Many companies have a corporate policy stating that employees cannot use personal social media accounts for work. In some regards, this makes sense as it is a priority for the business to conduct corporate social media monitoring on corporate accounts. It’s also good practice to use work accounts for work and personal accounts for other interests. However, when corporate social media monitoring comes into play, some platforms make this impossible — specifically Facebook and LinkedIn.
Both platforms allow for a separation of work and personal presence (e.g. a personal Facebook Account and a Business Page). However, it is against Facebook’s rules to create a fake Facebook Account to manage a Business Page or to access a Facebook Business Manager Account. The same is true for LinkedIn. To authenticate to a platform or to be given access to a business property (a.k.a. “point-of-presence”), one is required by these platforms to log in with a real personal account. If either platform detects that you’ve created a fake account (to keep out any personal connection with corporate property), the platform will disable it.
It’s certainly understandable that one does not want employees wasting time at work by accessing personal social media accounts, and companies want employees to have a professional persona from which they perform company business. This is why employees should avoid posting work content to their personal accounts, yet it is necessary for employees to post work content to a professional (i.e. business/company) page via their personal account.
Additionally, since the Cambridge Analytica scandal, the platforms have become more restrictive on access to their APIs. The gist is that any application attempting to do work with a platform on behalf of a company now needs one or more authorization tokens (e.g. OAuth token, bearer token, etc.) to do that work. This includes common MarTech stack tools such as social media monitoring, listening, analytics, and publishing SaaS solutions. No longer can an application register and make as many calls as it needs to perform the work on behalf of its corporate customer. Access to each API is protected and metered, and any access an application makes to a platform needs to be on behalf of (i.e. authorized by) a user. How this access is granted varies by platform. Some platforms are primarily credential-based on an individual account basis (e.g. Twitter), while others are more complex, like Facebook, which has User Accounts, Business Pages, and Business Manager Pages, each with their own access tokens.
Facebook is actually the hardest to understand and manage because the permission structure is so complex. Some API calls need to be made with a User token, while others can be made with a Page token…and sometimes the type of token needed depends on which fields of an API endpoint (e.g. a page’s info) are being retrieved. Additionally, the user authorizing a Page token generally must have the right permissions to the page in order to provide a usable token.
On top of this, Facebook requires that a User demonstrate that s/he still has an active relationship with the application making requests on their behalf. It used to be that tokens were valid until revoked. For many platforms, this is no longer true; now many tokens have a default lifespan that can be measured in days or weeks, and unless a user demonstrates that they are still using the application (e.g. by signing in to that application via “Facebook Login”), Facebook will invalidate the token. This will terminate the rights of the application to do work on that person’s, or company’s, behalf…and any access to business pages the user may have authorized.
For the average person, this is probably more information than one wants to know, but it’s the byzantine world in which social media management and particularly social media governance live. Implementing a rule that employees may not use personal social media accounts for work is just not viable in today’s social media environment. Governance teams need to implement a change to the corporate policy so it is clear that one should:
- not publish content to their personal accounts;
- not represent the company while acting as themselves, personally (unless the company has an ambassador program);
- but it is acceptable to perform work on behalf of the company via their personal accounts (e.g. allow their user token enablement and page OAuth) as long as the end product shows up in or on a corporate application, property, or presence.
Since social media monitoring and governance SaaS solutions must access social networks in order to provide services for corporations, it is necessary, per the rules of Facebook, LinkedIn, and other platforms, that a person enable their User tokens and authorize corporate social media pages via OAuth for the SaaS solutions. Otherwise, services such as monitoring, governance, and compliance will not be implemented. This is the unfortunate and confusing truth about corporate social media monitoring; just when everyone was pretty clear on the division of personal and business social media, Facebook (which includes Instagram) and LinkedIn have changed the rules.