The Legal Dos and Don’ts of Social Media Marketing

The Legal Rules of Social Media Marketing in the UK

Published by Legal Foundations. Last reviewed: March 2026.

Social media marketing is one of the most heavily regulated areas of UK advertising law — and one of the most frequently breached. The ASA upholds more complaints about social media and influencer content than almost any other advertising category. Brands, agencies, and content creators who treat Instagram, TikTok, and X as a disclosure-free zone are taking a serious legal risk. This guide sets out what the law actually requires.


The ASA, the CAP Code, and Why They Apply to Social Media

The Advertising Standards Authority (ASA) administers the UK Code of Non-broadcast Advertising and Sales Promotion (CAP Code). Rule 2.1 of the CAP Code is the foundation: “Marketing communications must be obviously identifiable as such.”

This applies to social media posts, stories, reels, TikToks, Tweets, YouTube videos, and any other format where a commercial relationship exists between the content creator and a brand. The ASA has confirmed this repeatedly — most recently in its 2023 enforcement programme targeting influencers.

The CAP Code applies to “marketing communications” — defined broadly as any communication by a business (or anyone acting on a business’s behalf) intended to promote products or services. Content posted by a brand on its own channels is an ad. Content posted by an influencer who has been paid or gifted product is an ad. Content where an affiliate link generates commission is an ad. The test is whether there is a commercial relationship that has given rise to the content, not whether money changed hands.


Influencer Disclosure: The #Ad Requirement

The Basic Rule

Where a commercial relationship exists, the content must be clearly and prominently labelled as advertising. The ASA has confirmed that “#ad” at the start of a post is sufficient labelling, but “#ad” buried in a list of hashtags at the end is not. Placement and prominence matter.

For video content, a verbal disclosure (“this is an ad” or “I’m working in partnership with [brand]”) must be made at the start of the video, not at the end, and must not be fleeting.

What Counts as a Commercial Relationship?

  • Paid post: Obviously covered. Any payment, whether cash or contra, for the creation or posting of content.
  • Gifted product: If a brand sends a product for free with a genuine expectation of coverage, disclosure is required even if there is no direct payment. If the creator received a product with no expectation attached and chooses to review it, disclosure is not technically required — but the ASA will look at the circumstances, not just the label.
  • Affiliate links: If a creator earns commission on sales generated by a link in their content, this is a commercial arrangement and the content must be labelled “#ad” (or equivalent).
  • Brand ambassador relationships: Long-term commercial arrangements with a brand require disclosure on every piece of content in scope, not just the initial announcement.
  • Family and friends: If a brand pays a celebrity and that celebrity’s partner then posts about the same product, the ASA may treat the partner’s post as part of the same marketing campaign.

Common Mistakes Brands Make

Brands often believe that compliance is the influencer’s responsibility. This is incorrect. The CAP Code holds both the brand (the “advertiser”) and the creator (the “publisher”) responsible. A brand that briefs an influencer on a campaign and fails to brief them on disclosure requirements, or fails to check the influencer’s posts before publication, is in breach of the Code.

Brand briefing documents should specify that all content must be labelled “#ad” where required, and post-publication checks should be part of campaign management.


Defamation Risks in Social Media

Brand Defamation

Publishing a false statement of fact that causes serious harm to a business’s reputation is actionable as defamation under the Defamation Act 2013. The serious harm threshold for a business requires proof that the publication has caused, or is likely to cause, serious financial loss (s.1(2) Defamation Act 2013).

Negative reviews are not automatically defamatory — an honest expression of opinion about a genuine experience is protected as honest opinion under s.3 of the Act. But a false factual allegation — for example, falsely claiming a restaurant had a food hygiene closure — is actionable.

Social media accelerates defamation risk: a false statement shared by multiple accounts, with the brand tagged, can spread rapidly. Businesses that discover defamatory content should act quickly. The limitation period for defamation is one year from publication (s.4A Limitation Act 1980), running from each new publication.

Employee Social Media

Employee posts on personal accounts can create defamation exposure for the employer where the post is made in the course of employment. Even where the post is on a personal account, courts have found an employment connection where the employee references their employer or uses employer-related information.

Monitoring and responding to defamatory employee posts requires a careful balance against the employee’s Article 10 ECHR right to freedom of expression. Employers should have clear social media policies that set out what is and is not permissible on personal accounts where the employer is identifiable.


Copyright in Social Media Content

Who Owns User-Generated Content?

User-generated content (UGC) — photos and videos created by customers and posted to their own social media accounts — is the creator’s copyright. A brand that reposts, reuses, or incorporates UGC into its own marketing without a licence is infringing the customer’s copyright.

Reposting on Instagram: Sharing (“reposting”) an Instagram post does not grant a copyright licence. The act of posting to Instagram grants Meta a licence to host and display the content on the platform; it does not grant third parties a right to repost it.

Using customer photos in ads: Running a customer’s photo as part of a paid advertising campaign without their explicit consent risks not only copyright infringement but potentially a data protection claim (the image may contain personal data, including special category data if it reveals health or ethnicity).

Best practice: Before using customer content in any commercial context, obtain written permission. A DM saying “Can we use your photo? Please reply YES to consent” is a minimum; a proper consent form is better for any significant use.

Copyright in Original Social Media Content

Content created for social media by employed staff belongs to the employer. Content created by freelance agencies or social media managers belongs to the creator unless assigned. Brands commissioning agencies to produce social media content should ensure their contract includes an IP assignment of all deliverables. Without this, the agency retains copyright in the copy, graphics, and video it produces.


GDPR, Data Protection, and Social Media

Running Competitions

Social media competitions are a popular marketing tool, but they generate personal data obligations. When a competition requires entrants to like a post, follow an account, tag a friend, or submit an entry form, the brand becomes a data controller for that personal data.

A clear privacy notice must be provided at the point of entry, setting out what data is collected, for what purpose, the legal basis (usually legitimate interests or consent), and how long it is retained. Repurposing competition entrant data for email marketing requires separate consent.

The ICO has been clear that “follow us and like our post” competitions where the condition of entry is following an account do not, of themselves, constitute consent to marketing — the competition entry does not implicitly authorise future contact.

Pixel Tracking and Social Media Data

Meta’s Pixel and equivalent tracking tools on brand websites collect personal data about site visitors and send it to Meta’s advertising platform. This is personal data processing under the UK GDPR, and requires a lawful basis. Cookie consent banners must correctly disclose third-party tracking and obtain consent before firing the pixel.

Deploying the Meta Pixel without a valid consent mechanism — which requires genuinely informed, freely given, specific, and unambiguous consent — is a breach of the Privacy and Electronic Communications Regulations 2003 (PECR) as well as UK GDPR. The ICO has issued enforcement notices against cookie consent non-compliance and the fine potential is significant (up to 4% of global annual turnover under UK GDPR).


Platform-Specific Terms and Legal Compliance

Meta (Facebook and Instagram)

Meta’s Terms of Service and Advertising Policies prohibit certain commercial uses. Advertisers running paid ads must comply with Meta’s advertising policies (which overlap with but are distinct from ASA requirements) and with Meta’s community standards for organic content. Key restrictions include prohibitions on misleading claims, promotion of certain regulated products, and use of “before and after” imagery for health and wellness products.

Meta’s terms also restrict the use of data collected via its platforms. The platform’s Graph API terms of service limit how customer data extracted from Meta (such as email addresses from lead generation forms) can be used.

TikTok

TikTok’s Branded Content Policy requires creators to use TikTok’s Branded Content toggle when posting commercial content. Failure to use the toggle when required is a breach of TikTok’s terms and may result in content removal. TikTok’s advertising policies for paid ads include sector-specific restrictions — financial services, health products, and alcohol are subject to enhanced requirements.

X (formerly Twitter)

The verified (blue tick) system on X has changed since Elon Musk’s ownership. The blue tick no longer guarantees that an account is an authentic brand account — it can be purchased by any subscriber. This creates brand impersonation risks. Brands that hold blue ticks should monitor for impersonator accounts and use X’s reporting system. Impersonation on social media can constitute trade mark infringement where the impersonator creates confusion about the origin of goods or services, and potentially passing off.


Employee Social Media Policies: What You Can and Cannot Restrict

An employer can lawfully restrict employees’ social media use in the following ways:

  • During working hours: Restricting personal social media use to breaks or lunch is a legitimate workplace rule
  • Confidential information: Prohibiting disclosure of confidential business information on social media is enforceable
  • Bringing the employer into disrepute: Disciplinary action for posts that are objectively damaging to the employer’s reputation is potentially fair, but context matters — a single angry tweet venting about a bad day at work is different from sustained defamatory content
  • Restricting disclosure of legal proceedings: Employees involved in ongoing tribunal or court proceedings can be restricted from public comment

What employers cannot do:

  • Prohibit all social media activity in personal time (this would be an unjustifiable invasion of private life, potentially breaching the implied term of mutual trust and confidence)
  • Dismiss an employee for protected disclosure made via social media — whistleblowing on social media may be a protected act under the Public Interest Disclosure Act 1998
  • Monitor employees’ personal social media accounts covertly without lawful authority and a privacy impact assessment

Any social media policy should be proportionate, clearly communicated, and reviewed by employment lawyers before implementation.


Crisis Management: Legal Obligations When Things Go Wrong

When a crisis breaks on social media — a product recall, a customer complaint going viral, allegations of misconduct — the legal obligations include:

  • Defamation: If false statements are spreading, early correspondence to the originator and platform may stop the spread. Legal Letters Before Action can prompt platforms to take content down, particularly if it breaches their terms.
  • Data breach: If the crisis involves personal data — for example, a hack resulting in customer data being posted publicly — the ICO must be notified within 72 hours under UK GDPR Article 33 if the breach is likely to result in a risk to individuals’ rights.
  • Regulatory disclosure: Listed companies must consider whether information spread on social media constitutes inside information requiring market announcement under the Market Abuse Regulation.
  • Employment: If the crisis involves employee misconduct, the disciplinary process must still follow ACAS guidance and natural justice principles — do not dismiss or discipline based solely on a social media post without a proper investigation.

