
FTC Before and After Photo Rules for Med Spas: What Changed in 2023 — And What You Must Do Now

Most med spas are still running before and after photos under rules that no longer exist. The FTC's 2023 update changed the legal standard — and the disclaimer you've been using isn't enough anymore.

By MedSpa Standards · April 2026

The Rule Change Most Med Spas Don't Know About

In June 2023, the FTC updated its Endorsement Guides for the first time in 14 years. The core finding: "Results not typical" disclaimers are no longer legally sufficient. Posting before and after photos with that language — or any variation of it — does not protect you. The FTC tested these disclaimers and determined they fail to correct consumer deception. The standard has changed.

Why Before and After Photos Are Your Highest-Risk Marketing Asset

Before and after photos are the most powerful marketing tool in the med spa industry — and simultaneously the most legally exposed. A single non-compliant photo posted to Instagram creates potential liability under two separate federal frameworks: the FTC's Truth in Advertising rules and HIPAA's patient privacy protections. Most practices focus on one or ignore both.

The enforcement landscape has changed materially since 2023. The FTC updated its Endorsement Guides — the first substantive revision since 2009 — and explicitly addressed the failure of common disclaimer language. At the same time, OCR HIPAA enforcement has expanded, with settlements in 2025 specifically targeting patient photos posted to social media without proper authorization. Understanding both frameworks isn't optional. It's the baseline for legally posting any patient result.

The 2023 FTC Rule Change: "Results Not Typical" Is Dead

For years, med spas posted dramatic transformation photos with a small disclaimer at the bottom: "Results not typical" or "Individual results may vary." This felt like legal cover. It wasn't — and as of June 29, 2023, the FTC has explicitly said so.

The FTC's updated Guides Concerning the Use of Endorsements and Testimonials in Advertising (16 CFR Part 255) — the first major revision in 14 years — directly addressed the effectiveness of these disclaimers. The FTC conducted research and found that even strongly worded disclosures like "These testimonials are based on the experiences of a few people and you are not likely to have similar results" failed to correct consumer misimpression. Readers still walked away believing the results shown were representative.

The FTC's conclusion: disclaimers that communicate atypical results do not fix the problem of showing atypical results. The disclaimer approach is the wrong approach.

What the New Standard Requires

Under the updated guides, the requirement has shifted from disclaiming atypical results to disclosing typical ones. Specifically, the FTC states that when an endorsement or testimonial shows an outcome that is not what most consumers achieve, advertisers must "clearly and conspicuously disclose the generally expected performance in the depicted circumstances."

In plain terms: if your best before and after photo shows a patient who lost 40 pounds on a GLP-1 program, you cannot simply say "results not typical." You must tell consumers what a typical patient on that program actually experiences — e.g., the average weight loss over a specific time period, the dropout rate, or the range of outcomes in your patient population.

This is a higher bar. It requires you to know your own outcomes data and disclose it proactively. For many practices, that means conducting a genuine audit of patient results before featuring any before and after content.

FTC Rule #1: Typical Results, Not Best-Case Results

The foundational requirement is that before and after photos must reflect what a typical patient can expect — not your most dramatic case. Using your most exceptional result as the visual centerpiece of your marketing, without disclosing that it's an outlier, is a deceptive act under FTC standards.

This applies to every medium: your website, Instagram feed, Facebook ads, TikTok videos, email marketing, waiting room displays, and print materials. The FTC's rules do not distinguish between digital and physical advertising channels.

Practically speaking, this means practices should maintain a portfolio of results that reflects their actual patient population — not just their most photogenic cases — and be prepared to document the basis for any specific result they feature publicly.

FTC Rule #2: No Misleading Edits or Enhancements

Any photo editing that enhances the apparent result must be disclosed. This includes:

  • Lighting adjustments that reduce the appearance of wrinkles, discoloration, or texture
  • Color grading that improves skin tone
  • Cropping or framing that conceals unflattering areas
  • Filters or retouching of any kind
  • Posture or positioning differences between the before and after images

Subtle edits that seem innocuous — slightly better lighting in the "after" photo, a small color correction — can constitute deceptive advertising if they materially improve the apparent outcome. The FTC's standard is whether the editing creates a misleading impression, not whether the editing was intentional.

The safe approach: photograph before and after under identical conditions — same lighting, same distance, same camera angle, same time of day. Document your photography protocol in writing.

FTC Rule #3: Material Connections Must Be Disclosed

When any patient, staff member, or influencer receives compensation — including free or discounted treatment — in exchange for sharing before and after photos or testimonials, that relationship must be clearly disclosed.

This applies to:

  • Patients who received a complimentary or reduced-price treatment in exchange for their photos or review
  • Injectors or aesthetic nurses who post their own results at your practice
  • Social media influencers who receive treatment as part of a brand partnership
  • Any "brand ambassador" arrangements, even informal ones

The FTC's 2023 update reinforced that vague tags like #ad or #sponsored may be insufficient. The FTC's preferred language is explicit: "Paid partnership with [Clinic Name]" or "Received free treatment from [Clinic Name]." The disclosure must appear before the consumer engages with the content — not buried below the fold or in a hashtag cluster at the end of a caption.

FTC Rule #4: The "Clear and Conspicuous" Standard

Every required disclosure — whether it's about typical results, photo editing, or a material connection — must be "clear and conspicuous." The FTC defines this as: difficult to miss and easily understandable by ordinary consumers.

A disclosure is not clear and conspicuous if it:

  • Appears in small print below the image
  • Uses vague or technical language the average consumer won't understand
  • Is buried in a block of hashtags
  • Requires the consumer to click "more" to see it on a social post
  • Appears on a separate page or in the fine print of a website footer

Disclosures must be placed close to the claim they relate to, in readable type, in plain language. On a social media post, that means within the caption itself, near the beginning — not appended after fifteen hashtags.

The HIPAA Layer: The Second Compliance Framework Most Practices Miss

FTC compliance governs what you claim. HIPAA governs whether you had the right to use the photo at all. Both apply independently, and violating one does not excuse a violation of the other.

Before and after photos are Protected Health Information (PHI) under HIPAA. They reveal that the subject received medical treatment at your practice — which is health information connected to an individual. This remains true even if the patient's name is not shown. A before and after photo of someone's face, body, or any identifiable feature is PHI.

What This Means in Practice

Before posting any patient photo, publicly or in any marketing context, you must have a signed, HIPAA-compliant patient photo authorization form, separate from your general treatment consent. In addition:

  • The authorization must specify the exact use (social media, website, print ads, etc.)
  • It must be signed by the patient before the photo is used, not retroactively
  • A copy must be retained in the patient record

Verbal consent is not sufficient. Assuming a patient is fine with it because they came back for more treatments is not sufficient. Posting without identifying the patient by name is not sufficient. A signed, written authorization is the only acceptable documentation.

The Enforcement Reality

In 2025, Cadia Healthcare paid a $182,000 settlement after the HHS Office for Civil Rights found the organization had disclosed patient PHI on its social media account without obtaining valid HIPAA authorizations from affected patients. This case was not about a data breach — it was about posting patient information publicly without proper authorization. Med spas face the same exposure on the same theory.

Separately, FTC fines for deceptive advertising can reach $43,792 per violation. Each non-compliant post is a separate violation. A practice running ten before and after posts without proper FTC-compliant disclosures faces potential exposure in the hundreds of thousands of dollars — before any state enforcement action or civil litigation is factored in.

Platform-by-Platform Compliance Guide

Your Website

Every before and after photo must be accompanied by a disclosure of what typical results look like — not just a "results vary" disclaimer. Photo authorization releases must be on file for every patient pictured. Ensure the disclosure appears on the same screen as the photo, not on a separate page.

Instagram and Facebook

The FTC's rules apply with equal force on social media. Include the typical-results disclosure in the caption itself, near the beginning. If a paid or in-kind relationship exists, disclose it explicitly in the caption. Do not rely on platform features like Instagram's "Paid Partnership" label alone — include a plain-language disclosure in the post text as well.

TikTok and Video Content

Video before and after content must include audible or on-screen disclosures that are visible long enough to be read. The FTC specifically addressed video content: disclosures spoken at normal speed or displayed briefly in small text do not satisfy the clear and conspicuous standard.

Paid Ads (Meta, Google)

Paid advertising using before and after photos carries additional scrutiny. Meta's advertising policies independently restrict certain before and after content, particularly for health and wellness products. Ensure FTC-compliant disclosures appear within the ad creative itself — not just in a landing page disclaimer.

READY-TO-USE COMPLIANCE DOCUMENTS

Need a Compliant Patient Photo Authorization Form?

The MedSpa Standards Operations & Compliance Kit includes a HIPAA-compliant patient photo release, social media consent policy, and marketing compliance documentation — professionally written and ready to implement.


Before and After Photo Compliance Checklist

Use this checklist before posting any patient result:

  • Signed patient photo authorization on file: A separate, HIPAA-compliant photo release — not just the treatment consent form. Must specify the intended use (website, Instagram, print, etc.).
  • Photos show typical results — or typical results are disclosed: If this photo shows an exceptional outcome, you must disclose what most patients actually achieve. "Results not typical" alone is no longer sufficient under the 2023 FTC update.
  • Before and after photos taken under identical conditions: Same lighting, angle, distance, and time of day. Any meaningful differences between the before and after setup can constitute misleading enhancement.
  • No undisclosed photo edits or filters: Any editing that materially improves the apparent result must be disclosed. Use unedited photos wherever possible.
  • Material connections disclosed clearly: If the patient received free or discounted treatment in exchange for photos or a testimonial, disclose it explicitly — e.g., "Received complimentary treatment from [Clinic]."
  • Disclosures are clear and conspicuous: Placed near the photo, in readable text, in plain language. Not buried in hashtags, fine print, or below the fold.
  • Claims in the post are substantiated: Any claim about what the treatment achieves must be backed by evidence. If you state or imply a specific outcome, you must be able to substantiate it.

Sample Disclosure Language You Can Use

The following templates reflect the FTC's clear and conspicuous standard. Adapt them to your practice — but do not strip out the substance.

For a typical-result photo (no disclosure needed beyond this)

"Results shown are representative of typical outcomes for this treatment. Individual results vary based on patient health history, lifestyle, and adherence to the protocol."

For a standout result that is not typical

"This patient's results are exceptional and reflect outcomes not typically achieved. In our practice, patients undergoing [treatment] typically experience [average outcome, e.g., X% improvement over Y weeks]. Your results will depend on your individual health history and treatment plan."

For influencer or compensated patient posts

"[Patient name] received complimentary treatment at [Clinic Name] in exchange for sharing their experience. Results shown are their individual outcome. Most patients experience [typical outcome]."

What Happens If You Don't Comply

The FTC monitors advertising through its own investigative process and through consumer complaints. Practices that come to the FTC's attention — through a competitor complaint, a patient complaint, or a routine audit — face:

  • Civil penalties up to $43,792 per violation — with each non-compliant post counting as a separate violation
  • Cease and desist orders requiring immediate removal of non-compliant content
  • Consent orders requiring ongoing compliance monitoring and reporting
  • Reputational consequences from public enforcement actions

On the HIPAA side, the HHS Office for Civil Rights actively investigates social media complaints. The Cadia Healthcare $182,000 settlement demonstrates that posting patient photos without proper authorization — even for benign promotional purposes — is taken seriously as a civil rights violation.

State medical boards may also take interest in deceptive advertising practices, particularly when before and after content implies clinical outcomes that misrepresent the nature of a treatment.

The Documentation Your Practice Needs

Compliance is much easier to demonstrate when you have written policies and signed documents on file. Every compliant med spa marketing operation should have:

  • A HIPAA-compliant patient photo authorization form that is signed before any photo is used publicly
  • A social media marketing policy that documents your disclosure standards, photo editing rules, and influencer partnership requirements
  • A photography protocol specifying how before and after photos are taken to ensure consistency
  • A typical outcomes disclosure template for each major service category that can be attached to before and after content
  • A material connection disclosure policy for anyone who receives free or discounted treatment in exchange for public content

Disclaimer: This article is for educational purposes only and does not constitute legal advice. FTC rules and HIPAA requirements are complex and fact-specific. Consult a licensed healthcare attorney for guidance on your practice's specific marketing materials.

Frequently Asked Questions

Can a med spa post before and after photos on Instagram?
Yes, but two separate legal requirements apply. First, HIPAA requires written patient authorization before any identifiable photo is posted — verbal consent is not sufficient. Second, the FTC requires that the photos show typical results (not best-case outcomes), and any disclosures must be clear and conspicuous. The same FTC rules that apply to your website apply equally to Instagram, TikTok, and Facebook posts.

Is "results not typical" still a valid disclaimer?
No. The FTC's 2023 Endorsement Guide update — the first major revision in 14 years — determined that "results not typical" disclaimers are legally insufficient and do not prevent consumer deception. The FTC tested these disclaimers and found they failed to correct consumer misimpression. Instead, advertisers must clearly and conspicuously disclose what results a typical patient actually achieves.

What happens if a med spa posts before and after photos without patient consent?
Posting patient photos without a signed HIPAA-compliant authorization is a HIPAA violation, regardless of whether the patient is identifiable by name. In 2025, Cadia Healthcare paid $182,000 to settle allegations of posting patient PHI on social media without authorization. Separately, FTC violations for deceptive advertising can reach $43,792 per violation — meaning each non-compliant post is a separate potential fine.

Does a med spa need consent before posting before and after photos?
Yes. Before and after photos are considered Protected Health Information (PHI) under HIPAA because they reveal that the patient received medical treatment. A signed, HIPAA-compliant photo authorization must be obtained before any photos are posted publicly — on your website, social media, or any marketing material. A general treatment consent form does not cover photo use; a separate photo release is required.

What disclosures are required for influencer before and after photos?
When an influencer, injector, or patient receives free or discounted treatment in exchange for posting before and after photos or testimonials, that material connection must be clearly disclosed. The FTC prefers explicit language like "Paid partnership with [Clinic Name]" over generic tags like "#ad" or "#sponsored." The disclosure must appear in a location consumers will see before engaging with the content.
