Johnson & Johnson Worldwide Online Policy

Last Updated: June 21, 2013

TABLE OF CONTENTS

Executive Summary
Introduction

PART I: EMPLOYEE ONLINE ACTIVITY

I. EMPLOYEE ONLINE ACTIVITY
A. Responsible Use of Online Media
B. Compliance with other Company Policies
C. Privacy Considerations
D. Online Spokespeople
E. Statements About Our Company & Products on Third Party Sites
F. Social Listening

PART II: ADMINISTRATION / REVIEW OF COMPANY SITES

II. ADMINISTRATION OF COMPANY SITES
A. Adverse Event Reporting & Product Quality Complaints
B. Statements about our Company & Products on Company Sites
C. Company Contact and Response
D. Governance
E. Compliance with IAPP
F. Notices, Disclaimers & Retention of Content
G. Accessibility

III. REVIEW OF COMPANY SITE CONTENT
A. General
B. External Social Media Sites

IV. E-COMMERCE

V. LEGAL
A. Corporate Name Treatment
B. Health Care Regulatory Law
C. Import/Export Law
D. Patent Law Guidelines
E. Trademark & Copyright Law

VI. PRIVACY INTERESTS OF CONSUMERS AND CUSTOMERS
A. Internet Privacy Worldwide
B. Email Communication

VII. WEB SECURITY

VIII. ADMINISTRATION OF INTERNAL COMPANY SITES

IX. RELATIONSHIPS WITH INCENTIVIZED BLOGGERS AND SPOKESPERSONS

EXECUTIVE SUMMARY: At Johnson & Johnson and its operating companies (“OpCos”), we recognize the value of websites, social networking tools and online conversations to our businesses, our customers, users of our products and services, and in helping us achieve our goals as companies committed to relevant, timely, and meaningful communications with our customers. We also recognize the value of such vehicles in facilitating communication among employees of Johnson & Johnson and its OpCos (together, the “Company”). We support the use of social channels and platforms to communicate, interact, and build relationships with our various stakeholders provided there are appropriate safeguards in place to protect our Company and assure compliance with applicable laws and the rules of the regulated environment in which we operate. Importantly, the use of online media requires the same adherence to the rules and guidelines the Company has established for the use of traditional media and communications among employees and other stakeholders. At the same time, online activity, especially for employees in the health care industry, may carry different risks than those associated with traditional media. This document attempts to address them and to educate our employees to their responsibilities in the use of online media. 
This document outlines the global policies the Company has established with respect to (1) conduct online both internally and externally of employees and contractors of the Company; (2) the Company’s external activities online including internet sites owned or controlled by the Company, social media sites, mobile applications, pages, groups or other presence (including software applications) hosted on a third party site or platform and any sites or micro sites or platforms created by third parties or vendors on our behalf (“Company Sites”); and (3) Company internal activities online including intranet sites and internal social media sites.1 This document is divided into two parts:

• Part I, Employee Conduct Online, provides guidance to all employees and contractors on how to conduct themselves when engaging online and using social media tools. Part I addresses those who use social media in either their professional or personal lives or both. Other Company policies, for example, on business and personal conduct, the protection of confidential information2, the reporting of adverse events, and refraining from making unauthorized statements on behalf of the Company, apply equally to online activity. Part I also addresses social “listening” activities for those entrusted with this responsibility as part of their jobs and for those who may otherwise become aware of certain information. It provides guidance on to whom you should report certain information or the appropriate cross-functional team (regulatory affairs, legal, medical affairs, quality) with which you should consult.

• Part II relates to the administration and review of Company Sites and covers the process of creating a Company Site and the respective roles and responsibilities of various stakeholders. Although Part II is specifically targeted at employees and contractors whose work involves Company Sites, all employees are encouraged to read it. Important details regarding the designation of Site Owners, creation of Standard Operating Procedures, the handling of Adverse Event reports, clearance of product claims, proper use of legal notices and a general discussion of applicable laws and regulations are contained in Part II. Part II also addresses the governance structure of sites, including working with the Internet Compliance Authority and Digital Asset Risk Management (DARM, formerly known as WICO), and includes a discussion of applicable Privacy and Web Security policies and procedures. It also discusses internal facing social media sites and programs and concludes with a discussion regarding relationships with incentivized bloggers and spokespersons and disclosure obligations.

When engaging in social communication online – whether as an individual employee or as someone responsible for a social media tool or program – you should understand the dynamic nature of social channels and know the laws, regulations and policies that apply to your activities. Additionally, it is the responsibility of employees and contractors who are developing or deploying any websites or social media programs on behalf of the Company to read and understand all requirements that apply to them.

1 The policies in this document apply only to online activity and replace and supersede the Johnson & Johnson Internet Compliance Policies Summary and the Johnson & Johnson Global Social Media Website Policies. Other Johnson & Johnson policies cited in this document, including policies concerning the development, deployment, and maintenance of websites (or site content) owned or controlled by the Company or other policies concerning employee conduct and overall business rules, remain in full force, unless specifically noted otherwise. Each referenced policy can be accessed on the Johnson & Johnson Intranet.

2 Confidential information is defined as any and all non-public company information including, but not limited to, marketing, pricing, distribution, cost, sales and manufacturing data, reports, papers, presentations, information, or descriptions; drawings, specifications, photographs, samples, models, techniques, data, including inventions, practices, methods, knowledge, know-how, test data, analytical and quality control data, designs and engineering data, clinical data, instructions, software, reports, compounds, compositions of matter, assays and biological materials related thereto, papers and any other technical or related non-public company information, whether disclosed orally or in written form.

INTRODUCTION: We recognize that social media is a rapidly evolving form of communication. This document attempts to provide you current and concrete guidance concerning online activity. As with any communication or activity that may impact the Company, you should use appropriate discretion and sound judgment in your use of online media. If you have any doubt as to whether a contemplated communication or activity reflects the values of the Company or conforms to the requirements of its policies, you should refrain from such communication or activity and consult with your board attorney, regional attorney, sector attorney, or other law department representative. The Corporate Communications Group and your local Public Relations team are also useful resources in this area. As with other Company policies, violation of the guidance and requirements concerning the use of online media may result in disciplinary action up to and including termination. Therefore it is important to carefully review these materials and follow the processes and procedures set forth in this document.

PART I:

EMPLOYEE ONLINE ACTIVITY

I. EMPLOYEE ONLINE ACTIVITY

A. Responsible Use of Online Media

Johnson & Johnson and its OpCos recognize that employees take a great deal of pride in working for our Company, and want to be able to talk appropriately and share links to our stories and information on their own social networks. We also respect the desires of employees to use social media tools, both internal to the Company and externally, as a source of knowledge, information exchange or form of expression. However, it is important that all employees understand that, as an employee of Johnson & Johnson and its OpCos, working in the health care industry, online activity – whether done using a company or a personal computer or other device – carries certain responsibilities and implications. Online conversations and interactions can pose risks to the Company, confidential information, reputation and brands; expose the Company to potential discrimination and harassment claims; and jeopardize the Company’s compliance with business rules and laws. We recognize that some employees have job responsibilities that require them to use or engage with social media. Other employees do not, but do personally engage in online activity. This policy applies to all employees and requires the responsible use of online media where what you publish can reflect on the Company. Good judgment and common sense are important in anything you publish, whether from a company or personal computer, or other device. All Company policies governing employee conduct and business practices and concerning the appropriate handling of confidential and proprietary information apply equally to employee online activity. Violation of any Company policy through the use of online media can lead to disciplinary action up to and including termination of employment.
Nothing contained in this policy is intended, or should be interpreted, to interfere with or restrict communications protected by state or federal law or preclude or dissuade discussions among employees about wages, terms and conditions of employment, or other legally protected or required activities. You should read this policy carefully.

B. Compliance with Other Company Policies

You must comply with all Company policies in your use of online media. We have highlighted some rules to remember.

1. Remember our Company values. Be polite, transparent and respectful in all communications and understand that, as an employee of the Company, your conduct may impact others’ views of who we are and what we stand for as a Company. This applies equally to communications within and outside the Company and to personal communications that may impact the Company or communications in connection with your job responsibilities. Inappropriate postings that violate the Company’s harassment and non-discrimination policies, including discriminatory remarks, obscenity, harassment, intimidation, bullying and threats of violence or similar inappropriate or unlawful conduct, will not be tolerated and may subject you to disciplinary action up to and including termination of employment.

2. Adhere to all Company policies. Online media should not be used in a way that violates any other Company policy or employee obligation. If online activity would violate any Company policy in another forum, it also will violate it in an online forum. Without limiting all implicated policies, we point out that all employees are subject to the Company’s Policy on Business Conduct, the Information Asset Protection Policy (“IAPP”), policies concerning confidentiality and non-disclosure, respect for third party intellectual property rights, and compliance with SEC rules regarding insider trading.

3. You are responsible for your actions. Anything you post, whether anonymously or under your name, that can potentially tarnish the Company’s image or harm other employees will ultimately be your responsibility.

4. Be conscious when mixing your business and personal lives. Online, your personal and business personas are likely to intersect. The Company respects the right of employees to express themselves, but you must remember that others often have access to the online content you post and may be left with an impression of you and the Company as a result. Always exercise good judgment. Keep in mind, when publishing information online (including photos), that such information can be seen by more than friends and family, and can be forwarded on to others you may not intend.

5. Do not disclose non-public Company information. Remember NEVER to disclose Johnson & Johnson or any OpCos’ Confidential Information to any third party, unless you have specific written authorization to do so and a binding confidentiality agreement that will protect the information from further disclosure. It is NEVER acceptable to externally post or blog about Company Confidential Information, including documents, photos, videotapes, instant messages, voicemails and email. Sites like Facebook, Twitter, Yammer, YouTube, and LinkedIn are all external to Johnson & Johnson and, as such, posting Confidential Information is inappropriate. The Information Asset Protection Policies (IAPP) (http://it.jnj.com/wwis/Pages/IAPPs.aspx) contain detailed requirements regarding treatment of Company information and all employees are subject to these requirements in their online or other activity. Your employment documents may also contain restrictions on your use of Company information with respect to concepts and developments you may produce that are related to the Company's business. Before disclosing any such information, you should consult your manager or the Law Department. In the event that the Company becomes aware that you have inappropriately published such information, upon request, the Company will expect that you take corrective action, including, for example, confining or suspending your online commentary concerning restricted topics.

6. Be transparent about who you are and who you represent. In certain instances, your affiliation with the Company may be relevant and important information for third parties with whom you interact online to know. For example, if you are praising one of the Company’s products in a forum where the readers do not already know that you are employed by the Company, you should disclose your relationship to the Company. Transparency is key! When you choose to identify yourself as an employee of Johnson & Johnson or one of its OpCos in any external online interactions -- especially if you have a personal website or blog -- please make it clear to your readers that the views you express are yours alone and that they do not necessarily reflect the views of Johnson & Johnson or one of its OpCos. We suggest you put the following notice or something similar in a reasonably prominent place on your site or blog (e.g., at the bottom of your "about me" page) to avoid the potential for confusion: “The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.” If you wish to use the name or trademarks of Johnson & Johnson or its OpCos on your site or reproduce company material, you must first obtain permission, unless you are linking to material that has already been approved for sharing by employees and is available from the company externally (e.g., J&J YouTube Channel, ennTV).

7. Be alert to issues and reporting obligations. Employees should not respond to or participate in a dialogue regarding possible adverse events (AEs), product complaints, or off-label statements on the Internet unless they are specifically authorized to do so. If you come across such online dialogue, available information should be collected and distributed to appropriate individuals within the relevant OpCo. Your obligation to report AEs applies to information you become aware of online. Log onto eUniversity for AE training. If you come across positive or negative remarks about the Company or its products online that do not fall within the above scope but which you nonetheless believe are important, consider alerting your Communications or Law Department representative or the appropriate Customer Call Center.

8. Let spokespeople comment on behalf of the company. You may come across negative or disparaging posts about the Company or its products, or see third parties trying to spark negative conversations or otherwise making incorrect statements or comments about our products and services. Unless you have been designated a Johnson & Johnson or OpCo spokesperson, you should not respond on your own. Alert your Communications or Law Department representative or the appropriate Customer Call Center who are trained to address such comments. Moreover, only Spokespeople should engage on social media sites with the intent of raising awareness of or engagement with our products or services.

9. Do not give medical advice. You work in a regulated health care industry. Unless it is expressly within the scope of your job responsibilities to do so, you should NOT give medical advice to other employees, consumers or patients, even if you tell the person that you are not authorized to provide such advice or otherwise provide a disclaimer.

10. Feel free to share publicly available content with your social networks keeping in mind the disclosure requirements and other guidance contained in this policy. We have a number of existing external social media communities that have material which has been reviewed and approved for the general public and, with proper disclosures on your part, can be shared with your social networks. For example, there are three corporate blogs, the Johnson & Johnson Corporate Blog (www.blogjnj.com), the JNJ Parents blog (www.jnjparents.com), and Kilmer House (www.kilmerhouse.com), a corporate Facebook page (http://www.facebook.com/jnj), the Johnson & Johnson YouTube Channel (http://www.youtube.com/jnj), ennTV stories that can be shared externally (http://globalenn.jnj.com/ennTV), and a growing number of Twitter feeds that you can follow, including @JNJNews, @JNJCares, and @JNJParents. Many of our OpCos have both branded and disease awareness social media sites that you can review as well. These sites regularly post stories, information and perspectives that are approved, appropriate and – we hope – interesting for you and perhaps your social followers. You are free to share them with your social networks keeping in mind the disclosure requirements (see subsection 6, above) and other guidance contained in this policy.

C. Privacy Considerations

1. Respecting personal privacy. The Company respects employees’ right to their personal privacy and provides the following guidelines:

• Supervisors and managers may not require or request that their reports and/or prospective employees provide passwords, usernames or access to their personal social media (e.g., Facebook and Twitter). If this happens, you should refer the supervisor or manager to this policy or contact your Human Resources representative.

• Supervisors and managers may not require or request that their reports or prospective employees divulge any personal social media. If this happens, you should refer the supervisor or manager to this policy or contact your Human Resources representative.

• To safeguard the distinction between business-related and potentially highly personal information, employees should refrain from asking their supervisors and managers to join their social media networks (e.g., accepting an invitation to become "friends" on Facebook), and managers and supervisors should decline such invitations.

2. No expectation of privacy in use of Company-owned IT resources and communications systems. Employees should understand that all contents of the Company’s IT resources and communication systems are the property of the Company and, unless otherwise restricted by applicable law, employees should have no expectation of privacy in any online activity involving use of such resources or systems.

3. Special considerations involving consideration of candidates for employment or advancement. A manager or supervisor’s use of on-line research in this context can present difficult problems and is discouraged. The use of Google, Bing, Yahoo, or any other web-based search engines or on-line research tools inadvertently may disclose personal information about an employee or candidate that is not business-related or a legitimate consideration in assessing candidates. To avoid any appearance that a manager or supervisor might consider such information, access to it should be avoided. With appropriate discretion, in accordance with applicable law, and for the limited purpose of obtaining business profile information, a manager or supervisor may access a candidate’s professional social media, such as LinkedIn.

D. Online Spokespeople

Although different in many respects from traditional media outlets, external social media sites are a means of communicating to a broad external audience. Blog posts, wikis, video or photo uploads, and comments made in chat rooms are often picked up and spread throughout the online world, and many have been the source of mainstream media stories. Johnson & Johnson considers external social media sites to be media, and therefore the general policies concerning official company communications with the media apply, including but not limited to the following:

1. Only designated Company spokespeople are authorized to make official company comments to a third-party social media site such as a blog, discussion group, chat room or wiki (such as Wikipedia).

2. Only designated Company spokespeople are authorized to engage in discussion groups on social media sites with the intent of raising awareness of or engagement with our products or services and correcting or clarifying information about our products. Company spokespeople who post comments to third-party social media sites are responsible for ensuring that their public statements undergo the appropriate review process as determined by the relevant OpCo or business unit and that such statements comply with all Company Guidelines.

3. When making official comments to third-party social media sites, designated Company spokespeople must clearly identify themselves by name and correct company affiliation.

4. Employees who are not designated Company spokespeople should not state or imply that they are authorized to speak on behalf of the Company when engaging in discussions online. Employees who choose to identify themselves as employed by Johnson & Johnson or one of its OpCos should also state that their comments and opinions are their own, and do not necessarily reflect those of the company.

E. Statements About Our Company & Products on Third Party Sites

The Company has processes to evaluate inappropriate statements about the Company or its products of which it becomes aware on third party sites. In no circumstances should an individual employee undertake to correct or remove such statements (e.g., through posting statements directly on the third party site or through contact with a site administrator) unless they are authorized to do so and the proposed corrective statements undergo the appropriate review process as determined by the relevant OpCo or business unit.

F. Social Listening

We recognize that “listening” to social media conversations can enable Johnson & Johnson and OpCos to better understand discussions around the Company, our products, brands and potential marketplace. There are processes in place to guide you in the event you “hear” certain information. The following general policies apply for any social listening program:

1. During the course of your “listening” program, you may come across statements regarding possible AEs or product quality complaints. If you come across such online statements, available information should be collected and distributed to appropriate individuals within the relevant OpCo. Your obligation to report AEs applies to information you become aware of online. Employees responsible for social listening programs are responsible for making sure that vendors who are “listening” on our behalf are trained to recognize reportable AEs or product quality complaints.

2. All social listening programs should have an owner and appropriate cross-functional groups (regulatory affairs, legal, medical affairs, quality) should be consulted. Local or regional social listening guidelines, if they exist, should be consulted.

3. Consider alerting your Communications or Law Department representative or the appropriate Customer Call Center if you become aware of a troubling conversation.

PART II:

ADMINISTRATION / REVIEW OF COMPANY SITES3

3 Many of the provisions set forth in Part II represent best practices already in use at many OpCos. All Company Sites should comply with this policy no later than October 1, 2013. If an exception to this implementation date is required, please contact the law department.

II. ADMINISTRATION OF COMPANY SITES

A. Adverse Event Reporting & Product Quality Complaints

Information about adverse event experiences, off-label use or product quality complaints relating to the products and services of the Johnson & Johnson Family of Companies could be communicated from the public whenever websites are designed with interactive functionality such as open text boxes, email, survey forms, discussion groups (e.g., blogs and chat rooms), and any other interactive media that provide the site visitor with the ability to either contact Johnson & Johnson or one of its OpCos or contribute user-generated content (“UGC”) directly to the site. A Site Owner (as defined in Section D(5) below) must establish or follow a documented process by which accounts of AEs or product quality complaints appearing on Company Sites will be reported to the appropriate OpCo unit handling adverse event reporting and product quality complaint handling, within timeframes that take into account applicable regulation or law. This responsibility includes confirming that vendors are trained on adverse event and product quality complaint reporting. All Company Sites should include statements that encourage site visitors to report AEs not via the website but instead through a validated system that is validated in accordance with any applicable OpCo or Quality system standards (i.e. toll free numbers).

B. Statements about our Company & Products on Company Sites

If local regulations allow a Company Site to contain product claims, the company should have a process to evaluate whether claims made about a company product in UGC on Company Sites have the potential to misbrand the product (e.g., contains off-label claims, is false or misleading) and should take steps to remove that content within a specified time period. For products that are regulated such as prescription and OTC drugs and devices, posts that make any reference to use of our products outside the approved labeling are not permitted, and the Site Owner must ensure that any such statements are not posted or, if posted, are promptly removed (within 24-48 hours). If you have any questions about whether or not a posting contains inappropriate product content, please consult with the appropriate Law Department or Regulatory colleagues.

C. Company Contact and Response

Company Sites must provide the site visitor with a mechanism to send questions and other communications to the Site Owner. If a Company Site is not approved to allow for such communication between site visitor and Site Owner (e.g. website for clinical trial recruitment), the Site Owner will ensure that the website displays instructions to site visitors describing an alternate process for addressing visitor questions and other communications. Any online communications that we solicit or initiate that could include privacy related or otherwise sensitive information must be accomplished by using Secure Socket Layer (SSL)4 web-based forms to ensure security of the information being sent, if available.

4 SSL is the preferred technology for encryption. Other technologies may require cookie sessions, raising potential compliance issues.

It is recommended that web forms are used to provide a mechanism to contact the Site Owner as this method prevents the problem of spam that may be generated. If customer service contact email addresses are provided instead, the OpCo must establish procedures to notify Johnson & Johnson Information Technology (IT) and Public Affairs of the existence of such email addresses. OpCos should not respond to messages identified as spam. Company-owned blogs must display their comments policy and have a mechanism to contact the blog owner. Site owners should consider displaying a comments policy if they are soliciting comments from site visitors. OpCo SOPs must identify a resource for providing responses, tracking open responses, and monitoring response times and include a process to ensure that responses are not delayed. Product related messages or communications received via the Johnson & Johnson Corporate site (http://www.jnj.com) will be directed to the appropriate OpCo’s customer service staff.

D. Governance

All online activity, including any sites or micro sites created by third parties on our behalf, must comply with this Policy and with any relevant policies and procedures set forth by the OpCo or functional/business unit involved (“Responsible Entity”). Company Sites must also adhere to the following specific requirements:

1. Approval

Before launching any website, the Site Owner must obtain documented approval from all appropriate functional areas such as Legal, Marketing, Communications, Medical Affairs, Scientific Affairs, Information Technology and other groups as needed. For Social Media Sites, the Site Owner must also obtain documented approval from an OpCo Board Member or equivalent member of senior leadership prior to launching, except that in the Consumer Sector such approval may be obtained at the Vice-president level.

2. Accountability

a) Site Owner. A Site Owner must be identified for each website prior to launch. The Site Owner is responsible for site content appearing on a Company Site, or where content we control is hosted on third-party owned sites on our behalf or at our direction (see full list of responsibilities in Section 5 below). The role of the Site Owner is crucial to the successful implementation of this Policy and the Site Owner should be an individual capable of carrying out these responsibilities.

b) Internet Compliance Authority/DARM (formerly known as WICO). Each Group Operating Committee (“GOC”) or equivalent functional or regional leadership team shall ensure that each OpCo/organization within its scope of responsibility has a procedure for submitting new websites for review through the establishment of an Internet Compliance Authority (ICA) position at the OpCo or GOC level. The ICA should be appointed by the OpCo President, GM, or the equivalent member of senior leadership of the Responsible Entity and should have a working knowledge of the Internet and web technologies and any applicable guidance from the Digital Asset Risk Management (DARM, formerly known as WICO) group to ensure the ability to fulfill the responsibilities set forth in Section 5 below. Operating company presidents or managing directors may cooperate to appoint a regional ICA who would be responsible for several companies.

In cases of internet sites with multiple content owners, such as portals, each participating Responsible Entity involved should ensure appropriate approvals are obtained for that OpCo’s portion of the site unless responsibility is assumed in a written service agreement by the company hosting the site (e.g., J&J Gateway houses content from multiple OpCos; JJHCS is the Site Owner, and any OpCo contributing content must ensure that its own content meets all requirements under this policy unless it has expressly transferred this obligation to JJHCS in writing).

3. Site Registration

All domain names must be requested and registered through DomainCentral (http://domaincentral.jnj.com) and not via outside vendors. In addition, prior to launching any new Company Sites (whether through creation of a company owned domain name/website, or a presence hosted on a third-party website, such as Facebook or Twitter), the Site Owner must register the following (also via DomainCentral) with the Trademark Law Department:

• Site Owner name
• Site domain name

This provides Johnson & Johnson with a central repository of all domain names, Company Sites, and associated Site Owners for Company Sites. DARM must maintain a central inventory of all Company Internet Sites for which it is responsible. The Site Owner must provide the following information to the ICA for inclusion in the site inventory:

• Site domain name, as recorded with DomainCentral
• URL
• Status (i.e. development, production, terminated)
• Date created
• Last date on which content was reviewed

The Site Owner must involve the ICA while the site is being developed and before the site is live. If you do not know who your ICA representative is, you can inquire of the DARM mailbox ([email protected]).

4. Assessments/Audits/Compliance Documentation

At a minimum, the following reviews must take place for the life of the site:

• Pre-launch site review
• User-generated content review
• Post-launch annual site review
• Social Media Site Content Moderation

DARM provides guidance for pre-launch site review as well as post-launch review of Company Sites at least annually to ensure compliance with requirements set by Corporate Internal Audit, Health Care Compliance, and other compliance or regulatory bodies. The ICA will be responsible for ensuring that the review takes place and for determining the process through which the review will occur (e.g., via adding annual site review into the OpCo copy review SOP, establishing a policy for content review by a non-OpCo entity such as a Digital Center of Excellence).

The process for review of Social Media Sites must be documented by the Site Owner in advance and in writing (see Section 5 below).

5. Roles

Each OpCo or functional group that engages in Company Online Activity is required to have the following (which can be consolidated to one individual if appropriate):

DARM Support or Internet Compliance Authority (ICA):

• Provides guidance to help ensure that Company Sites are in compliance with Johnson & Johnson policies, including this Policy.

• Has at minimum conceptual technical know-how (in order to provide guidance in SSL encryption, Internet privacy and compliance, etc.)

• Ensures a process is in place for annual Company Site reviews to occur
• Incorporates guidance from DARM on any relevant issues
• Coordinates with Corporate Internal Audit as needed

Global Services or other Internet Technical Liaison (ITL):

• Responsible for website technical development
• Supports compliance through technology and site set up

Site Owner:

• All Company Sites must be managed by an individual Johnson & Johnson or OpCo employee of appropriate authority and experience to undertake this responsibility. The Site Owner is responsible for site content and operations and must ensure that there are adequate business resources available to run and monitor the site on an ongoing basis. The Site Owner is also responsible for implementing an appropriate exit strategy in the event a decision is made to take down a Company Site. In the event that a Site Owner resigns or otherwise changes jobs or responsibilities, their manager is responsible for ensuring that responsibility for the site is transitioned to a new Site Owner and is responsible for the site content and operations until such transition is completed and documented through change of Site Owner in DomainCentral.

Site Owner Responsibilities include:

• Prepare SOP with members of the internal review team for each new project; follow and update the SOP as necessary throughout the lifecycle of the social media platform.

• Register Site Owner name and domain name with the Trademark Law Department prior to launch through DomainCentral (For the sake of clarity, even if the project does not take place on a domain name owned by Johnson & Johnson or one of its OpCos, the Site Owner must still register the site at domaincentral.jnj.com, clicking on the “Social Media Registration” tab)

• Obtain and document review and approval by all functional areas required prior to launch

• In the case of Social Media Sites, the Site Owner will be held responsible for ensuring monitoring of all content posted to the site and removal in a timely manner of any posts or comments that do not observe site policy [5].

• Establish or follow a documented process by which accounts of AEs or content raising other regulatory concerns appearing on the site will be reported to the appropriate OpCo unit handling adverse event reporting within timeframes specified in company SOPs.

• Establish or follow a documented process by which accounts of content raising significant safety concerns appearing on the site will be reported to the legal and medical functional areas who will assess the appropriate response, if any.

• Flag content for re-review and removal if appropriate, using site administration tools (with assistance from Global Services or the ITL as necessary).

• Where necessary to register the social media initiative with a third party, ensure that the OpCo is listed as the owner, not an outside agency.

• Where communication is sent from the Company Site, website or social media initiative to consumers or third parties, ensure that the e-mail address is a Johnson & Johnson or OpCo e-mail address, and not that of a third party. The preferred e-mail address would be [PROGRAM]@[DomainName].com, where the DomainName is registered through DomainCentral.

[5] Monitoring can be done by appropriate third parties under the supervision of the Site Owner. The Site Owner shall ensure the third party is adequately trained and is responsible for the acts or omissions of the third party.

6. Website Separateness

Company Sites that represent the organization or products of more than a single OpCo are generally prohibited, except in the case of established co-marketing/collaboration situations. We must be mindful of the principles of corporate separateness and seek guidance from the Law Department on such proposed websites. Note: This does not apply to the incidental mention of another OpCo’s product if the following applies:

• It is done sparingly,
• The Site Owner obtained permission of the other OpCo, and
• The site provides appropriate disclosure that the other product is made by a different company and provides proper trademark ownership attribution.

In addition, the placement of links to other Johnson & Johnson websites is permitted.

7. Review and Approval

All Internet content and functionality must be reviewed by the appropriate reviewers for the OpCo or functional area (e.g. copy review committee, management board, etc.), as well as by the appropriate ICA. The Site Owner is responsible for leading the collection and documentation of approvals from all parties involved in the content review process, including Legal, Marketing, Medical Affairs and Regulatory Affairs.

There are additional considerations for Social Media Sites. Prior to getting content review committee approval, the Site Owner for a Social Media Site must ensure that a moderation plan and posting policy are in place at the OpCo (see Section III.B).

Product content that is intended for a franchise in multiple countries should be developed as a base publishing piece which can be easily adopted by each country. Any modifications made to the base publishing piece by the region must be approved by the appropriate reviewers for the OpCo (e.g. local Regulatory Department).

8. Maintenance

OpCos are responsible for specifying the procedures for maintaining and/or disabling Company Sites, including archiving of previously posted content, notification to the public and temporary redirection of URL addresses.

9. Urgent Site Changes

OpCo SOPs must establish a mechanism for making urgent site changes including removal of content, correction and recall announcements. Such changes should be able to be made immediately upon notification of the need for the change.

E. Compliance with IAPP

All Company Sites must be compliant with the Information Asset Protection Policy (“IAPP”). The ICA in conjunction with Johnson & Johnson Information Technology is responsible for reviewing and ensuring the connections between the internal Johnson & Johnson network and the external Internet are consistent per IAPP. Refer to the complete IAPP policy for details (http://it.jnj.com/wwis/Pages/IAPPs.aspx).

F. Notices, Disclaimers & Retention of Content

1. Geographic Disclaimer and Statement of Responsibility

Websites reach a global audience and thus if the content does not apply to a global audience, a geographic disclaimer is required. An example of this is if the site content revolves around product information that may or may not be available in any particular country or region of the world and may be approved by a government regulatory body for sale or use with different indications and restrictions in different countries. In this case a site must clearly state the target country or countries to which the information applies. Note that some of our products are sold under different names depending on the geography. In addition to the standard group of reviewers, the Site Owner should check with the Trademark Group to ensure that a “global” website is appropriate early in the process. If the intended audience is global then a geographic disclaimer is not necessary. These types of sites may include the following:

• Corporate sites that describe general information, i.e. descriptions of the types of business conducted, recruitment, public relations, philanthropy and other non-product specific information

• Disease state sites

All websites must include a Statement of Responsibility which is stated separately from the Legal Notice and after or below the copyright notice, as follows: “This site is published by [Insert Full legal name of affiliate publishing the site] which is solely responsible for its contents.”

Note: When a Company Site contains licensed content for which the licensor has indemnified the OpCo or function against liability, an additional statement may be included in the Statement of Responsibility to that effect. The Site Owner should work with the OpCo’s designated attorney to develop the statement in this case. In any event, contracts with third party content providers should clearly state any such indemnification.

2. Legal Notice and Disclaimers

The link to the current legal notice provided by the Johnson & Johnson Law Department, or edited locally by a representative of the Johnson & Johnson Law Department to reflect local law, must be available at a minimum on the first page of each Company Site. There is only one legal owner of the site, even in cases where the content represents multiple Johnson & Johnson companies. Only in rare cases, and most often where the social media initiative is a true corporate initiative, would the site owner or copyright owner be listed as “Johnson & Johnson.” One of the OpCos is the most likely candidate to serve as the site owner. Other disclaimers should be utilized when applicable, including some form of exit notice where it is not apparent that a user is leaving the site, to limit liability, address privacy requirements, and to mark the site’s boundaries.

3. Intended Audience Disclaimers

In addition, where content intended for health care professionals is posted on third party sites where it may be accessible by the general public, a disclaimer should be used to indicate the intended audience [6] and the materials should be reviewed by the appropriate functional representatives, as set forth in OpCo SOPs governing the review of company disseminated materials. Local regulations should be consulted to determine if a disclaimer would be sufficient.

4. Records Retention

In general, retention of records on a Johnson & Johnson Internet Site should follow the Records Retention Schedule (RRS) of the OpCo or the functional area (or both) from which the site originates. In addition, note that certain types of records may be subject to different treatment based on regulatory or litigation hold requirements. For questions or clarification, contact your appropriate Records Manager.

5. Website Attachments

All self-contained documentation, including PDFs and MS Word documents, that can be downloaded via an OpCo website must embed the following important information:

• Copyright information
• Safety information, if applicable
• Website reference (Example: This document has been accessed through <J&J website URL> and should be viewed in conjunction with other important information within the originating website)

G. Accessibility

Consideration of the following factors may help ensure accessibility of Company Sites by all those who use our products:

• Key information and functionality is accessible to the disabled and others with compromised senses and dexterity.

• Clear and consistent navigation (e.g. general to specific information)
• Adequate spacing between menu selections for easy browsing
• Logical content organization makes sites easier to comprehend and navigate, particularly for those with low literacy or language barriers
• Text descriptions of graphic elements and transcripts of video allow them to be searched through existing search engines.

The techniques described above fall within the Web Content Accessibility Guidelines 1.0 (http://www.w3.org/TR/WCAG10/).

[6] Sample “pop-up” disclaimer used in the U.S. to accompany product training materials available on iTunes: “This material is intended for Healthcare Professionals Only. If you are not a Healthcare Professional, please consult your doctor for additional information regarding this procedure.” User must click “OK” to continue.

III. REVIEW OF COMPANY SITE CONTENT

A. General

The Site Owner is responsible for ensuring that information on the site is of high quality, including considerations of accuracy, non-misleading content/layout, and good taste. Every site should be seen as an important piece of direct communication with our customers and/or the general public. The Site Owner must ensure that there are specific business resources available and a documented process is in place to review Company Sites on an ongoing basis, at least annually or more often as in the case of Social Media Sites as set forth below. This review should be conducted by the appropriate functional representatives, as set forth in OpCo SOPs governing the review of company disseminated materials, or in the case of corporate functional groups (e.g., Corporate Communications, Finance), should include at least representation from Legal and Regulatory Affairs. For certain types of content, the length of time that it appears on the website must be restricted by the Site Owner since applicable laws, regulations, or governmental policies restrict how long it can appear (e.g., press releases, limited time offers, comparative claims that require monitoring and updating). Such content should be flagged by the Site Owner using site administration tools (with assistance from Global Services or the ITL as necessary) for follow-up and removal prior to regularly scheduled annual site review if/as needed to ensure compliance.

B. External Social Media Sites

Online activity that includes the potential for interactivity raises certain unique opportunities and risks. Given the dynamic nature of Social Media Sites and the highly regulated environment in which we operate, there are some additional requirements applicable to Social Media Sites.

1. Moderation: In general, all content published to a Social Media Site, or content published on behalf of the Company on a third party website, including UGC, must be reviewed and approved before being posted (Pre-moderation). For certain initiatives it may be deemed appropriate for content, including UGC, to be posted on a Social Media Site or a third-party site without prior review. In such cases, a process of posting without prior review, followed by moderating (Post-moderation), may be permitted with the express approval, and at the discretion of, the OpCo President, GM, or the equivalent member of senior leadership of the Responsible Entity, except that in the Consumer Sector such approval may be obtained at the Vice-President level.

2. Moderation Process: Unless exempted from moderation requirements under Section 4 below, the Site Owner must document the process for reviewing content on Company Sites, whether before or after posting. The documentation process should include a procedure to promptly remove content from Company Sites if necessary (e.g., based on third-party intellectual property claims, off-label statements about our products, or violations of site posting policy). The process must also be flexible enough to quickly approve acceptable posts, comments, videos or other materials, and escalate any materials requiring additional review (whether by Legal, Regulatory, IT or other subject matter experts).

3. Training/Guidance: Suggested criteria for use in moderating site content are set forth in a separate guidance document entitled “Johnson & Johnson Guidelines on User-Generated Content,” located on the Law Center (http://lawcenter.jnj.com/lawcenter/Pages/FindAPolicy.aspx). Training on these Legal Guidelines should take place at the OpCo, function or business unit level. In the event that a third party is to review site content, the Site Owner must work with their Law Department representative to ensure that the third party is appropriately trained on the “Johnson & Johnson Guidelines on Consumer-Generated Content,” and relevant Company Guidelines.

4. Exemptions from Moderation:

A. Third-Party Control: In circumstances where the Responsible Entity does not have editorial rights or control over content on third-party sites, or where the nature of the technology may not permit review or editing, it may not be possible to engage in any form of moderation. Examples of content that cannot be moderated may include, but are not limited to, Company content published elsewhere on third-party sites [7], use of tools or applications created on our behalf or at our direction where we do not control the user activity [8], platforms where Company content will be commented on and further disseminated by other users beyond our control [9], and content superimposed upon or copied from Company Sites and re-disseminated [10]. In such instances, the Responsible Entity may still proceed with the proposed activity with the express approval, and at the discretion of, the OpCo President, GM, or the equivalent member of senior leadership of the Responsible Entity, except that in the Consumer Sector such approval may be obtained at the Vice-President level.

B. In certain situations it may be appropriate to exempt Company Sites from regular pre- or post-moderation requirements other than review of the site such as may occur in the ordinary course of business (e.g., non-product related, general sites such as BabyCenter.com that are not associated with or controlled by OpCos that manufacture and sell products). In such instances, the Responsible Entity may still proceed with the proposed activity with the express approval, and at the discretion of the President, GM, or the equivalent member of senior leadership of the Responsible Entity.

5. Governance/Approvals: In any event, participation in or sponsorship of third-party sites must be approached with consideration and judgment. Every effort should be made to work with the relevant third-party site owner to ensure that the site comment and posting policies encourage behavior that will not damage the image or reputation of Johnson & Johnson, its OpCos, or their respective brands. The determination to engage in online activity where pre- or post-moderation is not possible must be made in consultation with a Law Department representative directly supporting the business and other subject matter experts as needed (e.g., Regulatory, IT), based on an evaluation of factors including but not limited to: the business purpose, technology constraints, product/sector at issue, type of promotion, type of site, and associated risks.

6. Mobile Applications: Mobile Applications (aka “Mobile Apps”) require certain special considerations during the review process. A detailed Mobile Applications Compliance Guide can be found at http://it.jnj.com/support/pages/wicostandardrequirements.aspx#.

[7] For example, if an OpCo sponsors a page or section of a third-party site, the OpCo is unlikely to have the right to control content appearing on one of the other pages of that site, nor to have the ability to monitor dynamic content on that site as a practical matter. In this instance, it may be impossible to engage in any form of moderation of the site content beyond the Company-owned content. A regulator may nonetheless view the choice of sponsoring content on a given third-party site as intentionally associating our products and services with the content appearing on other pages, so consideration should be given to the overall context of the third-party site as we currently would do when evaluating advertising placement in journals or magazines.

[8] For example, while most Facebook content is susceptible to review either in advance (creation by the page owner) or through post-moderation, certain Facebook applications are expressly designed to be sent virally from one Facebook user to another, and cannot be controlled by the Company once released. Such applications should be designed with this fact in mind and may therefore be constrained in terms of what product claims can be made, especially for more highly-regulated products and sectors.

[9] For platforms like Twitter where pre- and post-moderation are not possible, a Site Owner may want to consider preparing pre-vetted responses to be used in real-time in order to be responsive to the dialogue taking place among users. In this instance the Site Owner would be defined as the individual proposing to engage online on behalf of the OpCo or function.

[10] Existing and future online technologies will enable users to “post”/superimpose content on, and to remove content from, Company Sites without our consent (e.g., SideWiki). As a general rule, we are not responsible for such online activities and are not accountable for reviewing such content. If, however, we become aware of such content, we must discharge any relevant regulatory or other responsibilities, such as the reporting of potential AEs through proper channels in accordance with our policies. Precautions should be taken to help ensure that content cannot be removed from our sites, or if removed, that content related to our products and services will contain all necessary fair balance, disclaimers and other regulatory required messages embedded within the content (e.g., “fair balance” in a product-related video should appear within the video itself as opposed to only in surrounding text on the Company Site).

IV. E-Commerce

The sale of products or services online directly to consumers triggers the same issues as retail sales via other channels (pricing, sales tax, refund policies, etc.). Accordingly, it is important to involve the Finance, Tax and Law departments early on in the planning of any site that will engage in e-commerce. The sale of products or services online, rather than at a brick and mortar store, also triggers some special considerations, addressed below.

A. Retail sales, whether offline or online, require sellers to develop policies and practices to comply with applicable laws and rules, including such matters as: (i) Country/State sales tax laws; (ii) Country/state and federal pricing laws (e.g., how to legally discount prices; how to conduct a “free trial”; automatic renewals; etc.); (iii) Thirty Day/Mail Order Rule compliance (e.g., timing requirements for shipping product; establishing a back order policy; order tracking; etc.); (iv) shipping and handling charges (e.g., permissible amount to charge; determination as to where taxable; how to characterize; etc.); (v) returns and credits (developing policies and procedures for tracking and issuance); (vi) rebate and coupon law compliance; (vii) billing and debt collection; (viii) requirements relating to overseas shipments, if applicable; (ix) gift card law compliance, if applicable; (x) Global Payment Card Industry (“PCI”) compliance and security standards (https://www.pcisecuritystandards.org/organization_info/index.php); and (xi) unclaimed property law compliance.

B. In addition to addressing all of the standard retail issues, including the issues identified above, the applicable OpCo must also prepare any consumer-facing policies on the site to ensure that they adequately address e-commerce activity. For example, the Privacy Policy must appropriately describe the information collected, how it will be used and with whom it will be shared; such Policy is likely to be more extensive in an e-commerce environment than on a site that does not engage in sales activity. At a minimum, the Privacy Policy should disclose that information collected from consumers will be used to process orders and ship the product and shared with service providers for that purpose. The Terms of Use for the site should also be robust enough to include the applicable OpCo’s purchase policies for the site, such as return policies; product guarantees; a description of any auto-renew features; shipping and handling, etc. The site owner may also want to include FAQs to describe the site’s functionality, customer service methods, order tracking, product details, etc. Johnson & Johnson, the parent company, does not engage in any on-line or e-commerce activity.

V. Legal

A. Corporate Name Treatment

The Johnson & Johnson name and logo may only be used in strict accordance with the Johnson & Johnson Corporate Signature Policy available at http://corporateidentity.jnj.com.

B. Health Care Regulatory Law

As a diversified health care manufacturer the Johnson & Johnson Family of Companies conducts a wide range of activities, including research, education, and marketing and selling of products. There are a variety of legal and ethical standards that apply to these activities. The Johnson & Johnson Family of Companies is committed to conducting its affairs in compliance with these standards. The following is a non-exhaustive list of legal, regulatory, and industry standards that should be considered in the development of a Company Site and individuals who are qualified to advise on these topics should be consulted as needed:

• Anti-Kickback Laws
• False Claims and Other Billing Standards
• Food and Drug Administration (FDA) and Federal Trade Commission (FTC) Regulatory and promotional/advertising rules
• Laws and regulations issued by the applicable health ministries and bodies of each country we operate in
• State Laws
• Industry Standards
• Country specific guidelines on gifts and payments to health care professionals
• Accreditation Council for Continuing Medical Education Standards for Commercial Support of Continuing Medical Education
• PhRMA Code on Interactions with Healthcare Professionals (the “PhRMA Code”)
• AdvaMed Code of Ethics for Interactions with Health Care Professionals (“the AdvaMed Code”)
• Johnson & Johnson Health Care Business Integrity Guide

C. Import/Export Law

Anti-Boycott/Trade Sanctions (Asset Freezes and Embargoes)

Johnson & Johnson policy is to adhere strictly to applicable U.S. law when conducting international transactions, to be aware of the law, and to implement administrative steps necessary to assure compliance with trade sanctions. Refer to the United States Export Regulations Affecting All Affiliates for more details (http://lawcenter.jnj.com/lawcenter/Pages/FindAPolicy.aspx).

D. Patent Law Guidelines

Prior to hiring any consultants or vendors to develop your website, you should involve the appropriate Law Department representative to obtain advice or a relevant template agreement which can be used to put the proper agreement in place for the work to be performed. The Johnson & Johnson attorney for your project can be found at the Johnson & Johnson Law Center at http://lawcenter.jnj.com/lawcenter/Pages/FindALawyer.aspx. Importantly, in the absence of a written agreement between the parties, a consultant or vendor may end up owning the code, and may fully or jointly own any inventions incorporated into the code.

E. Trademark & Copyright Law

1. Copyright Notices and Protection of Site Images

Copyright law is the primary form of legal protection for the content of Internet websites. To assure maximum legal protection of Johnson & Johnson Family of Companies website content, follow these guidelines for including a copyright notice in sites:

Form of Notice: A copyright notice consists of the following three elements in order in a single line of text:

• Copyright Symbol: ©
• Owner’s Name: The full legal name of the particular operating company that has published the site
• Year(s) of Publication and Modification of the Site

For example: © [Owner’s Name] [Year-Modified date]


Year(s) to Use in Notice: The year in the copyright notice should be the year the site was first launched (“published”). If the site content is modified in subsequent calendar years, add to the copyright notice each calendar year in which such a modification was made.

Location of Notice: The notice should appear legibly in the following places in the Site:

• Legal Notice

• Home page

• Bottom of each electronic page of the site

For example, if first published in 2008, and then updated in 2013, the copyright notice would read: © [Owner’s Name] 2008, 2013. If the site was first published in 2008 and has been routinely or continuously updated through 2013, the copyright notice would read: © [Owner’s Name] 2008, 2013.

Omission of Notice: The omission of a copyright notice from a site can result in the loss of legal rights in the copyrightable contents of it.

Protection of Site Images: Unless there is a business justification for permitting or encouraging the copying of such images, proprietary OpCo graphics that are displayed on OpCo websites, particularly Johnson & Johnson OpCo logos, product logo and product packaging images, should be protected by coding which restricts the ability of visitors to “right click” on images and thereby copy and/or save the images. This technology will make it somewhat more difficult for J&J related images to be illegally utilized on other websites or used on websites that “spoof” legitimate Company Sites. Where there is a business justification for permitting or even encouraging the sharing of certain site content, such as the creation of advocacy opportunities or for search engine optimization purposes, rights secured sharing buttons and tools should be enabled.

Approval for Third Party Images: Written permission or licenses MUST be obtained to use any photographs, logos, product packaging or other proprietary images owned by third parties. NOTE: Just because something appears on the Internet, doesn’t mean that it is in the “public domain” and that it can be used on a Company Site. Just as Johnson & Johnson or an OpCo claims rights to the materials we post on the Internet, so do third parties.

Approval for Third Party Content: If intellectual property, other than links, not owned or licensed by Johnson & Johnson or an OpCo is used on a Company Site, written permission must be obtained. This documented permission should include the following:

• An identification of the material in question

• Identification of the material’s owner (name, title, address)

• A description of all uses planned for the material (e.g. to post it for public viewing on a specified Company Site)


• The owner’s consent for such use, along with terms and conditions, as well as the time period or duration that such consent will be considered valid and in force

• Work with your local attorney or Trademark Attorney as needed to have such documentation prepared, reviewed, and processed.

• With respect to linked content, all linked-to content must be approved by the OpCo copy review process, but may not require third party permission, depending on the material.

NOTE: Many stock photography sites have limitations and even restrictions in their “standard” license agreements about use of such imagery on websites and in the social media context. Consult your local attorney or Trademark Attorney to review the relevant license agreement before using stock photography on a Company Site.

2. Internet Domain Name Registration & Ownership

It is corporate policy that, for registration and ownership purposes, each domain name should be treated in the same fashion as a legal trademark of Johnson & Johnson. As such, the registration and administration of domain names must be handled by the Trademark Law Department and registrations must be secured in the name of Johnson & Johnson, to the extent legally permissible.

Domain names will be managed by Johnson & Johnson Corporate similarly to the management of Johnson & Johnson’s trademark with the strategic intent of protection against infringement, including monitoring of third party use of the same or confusingly similar domain names.

Processes have been established to implement global registrations of domain names covering all countries (*.uk, etc.) and all global top-level domains (*.com, *.net, etc.) where requested by the relevant operating company or franchise. All such requests for the registration of domain names must be made through DomainCentral (http://domaincentral.jnj.com).11

In addition, in order to keep centralized records of which social media initiatives and sites are owned by J&J OpCos, even if the domain name for a particular initiative is owned by a third party, such initiative must be registered with the Trademark Law Department through DomainCentral. Note: This practice can help avoid inadvertent enforcement action against a site which is authorized. The ICA will also register your site with the DARM Inventory for Social Media Sites.

Use of redirecting URLs to ensure traffic flow to Company Sites is a good practice. However, Responsible Entities must assure that all such addresses are properly registered via the Johnson & Johnson Trademark Law Department.

11 In general, to preserve consumer expectations, a domain name should not point directly to a third party social media website unless it is clear to the consumer by the context or the domain name itself that the domain name will do so. Otherwise, the domain name should point to a landing page, which can redirect the consumer to the social media website.


Each Responsible Entity must develop a domain name strategy analogous to trademark strategy.

• No OpCo may use the “jnj” designation alone for their website address. For example, you may use JNJGermany.de or JNJEDeutschland.de or JNJGMBH.de. However, you may not use JNJ.de. Per policy, the “JNJ” designation in each country domain is reserved for corporate use, as an extension of the JNJ.com URL. Corporate websites may use “jnj” in combination with other wording for the URL domain name.

• OpCos must not preemptively register competitors’ trademarks as domain names nor should a competitor’s trademark be directly “purchased” as a key word for purposes of internet search algorithms.12

• It is not permitted to authorize or arrange to have any third parties register Johnson & Johnson domain names. This includes the agency that may have been used to create the website content. It can be very difficult and costly to retrieve the domain name registration from the third-party’s ownership in the future. This can be a particularly serious problem when the domain name is or includes one of Johnson & Johnson Company’s existing trademarks.

• If a domain name has inadvertently been registered through a third party, or has been registered in the name of a Johnson & Johnson affiliate, ownership of the domain name registration must be immediately transferred into the name of Johnson & Johnson. Contact the Trademark Law Department ([email protected]) promptly should this situation occur.

3. Linking and Framing

Direct or indirect links among pages of operating companies or between Johnson & Johnson Corporate and operating companies are permitted, as are links to third party websites from Company Sites (and “pop-up” disclosures may be helpful where it is not otherwise apparent that a user is leaving the site) as long as such linking does not in any way suggest that the content on a linked-to site belongs to the originating site.

4. Company trademarks should be cleared prior to use and used properly on all Company Sites. In most instances, proper usage includes:

• use of a Company trademark in all capital letters, followed by a ™ symbol for pending applications or an ® symbol for registered trademarks;

• never pluralizing nor using a trademark in the possessive form (e.g., never use an ‘s after a trademark);

12 Where a competitor has purchased one of our trademarks as a key word, consult with the Trademark Group to determine next steps, which may include reaching out to the third party and/or determining that an exception to this policy is appropriate given the particular circumstances.


• use of a descriptor or generic product name following at least the first use and prominent uses of a trademark on a page of a Company Site; and

• never hyphenating, abbreviating, or distorting a Company trademark.

Check with your Company or brand trademark attorney for particular brand or OpCo exceptions and variations.

VI. Privacy Interests of Consumers and Customers

A. Internet Privacy Worldwide

Refer to “Internet Privacy Policy Manual” (http://jjhccp.jnj.com/WWOHCCP/privacy/POLICIES_GUIDANCE/Pages/InternetIntranet.aspx) for an in-depth review of J&J policy requirements concerning the use of externally-facing Privacy Policies and Collection Statements with Web sites, Mobile Sites and Mobile apps.

B. Email Communication

When utilizing email, online surveys or other online technologies to communicate with consumers or customers, ensure the following:

• Email recipients have agreed to receive such types of communications via an opt-in

• All email marketing communications provide the option to opt-out from future email marketing communications and the recipient of any such opt-outs has the ability to promptly honor the opt-out request in a timely manner (e.g., remove or suppress email addresses)

• Clearly identify the purpose(s) of the communication, what information is needed, how it will be used and disclosed

• Indicate the audience for which the email is intended (i.e. country, health care professionals, etc.)

• Use an e-mail address to communicate with consumers that is sent from a domain name owned by Johnson & Johnson or an OpCo (e.g., [PROJECT]@[DomainName].com)

If the email elicits user response, ensure the following:

• Provide clear and conspicuous access to the Privacy Policy and Legal Notice

• Provide a clear explanation of what information is required, and how the response will be used and the mechanism to opt-out from receiving further emails.

• Honor opt-out requests in a timely manner, in accordance with relevant company policy (in the US, this timing should comply with CAN-SPAM requirements).

• Protection of personal information in accordance with J&J privacy policies [Data Privacy Principles, Policy on the Use of Unsolicited Email, Policy on Customer and Consumer Communications, Internet Privacy Manual].


VII. Web Security

There are a multitude of requirements set forth in the Information Asset Protection Policies (IAPP) that are applicable to online activities. Rather than attempt to summarize these policies here, they are provided in list form in Appendix B under the heading “IAPPs.” Please consult with your IT representative and/or ICA on which of these policies are applicable and how to comply with these policies during the development phase of any Company Online Activity.

VIII. ADMINISTRATION OF INTERNAL COMPANY SITES

Social media sites can be powerful tools that managers, individual employees or teams can use to enhance how they communicate but can carry some added risks that more traditional communications tools do not. For instance, internal blogs and wikis have the potential to reach virtually all employees of Johnson & Johnson and its OpCos as well as many contractors, vendors, and agencies. Like e-mail, information published to an internal social media site becomes a permanent record that is discoverable in litigation and can be submitted as evidence, thus internal Social Media Sites should be approached responsibly, and with thoughtfulness about content and comments.

At Johnson & Johnson and its OpCos, we recognize the value that these social networking tools can have in managing our businesses when used appropriately, and have developed the following policy to govern the creation of internal Company Sites, including Social Media Sites, and including such sites regardless of whether they are internally or externally hosted (both of which are referred to as “Internal Social Media Sites”).

1. Internal Social Media Sites must have a clearly defined business objective that must be posted on the site so as to be visible to all site participants, and a site administration plan must be in place.

2. Individual employee contributors to an internal site are also responsible for the content that they post and for ensuring that their posts comply with site policy and Company Guidelines.

3. A statement delineating the guidelines for interacting with the site is required for all sites and must be clearly visible on the site. These rules of engagement must be established in consultation with the OpCo's Law Department and regulatory representatives as part of the approval process for the site.13 These rules should also be reviewed at least annually and updated as necessary.

4. A Site Owner must ensure a site is directed to a defined group of users that is determined and limited by the Site Owner through registration, distribution list, or access controls. There is no specific number limit on site participants, but the number must be finite. Internal Social Media Sites must select employees authorized to access the site based upon the type of information allowed to be discussed on the site and employee roles and responsibilities.

5. A Site Owner must ensure that all posts and comments to the site are reviewed on a regular basis. The site review process, including proposed frequency of review, must be documented and must include a procedure to promptly remove content if needed. In addition, the Site Owner must ensure that there is a procedure in place to ensure that the site is compliant with Company data retention policies. The site must also undergo a review by the Johnson & Johnson Law Department eDiscovery team if (a) OpCo business will be or might be conducted, (b) business records will be or might be created, or (c) subject matter that relates to an ongoing Hold Notice will be or might be discussed.

13 See the Corporate Blog or Kilmer House: The Story Behind Johnson & Johnson And Its People for examples of Comment Posting Policies.

6. All content posted to an internal site must be attributed to a named employee or allow the author to be identified via another mechanism. Anonymous or pseudonymous content will not be permitted.

7. The site must conspicuously provide a way for any user to contact the Site Owner, and must also provide a contact name or link enabling users to “Report Inappropriate Content” that may occur on the site.

8. If externally hosted, the Site Owner is responsible for ensuring that the external provider has undergone and passed a security audit, a Business Partner Risk Assessment, and is an approved provider with a signed agreement. Externally hosted sites must also comply with the terms outlined in this section, including sufficient processes for proper moderation, and data retention. The site must also undergo a complete review and vetting by, and receive approval from, the Johnson & Johnson Law Department eDiscovery team if (a) OpCo business will be or might be conducted or discussed, (b) business records will be or might be created, or (c) subject matter that relates to an ongoing Hold Notice will be or might be discussed.

9. Individuals and groups may not conduct OpCo business on an internally or externally hosted site without complying with this Section VIII.

IX. RELATIONSHIPS WITH INCENTIVIZED BLOGGERS AND SPOKESPERSONS

A. Johnson & Johnson OpCos may from time to time participate in various programs whereby bloggers and spokespersons are provided incentives, such as payments and other compensation, gifts and product samples. These incentives are sometimes provided directly to the blogger or spokesperson by its OpCos and sometimes by a network or agency on behalf of the advertisers. Such incentives may create a “material connection” between the blogger/spokesperson and the OpCo that, in accordance with the FTC’s Testimonial and Endorsement Guides in the US, must be disclosed by the blogger/spokesperson. Each OpCo must take appropriate steps to ensure that such bloggers/spokespersons make the requisite disclosure. Please consult the appropriate Law Department representative for input on ensuring compliance with these and any other legal requirements.

B. A blogger/spokesperson’s disclosure as to his or her material connection to the OpCo must be clear and conspicuous. The form of disclosure will vary depending on the medium. For example, on a microblog, like Twitter, the use of a hash tag notation, such as #ad, #paid, or #gotitfree, at the beginning or end of the tweet may be sufficient, depending on the context. However, on a standard blog, the use of a statement such as “I received [PRODUCT] from [name of applicable entity]” would be more appropriate. Simply posting a link labeled “Legal” or “Disclosure” would not be sufficient.

C. The OpCo must also take appropriate steps to ensure that the statements made about the OpCo and its products reflect the blogger/spokespersons’ own (and not the OpCo’s) honest beliefs, opinions and experiences and that they accurately and truthfully describe OpCo and its products. Such steps should include disseminating written guidelines to bloggers/spokespersons about their responsibilities and fact sheets about the relevant products, as appropriate. Such steps should also include monitoring bloggers/spokespersons to ensure compliance.