product images or use a GIF on Twitter: ALWAYS make sure beforehand that you own the rights to the image or video content used or that the image or video is license-free. In addition, for all third-party content (e.g. purchased images from a database such as Adobe Stock or iStock or product images from the manufacturer), check whether the acquired rights also include publication in social media (extended social media licenses).

Watch out for Music Rights!

Copyrighted material can also be found on social networks beyond images or videos. This also includes music! For example, if you add music to a short reel on TikTok or Instagram, this can also result in a fine – because there are also license rights for music. So always make sure that you either own the rights to the music pieces used or use license-free music. YouTube, Facebook, Instagram and TikTok now have their own libraries with a selection of music and sounds that you can use.

GDPR and Social Media: Plug-ins

As on your own websites, the General Data Protection Regulation (GDPR) also applies to social networks. Whenever personal data is processed, the rules of the GDPR must be complied with. However, social networks such as Facebook often collect personal data without you as the site operator being able to influence this and without the users noticing. There are social media plug-ins that also enable functions from the networks such as liking, sharing or commenting on websites. Just like any plug-in, this is also an external add-on program that extends an existing application. It’s actually a practical function, but it can quickly become a problem when it comes to transferring user data.

The European Court of Justice (ECJ) has already issued a landmark judgment on the Facebook Like button (ECJ, judgment of 29 July 2019, Case C-40/17), which states: Site operators are jointly responsible for a Like button integrated on their website within the meaning of the GDPR, because this plug-in collects personal user data and transmits it to the provider (in this case Facebook). Therefore, users must explicitly agree to this data collection, according to the ECJ. Responsibility for the collection and transmission of the data lies with the site operator – the subsequent processing and use of the data, on the other hand, lies with the data recipient. The conclusion of this judgment can be extended to plug-ins in other social media channels such as Twitter, Instagram, YouTube and so on.

What Does the ECJ Ruling Mean for Site Operators?

If you use plug-ins from social media (for example the Facebook Like button), you should deactivate them until the user agrees to the data collection. You can integrate the consent into the cookie banner that is displayed to visitors when they open your website, where they can select whether and to what extent they consent to the data collection and processing.

Another option is the two-click solution: Here you first integrate the button (for example the Like button) as a pure image so that no user data is transmitted. You can use a mouseover text to inform the user about the data protection issue before the first click. The plug-in is only activated when the user clicks on it; the actual button is then reloaded and a server connection to the social network is established. If the user clicks on it a second time, the actual function of the button is triggered, a window opens and the user has to log into the social network, for example on Facebook. Only then will the user’s data be transmitted.
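The two-click solution described above, sketched as an added example (not code from this article or from any social network). The function name createTwoClickButton, the element id like-slot and the social.example URL are hypothetical placeholders.

```javascript
// Added example: two-click gate for a social plug-in.
// PLUGIN_SRC is a placeholder, not a real network endpoint (assumption).
const PLUGIN_SRC = "https://social.example/plugin.js";

// doc is passed in so the same logic works with `document` in a browser
// or with a stub in a test. All names here are hypothetical.
function createTwoClickButton(doc, container, { pluginSrc, notice, onActivate }) {
  let state = "placeholder"; // "placeholder" -> "loaded"

  // Locally rendered stand-in: creating it causes no third-party request.
  const button = doc.createElement("button");
  button.textContent = "Like (click to enable)";
  button.title = notice; // mouseover text shown before the first click
  container.appendChild(button);

  button.addEventListener("click", () => {
    if (state === "placeholder") {
      // First click: only now is the plug-in script requested, so this is
      // the first moment a connection to the network's server is made.
      const script = doc.createElement("script");
      script.src = pluginSrc;
      script.async = true;
      container.appendChild(script);
      button.textContent = "Like";
      state = "loaded";
      return;
    }
    // Second click: trigger the button's actual function.
    onActivate();
  });

  return { button, getState: () => state };
}

// Browser wiring; skipped where no DOM exists (e.g. under Node).
if (typeof document !== "undefined") {
  const slot = document.getElementById("like-slot"); // hypothetical element id
  if (slot) {
    createTwoClickButton(document, slot, {
      pluginSrc: PLUGIN_SRC,
      notice: "Clicking connects to the social network and transmits data to it.",
      onActivate: () => console.log("plug-in action triggered"),
    });
  }
}
```

To confirm the gate holds on a live page, open the browser's network panel and check that no request to the plug-in host appears before the first click.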

In addition, you must also have a data processing agreement with the providers of the plug-ins in accordance with Art. 26 GDPR, which regulates who is responsible for responding to user inquiries. In your privacy policy (also known as a “data protection declaration”) you must also specify all the services you use on your website (social plugins, tracking tools, etc.).

GDPR and Facebook Fan Pages

In 2018, the ECJ made a landmark judgment not only on social plug-ins, but also on the operation of a Facebook fan page (ECJ judgment of 5 June 2018 – C-210/16). This states that the operators of a Facebook fan page are jointly responsible with Facebook for processing the personal data of visitors to this page. As a result, Facebook has included an agreement on data protection, the so-called Insights Supplement, in the terms of use. You should definitely stick to this supplement. In addition, you have to store a data protection declaration on Facebook (you will find out how to do this below) and include a separate passage on the subject of social media in the data protection declaration linked on your website.

Data Protection Declarations in Social Media

You can find out here how you can store your data protection declarations on Facebook, Instagram or Twitter:

Storing a Data Protection Declaration on Facebook

On Facebook, there is the option of including a link to your data protection declaration in the “Privacy Policy” field under the page information. Data protection experts also recommend adding the link in the legal notice field, for example with the note “You can find our data protection declaration here”.

Storing a Data Protection Declaration on Twitter

On Twitter, you can only include the data protection declaration – like the legal notice – in the “Biography” field, ideally with a shortened link. You only have 160 characters available for the description of your profile, the link to the legal notice and the link to the data protection declaration.

Storing a Data Protection Declaration on Instagram

Just like the legal notice, you can insert the data protection declaration in the “Profile” field on Instagram.

Storing a Data Protection Declaration on TikTok

TikTok makes it particularly difficult for operators of professional profiles to integrate the data protection declaration (as well as the legal notice). Both can only be integrated in the profile description, but this has a character limit of a maximum of 80 characters. One solution here is to use link shorteners or to simply place a link that redirects to the legal notice and data protection declaration on an external website.

GDPR and Personal Rights: Photos of Events and Employees

Caution is also advised with photos of company events. If you want to publish such photos on social networks, under the GDPR you have to obtain permission from the people who are depicted. This also applies to employees, clients or partners.

In any case, you will be on the (legally) safe side if you obtain written permission from every visitor allowing you to take photos and stating the purpose for which the pictures will be used (Art. 6 (1) GDPR). Since this often isn’t practical, especially for larger events, a lot of people make do by indicating in the letter of invitation to the event that photos will be taken at the event and where they will be published. In addition, you can attach a notice to a sign at the entrance to the event.

Legal experts disagree about whether this meets the requirements of the GDPR. The issue is whether it falls under legitimate interest according to Art. 6 (1) (f) GDPR. There is no case law on this yet. Therefore: Everyone has to weigh up for themselves what effort and what risk they want to accept when it comes to photos and events.

Personal Rights of Employees

Regardless of events, the following also applies: If you want to publish pictures of employees on social networks, always get written consent. This applies to postings as well as stories or reels, even if the people can only be seen in the background.

LinkedIn: The Risks of Business Social Media

Business networks like LinkedIn differ from Facebook and Co. in that the focus here is clearly on making new business contacts. You can use these channels to network with other self-employed people, but also to look for new clients. But be careful: LinkedIn has very clear rules about making contact.

LinkedIn: Own Profile and Business Page

On LinkedIn, you can introduce yourself as a person. The most important thing here is that you not only make sure to keep your profile up to date, but also highlight your work experience and portfolio, for example. A link to your website is also recommended. Since this is your personal profile, there is no obligation to publish a legal notice, nor is there a link to the data protection declaration. However, when posting pictures, you must also observe the personal rights of employees, business partners and clients, as on other networks.

If you create your own page for your business, the same rules apply as on other social networks: You must provide a legal notice and a data protection declaration (preferably via a link) and observe copyrights for images and videos. It’s generally always possible to create a business page on LinkedIn – but you have to pay for additional services (advertisements).

Conducting Social Media Competitions in a Legally Compliant Manner

Competitions on social media are popular with companies to raise awareness of products or services and attract new customers. But there are also risks lurking when running a competition. In general, the same applies to competitions as to social media networks: Participants must always be informed about the conditions of participation and the data protection information and also agree to them. You can either integrate this directly into your competition post on the respective platform (e.g. as a second image or in the text) or you can include a link to a website in the post.

Each social network also requires that you include a release letter, either in the post itself or in the competition terms and conditions, that excludes any liability of the respective channel. It can look like this: “The competition is in no way sponsored, supported or organised by [Platform]. The sole contact person and person responsible for the competition is ... (Name and address of the company).”

In addition, there are some special features for every social network that need to be considered:

Facebook Competitions

The following are not permitted when running a competition on Facebook:

On the other hand, liking the post is permitted as a prerequisite for participating in the competition and leaving a specific comment under the post.

Instagram Competitions

Again, you may not ask users to tag themselves or their friends in the competition.

Twitter Competitions

Twitter wants to prevent the network from being flooded with spam or from artificially increasing the reach of a post. That is why you are not allowed to ask for a retweet of the respective post in your competition. The chances of winning the competition must also not increase if users participate with multiple accounts – this is to prevent the creation of fake accounts. You should also list both conditions in your competition terms and conditions of participation.

Protect Yourself Against Risks in Social Networks Now

As you can see: Social media opens up lots of opportunities, but also harbours risks such as violations of the law and warnings. If you receive a warning due to your social media activities or if you violate the rights of others, Professional Indemnity Insurance from exali is at your side. The insurer first investigates claims at its own expense. Unjustified claims are defended against, while justified claims for damages will be paid.

You can take out our insurance online in just a few minutes. Any questions? There’s no call centre or queue with us – our customer advisors are there for you personally. You can reach us by telephone from Monday to Friday from 9 a.m. to 6 p.m. on +49 (0) 821 / 80 99 46 – 0.