California Med Spa Advertising Rules 2026 — What You Must Include
The complete guide to advertising compliance for California med spas — physician name requirements, before/after photo rules, and what you cannot say.
Quick Answer
Every piece of California med spa advertising — website pages, Instagram posts, Google ads, email campaigns — must include the supervising physician's name or a Medical Board-issued fictitious name permit number. You cannot use before/after photos without real patient results and specific written HIPAA authorization. You cannot claim treatments are "guaranteed," "painless," or "risk-free," or use "FDA-approved" for off-label uses. These rules apply to organic social posts, not just paid ads. Violating them is a Medical Board citation risk.
California has stricter advertising requirements for medical practices than most operators realize. The most common violation: running social media, Google ads, and a website without the supervising physician's name anywhere in the content. This isn't optional. California Business and Professions Code section 650.1 and related Medical Board rules require it — and the Medical Board actively investigates advertising complaints.
This guide covers everything your California med spa's advertising must include, what you cannot claim, and the photo and testimonial rules that trip up operators every day.
The Supervising Physician Name Requirement
California Business and Professions Code requires all med spa advertising to include the supervising physician's name or the facility's fictitious name permit. The name used must be the exact name as it appears on the physician's California medical license — not a nickname, not a shortened version, and not the name of a physician who previously served as your medical director.
This disclosure must appear in every piece of advertising — not just on your website's "About" page or buried in the footer. If you run an Instagram ad, the physician's name must be in the ad or clearly in the linked landing page. If you send an email campaign promoting services, the physician's name must be included. The requirement applies to each individual advertisement, not just your overall marketing presence.
If you want to advertise under a business name rather than the physician's personal name — for example, as "Glow Medical Spa" instead of "Dr. Smith's Med Spa" — you can obtain a fictitious name permit from the Medical Board of California. A valid fictitious name permit number substitutes for the physician name requirement in advertising. This is a common and practical solution for branded practices, but the permit must be current and registered to your specific facility.
Most operators miss this requirement because they think of it as applying to formal print advertisements. It doesn't. It applies to Instagram posts, TikTok videos, email subject lines, Google Business Profile descriptions, and any other public-facing content that promotes your services. For full context on the medical director relationship that underlies this requirement, see our guide to California med spa medical director requirements.
What Counts as "Advertising"
Under California law, advertising is everything visible to the public that promotes your services. The scope is broader than most operators expect. The following are all considered advertising and must comply with California's disclosure requirements:
- Your website — every page, not just the home page. If your services page doesn't include the physician's name and your about page does, each services page is independently non-compliant.
- Social media posts, including organic posts — the law does not distinguish between paid and unpaid promotional content. If you post about a Botox special on Instagram, that post is advertising.
- Google Business Profile posts and your business description.
- Email marketing, including newsletters and promotional emails.
- In-office signage visible from outside your facility.
- Business cards that describe your services.
- Yelp and other directory listings where you describe your services.
What is NOT advertising: internal staff communications, patient medical records, and direct one-on-one patient consultations. A text you send to a current patient in the context of their treatment is not advertising. A mass SMS promotional blast to your entire patient list is.
Before & After Photo Rules (FTC)
The Federal Trade Commission's rules on before/after advertising apply nationwide, including California. These rules operate independently of — and in addition to — California's state advertising rules. An ad can comply with California's physician name requirement and still violate FTC rules.
Photos must show real patient results — your actual patients, not stock photos, models, or results from other providers. The FTC treats presenting stock photos or another provider's photos as your own patients' results as deceptive advertising. This is a common and serious mistake. Device manufacturers and product companies frequently provide before/after photos for marketing use, but these cannot be presented as your patients' results.
Every before/after photo must include the disclaimer "Results may vary" or similar language in clear, readable text — not in 6-point font at the bottom of an image. The disclaimer must be visible and legible without enlarging the image.
You cannot use misleading angles, lighting, or photo editing to exaggerate results. This includes adjusting skin tone, smoothing texture, or changing the lighting between the before and after image in ways that create the appearance of greater improvement than the treatment actually produced. If a photo shows results from a specific product or treatment protocol, that must be disclosed — you cannot use a result achieved with a specific device and present it as a general outcome of your standard treatment.
All before/after photos must have written patient authorization before publication. This is both an FTC requirement and a HIPAA requirement, covered in the next section.
Patient Photo & Testimonial HIPAA Rules
Using a patient's photo or testimonial in marketing requires specific written HIPAA authorization — and this authorization must be separate from your general treatment consent form. A general consent that says something like "your information may be used for marketing purposes" is not sufficient under HIPAA. The authorization must be specific.
A compliant HIPAA photo and testimonial authorization must specify exactly what will be used — this specific photo taken on this date, this specific quote — and where it will be published: your Instagram account, your website, your print materials. Vague authorizations that say "social media" without identifying your specific accounts are legally questionable. The authorization must also state how long it is valid and must clearly inform the patient that they can revoke authorization at any time, and explain the process for doing so.
Posting a patient's before/after photo or testimonial without a properly executed, specific HIPAA authorization is a HIPAA violation subject to enforcement by the Office for Civil Rights. OCR penalties range from $100 to $50,000 per violation depending on the nature of the breach and whether it was willful. Keep all signed photo and testimonial authorizations on file indefinitely — there is no statute of limitations on HIPAA violations that have been published and remain publicly accessible.
What You Cannot Claim in California
California and federal law prohibit specific categories of claims in aesthetic medicine advertising. The most common violations involve FDA approval language. You cannot claim "FDA-approved" for any off-label use of a drug or device. Botox, for example, is FDA-approved for specific cosmetic indications — glabellar lines, crow's feet, and forehead lines. It is not FDA-approved for jawline slimming, lip flips, neck bands, or many other uses for which it is routinely and legally administered. Describing an off-label use as "FDA-approved" is false advertising, even if the treatment itself is legal.
You cannot use the word "cure" in connection with any aesthetic procedure. Med spas treat conditions — they do not cure them. This applies to language like "cure acne," "cure rosacea," or "cure stubborn fat." Treatments may reduce, improve, minimize, or address these conditions, but cure is a medical claim that aesthetic procedures cannot make.
You cannot claim a procedure is "painless," "risk-free," or "guaranteed." All medical procedures carry risks. Claiming otherwise is both false advertising and a violation of patient informed consent standards. Similarly, you cannot guarantee specific outcomes — outcome guarantees in medicine are inherently deceptive because individual results vary.
You cannot use another provider's results or photos as your own, as addressed in the FTC section above. And you cannot use a physician's name in advertising if that physician is not your current, actively serving medical director. If your medical director changes and you have not updated your advertising — your website, your Google Business Profile, your printed materials — you are in violation. There is no grace period for updating advertising when a medical director relationship ends.
Social Media Compliance Checklist
Before posting, run through this quick checklist.
See our California compliance checklist for the complete compliance picture beyond advertising.
Our Operations & Compliance Kit includes patient photo and testimonial authorization forms, advertising review checklists, and 4 additional compliance SOPs — all written to California Medical Board standards.
California Website Compliance Requirements
Your med spa's website is advertising under California law — every service page, every landing page, every blog post that promotes your services. Most operators put the physician's name on their About page and assume that satisfies the requirement. It doesn't. Each page that promotes services must independently satisfy California's disclosure requirements.
At minimum, every California med spa website must include:
- Supervising physician's name or fictitious name permit number — on every page that describes or promotes services, not just the About or Contact page
- Physical business address — California law requires this in physician advertising; a P.O. box is not sufficient
- No false or misleading claims — every statement about treatment outcomes, pricing, or clinical capabilities must be accurate and verifiable
- Procedure descriptions that are accurate to scope — if your website describes a service that your credentialed staff cannot actually perform under California law, the description itself may constitute misleading advertising
Website pricing pages require extra care. A price listed on your website creates an expectation. If your actual pricing is different — because of additional fees, consultation costs, or per-unit pricing that differs from an estimated package price — the discrepancy between advertised and charged prices can trigger patient complaints. If you list prices, be complete and accurate. If prices vary significantly by patient, it is better to say "starting from $X" with a clear note that pricing is determined at consultation than to list a number that most patients will not actually pay.
Google Business Profile (GBP) is frequently overlooked. Your GBP is advertising. The business description must include the physician's name or fictitious name permit number. Posts on your GBP promoting services are advertising. Reviews you respond to — particularly responses that describe your services or make clinical claims — can also constitute advertising content.
The Fictitious Name Permit — What It Is and How to Get One
A fictitious name permit from the Medical Board of California allows a medical practice to advertise under a business name rather than under the physician's personal name. Without the permit, a practice named "Pacific Wellness Med Spa" must include the physician's name in all advertising in addition to the business name. With the permit, the permit number can substitute for the physician name requirement.
The fictitious name permit is separate from a county Fictitious Business Name (DBA) registration. Both are required if you operate under a business name different from your PC's legal name — but they serve different legal purposes. The county DBA establishes your right to use the business name commercially. The Medical Board fictitious name permit authorizes the use of that name in medical advertising without separately disclosing the physician's name.
To obtain a fictitious name permit, apply through the Medical Board of California. The application requires: the proposed fictitious name, the physician's (or 104 NP's) California license number, the practice's physical address, and confirmation that the name does not mislead patients about the nature or ownership of the practice. The Medical Board will not approve names that imply a specialty the practice does not have (e.g., "Advanced Surgical Center" for a med spa that does not perform surgery) or names that are confusingly similar to other permitted practices.
Keep the fictitious name permit current. If your medical director changes, you may need to update the permit. If you open a second location, a separate permit is required for each facility. Operating under a fictitious name without a valid permit is itself an advertising violation.
Enforcement: What Actually Happens When Advertising Rules Are Violated
The Medical Board of California receives advertising complaints from patients, competitors, and anonymous tipsters. Unlike some regulatory violations that require direct patient harm before enforcement action, advertising violations are self-evident — an inspector can visit your website or Instagram without you knowing and document the violation before any formal complaint is filed.
The Medical Board's enforcement response to advertising violations varies by severity:
- First offense, easily correctable — typically a written notice requiring correction within 30 days, with follow-up verification that the violation was remedied
- Repeat violations or more serious claims — formal citation with monetary fine; fines under California Business and Professions Code can range from hundreds to thousands of dollars per violation, and each non-compliant ad or post can be treated as a separate violation
- Willful deception or patient harm — disciplinary action against the medical director's license, up to and including suspension or revocation; in extreme cases, referral for criminal prosecution
The FTC operates separately from the Medical Board. The FTC does not need to wait for a complaint — it monitors advertising in the aesthetics industry and has issued warning letters and enforcement actions against aesthetic practices for misleading before/after photo use, unsubstantiated efficacy claims, and paid endorsements not disclosed as advertising. FTC civil penalties can reach tens of thousands of dollars per violation.
HIPAA's Office for Civil Rights (OCR) enforces patient photo and testimonial authorization violations. OCR penalties range from $100 per violation for unknowing violations to $50,000 per violation for willful neglect not corrected within 30 days. A single unauthorized before/after photo that remains publicly accessible after OCR notification is a continuing violation, with penalties accumulating daily.
Summary: California Med Spa Advertising Rules in Plain Terms
- Every advertisement — including organic social posts — must include the supervising physician's name or your Medical Board-issued fictitious name permit number
- "Advertising" includes your website, Instagram, Facebook, TikTok, Google Business Profile, email campaigns, and physical signage
- Before/after photos must show real patient results (not stock photos), include "results may vary" disclaimers, and have specific written HIPAA authorization for each image
- Patient testimonials require their own standalone HIPAA authorization — not bundled in general consent
- Do not claim treatments are "guaranteed," "painless," "risk-free," or "FDA-approved" for off-label uses
- If you operate under a business name, obtain a fictitious name permit from the Medical Board before advertising under that name
- Each website page that promotes services must independently satisfy the physician name disclosure requirement
- Violations can be cited by the Medical Board, FTC, and HHS Office for Civil Rights — each independently
This article is for informational purposes only and does not constitute legal advice. California advertising requirements for medical practices are complex and subject to change. Consult a California healthcare attorney before launching new advertising campaigns.
Frequently Asked Questions
Does every Instagram post need the physician's name?
Can I use stock photos as before/after examples?
What happens if you violate California's advertising rules?
Do I need a fictitious name permit if I advertise under a business name?
Can I use Botox manufacturer photos in my advertising?
What must a HIPAA photo authorization include?