Complete 2026 guide to medspa advertising compliance — what Google, Meta, and TikTok allow, LegitScript certification, HIPAA in marketing, FTC rules for testimonials, and safe messaging frameworks.

Your ad got rejected. Again. Or maybe you’ve been running a campaign that suddenly disappeared, and nobody at the platform gave you a straight answer about why.

Medspa advertising is one of the most heavily moderated categories across every major digital advertising platform. The rules aren’t published in one clean document anywhere — they’re scattered across platform policies, FTC guidelines, FDA regulations, and state medical board rules that change regularly and apply simultaneously.

This guide covers all of it in one place. What you can say, what you can’t say, what will get your account flagged, what LegitScript actually is and whether you need it, how FTC testimonial rules apply to your before-and-after posts, and what to say instead of the phrases most likely to kill your ads.

Important note before we start: This guide is educational and reflects current policy understanding as of May 2026. It is not legal advice. Consult a healthcare compliance attorney for your specific situation, especially regarding state-specific medical advertising regulations.

—

Why Medspa Advertising Compliance Is Uniquely Complicated

Most businesses advertising online deal with one regulatory layer: the platform’s policies.

Medspas deal with four at once.

Layer 1 — Platform policies: Google, Meta, and TikTok each have their own healthcare advertising rules, each enforced differently, and each updated independently of the others.

Layer 2 — FTC rules: The Federal Trade Commission governs testimonials, endorsements, before-and-after advertising, and any claim about product or service outcomes — including what constitutes deceptive advertising. Updated guidelines in 2023 changed the compliance requirements significantly.

Layer 3 — FDA drug advertising rules: If your practice offers services involving prescription medications (neuromodulators, GLP-1 programs, prescription skincare), FDA rules govern how those services can be advertised and by whom.

Layer 4 — State medical board advertising regulations: These vary by state and can be substantially more restrictive than the federal floor. Some states require specific disclosures in all medical service advertising. Others regulate the use of specific terminology.

This overlap is what makes medspa advertising simultaneously risky and confusing. An ad that’s technically legal under FTC rules can still violate Google’s policy. An ad that passes Google’s review can still expose you to an FTC complaint. And all of that can be perfectly fine federally while violating your state medical board’s advertising standards.

Understanding each layer independently — and where they interact — is the only way to build advertising that runs clean.

—

Layer 1: Platform-by-Platform Rules

Google Ads

Google’s healthcare advertising framework is more nuanced than most medspa owners realize. The common experience is that ads get rejected without a clear explanation, leading to a cycle of random edits that may or may not fix the underlying issue.

What medspas can advertise on Google without special certification:

General aesthetic services — facials, non-prescription skincare treatments, laser hair removal, body contouring with non-drug devices — can typically be advertised without additional certification. Your standard service advertising (appointments, consultations, location-based ads) falls into this category.

What requires LegitScript certification:

LegitScript is a third-party healthcare certification body that Google has designated as its compliance partner for certain healthcare advertising categories. Without LegitScript certification, you cannot run ads that directly reference prescription medications, certain drug categories, or online pharmacy services.

For medspas, LegitScript becomes relevant when you want to advertise:

• Services that involve prescription medications by their brand or generic name
• Telehealth or online prescription services
• Weight loss programs that involve GLP-1 medications or other prescription drugs
• Certain treatment categories where Google’s algorithm determines the content is drug-adjacent

What LegitScript actually involves:

LegitScript certification requires submitting documentation of your practice’s licensure, compliance policies, and operating procedures. They review the submission and, if approved, certify your account to Google. The process typically takes 4–8 weeks.

Cost: approximately $1,000–$2,500 in setup fees plus $1,500–$3,000 annually for the certification, depending on your practice size and service categories.

Running without LegitScript:

You can still advertise medspa services effectively without LegitScript — you just cannot use prescription drug brand names or generic names in your ad copy when advertising those services. The workaround is to use category language rather than drug language:

• Instead of “Botox” → “Injectable anti-wrinkle treatment” or “neuromodulator treatment” or “wrinkle relaxer”
• Instead of “Ozempic” or “Wegovy” or “semaglutide” → “Medically supervised weight loss program” or “GLP-1 weight management”
• Instead of “Sculptra” → “Collagen-stimulating filler” or “biostimulator treatment”

The ads perform comparably. In many cases they perform better, because category language makes it clear what the outcome is rather than assuming the reader recognizes the brand name.

Keywords that reliably trigger disapprovals:

Ad copy containing exact brand names of prescription drugs in combination with pricing, availability, or clinical claims is the most common trigger. Watch specifically for:

• Drug brand names paired with “units” and a price
• Drug brand names paired with “near me” or geographic terms in a way that implies you’re selling the drug rather than offering a service
• Any language that implies you’re an online pharmacy or can fulfill prescriptions remotely

The Google Ads appeals process:

If an ad is disapproved and you believe it complies with policy, you can appeal directly through the platform. A compelling appeal includes: a statement that your practice is a licensed medical facility, that all services are performed or supervised by licensed practitioners, and that no prescription drugs are being advertised for sale — only licensed medical services are being offered.

—

Meta (Facebook and Instagram)

Meta’s advertising policies for healthcare are both more restrictive in some areas and more permissive in others compared to Google. The key distinctions medspa owners need to understand:

Before-and-after images:

Meta permits before-and-after imagery but with meaningful restrictions. The platform has become increasingly aggressive about enforcement in this category.

What gets flagged:

• Before-and-after images that imply unrealistic or dramatic results
• Before-and-after imagery that includes pricing information in the same ad (both FTC and Meta policy flag this combination)
• Before-and-after images showing dramatic weight loss, which Meta treats as a separate restricted category
• Any imagery that implies body shaming or negative framing of the “before” state

What passes review:

• Results imagery showing refreshed, natural-looking improvements
• Clear “individual results may vary” or equivalent disclosure
• Consistent lighting and presentation between the before and after frames

Patient consent: Meta does not require you to display consent documentation in the ad itself, but you must have written patient consent in your records for any patient imagery used in advertising. This is both a Meta policy requirement and an FTC requirement.

Drug advertising restrictions:

Same general principle as Google: prescription drugs cannot be advertised by name without appropriate certification. This affects how you can talk about neuromodulators, dermal fillers that are classified as prescription devices, and GLP-1 programs.

The “health and wellness” sensitive category:

Meta automatically classifies health and wellness advertisers in a restricted audience targeting category. This means you cannot:

• Target audiences based on health conditions or medical history
• Use interest targeting that implies knowledge of health-related personal information
• Layer health condition-based custom audiences in ways that might infer sensitive health information

In practice, this means medspa advertising on Meta typically relies on:

• Demographic and geographic targeting
• Interest targeting around aesthetics, beauty, self-care, and wellness (as distinct from medical conditions)
• Lookalike audiences built from your existing patient list
• Retargeting website visitors

Needle and medical procedure imagery:

Meta’s policies prohibit graphic medical imagery, which includes the actual process of administering injections, laser procedures being applied to skin with visible redness or clinical markers, and blood or wound imagery. You can show clinical settings, patients in treatment rooms (pre-procedure), and outcomes — not the procedure itself in graphic detail.

What consistently works on Meta for medspas:

• Results photography (refreshed face, smooth skin, visible but natural improvement)
• Provider and staff imagery in a clinical but approachable setting
• Patient testimonials or case studies (text-only or with compliant imagery)
• Educational content (myth-busting carousels, “what to expect” posts)
• Practice culture and team content

The ad rejection cycle and how to break it:

The most common reason Meta ads cycle through rejections for medspas is that the account has accumulated policy flags. Each rejection adds a compliance note to your account. Enough flags and you enter restricted advertiser status, where new ads face increased scrutiny.

Prevention: be conservative with initial creative. Run compliant ads first, build a clean account history, then gradually test more competitive creative. If you’ve already accumulated flags, an account in good standing over 60–90 days of conservative activity usually resets the scrutiny level.

—

TikTok

TikTok is the most restrictive of the three major platforms for medical aesthetic content, and the gap between what’s allowed and what actually runs without problems is wider here than on Google or Meta.

What TikTok explicitly prohibits for healthcare advertisers:

• Graphic depictions of medical procedures, which TikTok defines broadly enough to cover most injections, laser treatments being administered, and surgical procedures
• Before-and-after content, which TikTok’s moderation treats as promoting unrealistic standards
• Direct promotion of prescription medications, including by brand name or generic name
• Health claims that have not been submitted with supporting documentation (and even documented claims require pre-approval for some categories)

What the enforcement actually looks like:

TikTok’s content moderation is heavily automated, and the triggers are less predictable than Google or Meta. A video showing a before-and-after might run for two days and then get pulled. Educational content about a service type might be flagged because a keyword in the caption matches a restricted category. Appeals are slower and less transparent.

What actually works on TikTok for medspas:

The platform rewards educational and behind-the-scenes content that doesn’t make direct clinical claims. The most effective medspa TikTok content:

• “What to expect at your first [service] appointment” — process and experience content
• Myth-busting: “5 things you’ve heard about [treatment] that aren’t true”
• Day-in-the-life practice content: team, culture, clinical environment
• Patient education: what different concerns actually look like, how treatments work mechanistically (without before-after)
• “Is [service] right for me?” explainers

Paid ads on TikTok for medspas are more viable for certain service categories (laser hair removal, facials, non-prescription skincare) than for injection services, where the combination of prescription drug restrictions and procedure imagery rules makes compliant creative difficult to produce at scale.

TikTok’s ad pre-approval for health verticals:

For certain health categories, TikTok requires pre-approval before ads can run. This process is less defined than Google’s LegitScript requirement — it typically involves submitting business licensure documentation through TikTok’s advertiser portal. Plan for 2–4 weeks for initial category approvals.

—

Layer 2: FTC Rules for Testimonials and Before-and-After Advertising

The Federal Trade Commission updated its endorsement and testimonial guidelines in 2023. The changes were significant enough that practices relying on testimonial-based advertising without updating their compliance approach are now out of step with current requirements.

The key changes from the 2023 FTC update:

Prior to 2023, the prevailing approach to testimonial compliance was to append “results not typical” to any testimonial showing exceptional outcomes. The FTC’s revised guidelines effectively ended this as a sufficient disclosure.

The current standard requires that if a testimonial describes results that are not typical for most consumers of that product or service, the advertiser must:

1. Disclose what typical results actually are, OR
2. Not use the atypical result as the basis of the marketing claim

“Results not typical” alone is no longer considered adequate.

What this means in practice: if your testimonial features a patient who lost 40 pounds on your weight management program, you cannot run that testimonial without either (a) telling consumers what the typical patient actually achieves on the program, or (b) reframing the ad to not rely on that specific outcome as the implicit promise.

Paid influencers and gifted services:

Any relationship where a person receives payment, products, or services in exchange for promoting your medspa must be disclosed. This includes:

• Influencers paid to post about your practice
• Patients who received free or discounted treatment in exchange for content
• Employees or staff posting on personal accounts about the practice
• Affiliate or referral arrangements where the referrer receives compensation

Disclosure must be “clear and conspicuous” — meaning it cannot be buried in a string of hashtags, placed where it’s likely to be scrolled past, or worded in a way that obscures the nature of the relationship. “#ad” or “#sponsored” at the beginning of a caption, or “Gifted by [practice]” clearly stated, is the current standard.

Before-and-after photography compliance under FTC:

The FTC applies its general deceptive advertising standard to before-and-after imagery: if the presentation creates a misleading impression about typical results, it’s potentially actionable.

Specific FTC risk factors for before-and-after medspa advertising:

• Different lighting conditions between before and after photos that make the result appear more dramatic
• Makeup differences between frames (no makeup in before, natural makeup in after)
• Posture or facial expression differences that affect the appearance of results
• Significant filtering or digital post-processing of the after image
• Pairing before-and-after with pricing in a way that implies this level of outcome is what the price buys

—

FTC Compliance Checklist for Medspa Marketing

Use this checklist to audit your current testimonial and before-and-after practices:

• [ ] All patient testimonials have signed consent forms on file authorizing use in advertising
• [ ] Any testimonial describing results not typical for most patients includes a statement of typical results
• [ ] All sponsored content, gifted service posts, and influencer partnerships are disclosed clearly
• [ ] Before-and-after photographs are taken under consistent conditions: same lighting setup, no makeup difference, no posture coaching for the after photo
• [ ] Before-and-after imagery has not been filtered or digitally enhanced beyond basic color correction
• [ ] No ad combines before-and-after imagery with specific pricing in the same frame
• [ ] No guarantee of outcome language is used in any ad creative
• [ ] Testimonials on your website include either (a) “results may vary” plus a description of typical results, or (b) do not make implied claims beyond the individual’s experience

—

Layer 3: FDA Rules on Drug Advertising

The FDA’s regulation of drug advertising is primarily aimed at pharmaceutical manufacturers — not at the healthcare providers who administer those drugs. But there are specific situations where medspa advertising intersects with FDA jurisdiction in ways practice owners should understand.

The general principle:

Only the pharmaceutical manufacturer is authorized to run “branded” drug advertising for their drug. A medspa advertising “Botox treatments” is in different territory than Allergan advertising Botox — but the distinction matters.

Botox and other neuromodulators:

“Botox” is a registered trademark of Allergan/AbbVie. Using the brand name in general service advertising to communicate what service you offer is generally accepted practice — “We offer Botox treatments for forehead lines” is not the kind of thing the FDA pursues as drug advertising.

The risk zone: advertising in ways that look like you’re promoting the drug itself rather than your clinical service. Ads that highlight the drug brand prominently, emphasize units and pricing as the central message (which looks more like selling the drug than selling the service), or make claims about the drug’s superiority over competitors move closer to manufacturer-type advertising.

Safe approach: advertise the service and outcome, not the drug. “Injectable anti-wrinkle treatment from our experienced team” communicates the same thing as “Botox by certified practitioners” without the brand-name risk.

GLP-1 medications and the 2025 compounding crackdown:

In early 2025, the FDA issued guidance significantly restricting the advertising and sale of compounded versions of GLP-1 medications including semaglutide and tirzepatide. The compounding shortage exemptions that had allowed widespread availability of these medications were ended for most categories.

As of 2026, advertising compounded semaglutide by name is a high-risk activity. Practices offering medically supervised weight loss programs should use category language in all advertising: “medically supervised weight loss program,” “GLP-1-based weight management,” or “physician-directed metabolic health program.”

This is an area where the ground shifted rapidly and continues to evolve. Anyone offering these programs should be working with a healthcare compliance attorney who follows FDA compounding guidance specifically.

Off-label treatment advertising:

Providers may administer FDA-approved drugs for off-label uses. You can advertise those services (Botox for hyperhidrosis, Botox for TMJ, dermal fillers for hand rejuvenation). What you cannot do is make claims that imply FDA approval for the off-label use — “FDA-approved treatment for [off-label condition]” would be inaccurate and potentially actionable.

Compliant framing: “We offer Botox for hyperhidrosis (excessive sweating). Many patients find significant relief. Contact us to learn whether this is appropriate for your situation.”

—

Layer 4: State Medical Board Advertising Regulations

This is the layer that varies most significantly and is most often overlooked. Federal rules set a floor; state medical boards frequently set a higher bar.

Common state advertising requirements:

Many states require that any advertising for medical services clearly identify the licensed healthcare professional responsible for those services. This affects medspas that are owned or operated by non-physicians but where medical services are provided.

In practical terms: if your medspa is operated by a licensed aesthetician or a business owner who is not a medical professional, but a nurse practitioner or physician performs injections, your advertising in many states must identify the supervising or responsible medical professional — not just the brand name of the practice.

States with notable additional requirements:

*California:* Requires explicit disclosure of medical supervision in advertising for services that constitute the practice of medicine. Has additional provisions around the use of medical terminology in business names and advertising.

*Florida:* Physician supervision requirements for certain aesthetic services are more prescriptive than many states, and those requirements affect what claims can be made in advertising.

*Texas:* Scope of practice regulations affect what nurse practitioners and physician assistants can advertise independently versus under physician delegation.

*New York:* Strict oversight on medical claims and close scrutiny of advertising that implies medical outcomes without qualifying language.

The safest approach:

Do not rely on federal compliance alone as your standard. Have a healthcare attorney in your state — specifically one who works with medical practices or medical spas — review your advertising materials. This is a one-time investment (or annual review) that can prevent significantly more expensive problems.

—

Safe Messaging Frameworks: Compliant vs. Avoid Language

For each major medspa service category, the table below shows what you can confidently say in advertising and what creates compliance risk.

—

How to Get Ads Approved When They Keep Getting Rejected

If you’re in an active cycle of rejections, the most effective path is methodical, not reactive.

Step 1: Remove all prescription drug brand names from ad copy. This is the single highest-yield fix. Replace every brand name with the category term. Do not use workarounds like misspellings or asterisks — platforms flag these as evasion and it can result in account suspension.

Step 2: Separate before-and-after imagery from pricing. Run them in separate ads, separate campaigns, or separate posts. Never in the same frame.

Step 3: Replace any health condition targeting. Audit your audience targeting for any segments based on health conditions, medical history, or related interest categories. Replace with demographic, geographic, and interest-based segments that don’t imply health data targeting.

Step 4: Assess whether LegitScript certification is necessary for your service mix. If your practice wants to prominently advertise services involving prescription medications and you’re seeing repeated rejections, LegitScript certification may be the path forward. The 4–8 week timeline and $3,000–5,000 first-year cost is a real investment, but it unlocks advertising you cannot otherwise run compliantly.

Step 5: Appeal with documentation. For wrongful rejections — ads that comply with policy but were flagged by automated systems — submit an appeal with a short statement identifying your practice as a licensed medical facility, confirming all services are performed or supervised by licensed healthcare professionals, and specifying which policy you believe was incorrectly triggered.

Step 6: Clean your account history before launching new campaigns. If your ad account has a history of policy flags, new creative will face heightened scrutiny. Running a period (60–90 days) of clearly compliant, conservative ads before launching anything more aggressive allows the algorithm to re-calibrate your account risk profile.

—

HIPAA in Marketing: What Actually Applies

HIPAA compliance in medspa marketing is a topic that generates significant confusion. The good news: standard marketing activities don’t create most of the HIPAA risk medspa owners worry about.

What HIPAA actually prohibits in marketing:

HIPAA restricts the use of Protected Health Information (PHI) — individually identifiable information about a person’s health status or treatment — for marketing purposes without explicit written authorization.

In a medspa context, this primarily affects:

• Using patient email lists from your EHR or booking system to market to patients without a signed authorization (note: there’s a treatment and healthcare operations exception that covers some patient communications)
• Sending targeted ads to patients based on their specific treatment history without authorization
• Sharing patient information with third-party marketing vendors without a Business Associate Agreement (BAA)

What it doesn’t prohibit:

• General advertising to the public
• Retargeting website visitors (who haven’t shared PHI through that interaction)
• Social media advertising to interest-based audiences
• Patient testimonials with consent (the consent form serves the authorization requirement)

The highest-risk HIPAA scenario in medspa marketing:

Uploading a list of patients who have received specific treatments to Meta or Google for custom audience targeting. This shares PHI with a platform that may not have an appropriate BAA in place. Even if the list is “hashed,” if it identifies individuals based on their treatment history, it likely constitutes PHI.

Safe approach: upload customer lists for lookalike audiences using contact information only (email, phone) — not treatment history. Ensure your patient contact data is properly authorized for marketing use in your intake forms.

—

Working With a Compliance-Aware Marketing Agency

Most medspa marketing agencies focus on the performance metrics — clicks, leads, cost per acquisition — without deep familiarity with healthcare advertising compliance. The result is ad accounts that perform inconsistently, generate policy flags that compound over time, and create potential regulatory exposure for the practice.

Compliance-aware medspa marketing means:

• Building ad creative from the ground up using compliant language frameworks
• Managing platform accounts with an eye toward account health, not just immediate performance
• Keeping up with platform policy changes as they affect medspa advertising specifically
• Knowing when to pursue LegitScript and how to navigate the process
• Building content strategies that work within FTC guidelines rather than around them

Sprout Sage Solutions works exclusively with medspas and aesthetic practices. We’ve managed advertising for 65+ practices and built compliance-first creative frameworks across Google, Meta, and organic channels.

Engagements start at $500/month, no long-term contracts.

Book a 30-minute consultation: https://calendly.com/workwithmandeep/30min

Call or WhatsApp: +91 9729712388

We’ll review your current advertising setup, identify any compliance gaps, and give you a straight read on what’s creating risk and what would fix it.

—

*This guide reflects platform policies and regulatory guidance current as of May 2026. Platform policies change frequently — verify current requirements directly with each platform’s healthcare advertising policies before launching new campaigns. This content is educational and does not constitute legal advice. Consult a qualified healthcare compliance attorney for guidance specific to your practice and state.*