In the social media world, tagging a friend in a particularly unflattering picture is considered a breach of etiquette. For companies, the stakes are even higher. As tempting as it might be to post a picture of customers or other constituents on your social media account, if you do not have their consent, it is usually a bad idea.

As an initial matter, it is an open question whether the company would generally have any liability. At least one case suggests it might not – in a family law dispute, a Kentucky appellate court ruled that there was no need to obtain permission to photograph, post, and tag a picture of a third party.

However, the result might be different in a commercial context, where the picture is arguably being used to promote the company’s offerings. At a minimum, it is not smart business to do something that might upset your customers or cause a PR blowup. As a best practice, companies, and their paid bloggers, affiliates, and marketers, should obtain permission before posting recognizable photographs of individuals.

Where the Stakes Are Higher…

Meanwhile, in certain industries like healthcare, the legal obligations are better defined. Publicizing a patient’s picture, even without his or her name and with the face obscured, may very well violate HIPAA.

New Jersey even recently made it a criminal violation for a first responder to take or disclose photos at accident scenes or hospitals. The law stemmed from an incident in which a volunteer firefighter posted a picture of a dying woman long before her family had been notified of her involvement in a car accident.

As a result, healthcare employers should confirm that their policies adequately restrict employees from posting images of patients on the Internet. One such policy provision could be to prohibit employees from using a personal cellphone, smartphone, tablet or camera to take or post any photographs or video recordings of patients to the Internet.