As a result of the COVID-19 pandemic, restaurants and organizations throughout the world have turned to “quick response” or “QR” codes to facilitate their “touchless” operations. However, the convenience of these increasingly popular QR codes may come at a price with respect to consumer privacy and cybersecurity. Businesses and organizations should exercise caution when using this technology to avoid violations of consumer privacy regulations and reduce the risk of falling victim to cybersecurity incidents.

What are QR Codes?

QR codes have been around for decades, but the scannable technology has experienced a rapid resurgence during the COVID-19 pandemic. The unique square codes are similar to bar codes and have been used to replace menus and other paper forms in an effort to provide contactless services to slow the spread of COVID-19. Instead of physically handling a menu or completing a form by hand, customers use their smartphones to quickly scan a QR code, which then directs the customer to a digital menu, an online form, or other types of digital content.

Businesses and organizations in various industries have continued to utilize QR codes for the advantages they provide. Some of those advantages include saving costs on physical prints, the ease of online editing, and the ability to collect information on consumer preferences to better tailor their service or product offerings. However, these advantages must be balanced against the potential risks involved.

Risks with QR Code Technology Usage

The benefits of QR codes are clear, but there may be potential downsides to this technology in the context of cybersecurity and data protection. Before incorporating QR code technology into your organizational operations, you should consider the risks involved and plan accordingly. For instance, businesses must account for increased data processing and storage, gathering consumer acknowledgments and consents, and establishing appropriate cybersecurity safeguards to protect the personal information being processed.

  • Increased Data Processing – Although directing restaurant patrons to a digital menu using a QR code may seem innocent enough, there are valid concerns about what personal data is being collected and how it could be used when a consumer visits a particular website. For example, a customer might be directed to a website that uses cookies to track visitors’ behavior. This may allow businesses to store consumer preferences and other information, such as the time of the consumer’s visit, to send targeted advertisements or upsell the customer with personalized offers. Every time a consumer scans a QR code, some metadata such as the type of device they’re using, their location, IP address, the date and time, and any other information they may input on the other end of that code can be collected and exploited. These concerns are amplified because many organizations rely on third-party apps for their QR code capabilities, which in turn gives a single company the ability to collect data on an individual from multiple establishments at once. This kind of aggregated data can be problematic, as the totality of collected information can build a more complete picture of an individual. To better reflect consumer privacy ideals and perform business operations in a manner that is more likely to satisfy data privacy requirements, every organization using this technology should adopt written policies directed to its consumers that outline how their personal information will be collected and processed.
  • Lack of Consent – Another major concern with the use of QR codes is that consumers are not always being asked for their consent to have their information collected, stored, and used for advertising and other promotional purposes. If they are given an option to provide their consent, they oftentimes have no other choice but to accept if they intend to proceed with the service. In contrast, a consent-based service model that adheres to certain consumer privacy rights and regulations should request consumers’ consent to track their data as soon as they scan the QR code. Since the widespread adoption of QR codes is still relatively new, many businesses are not aware of applicable privacy law obligations regarding their usage. However, as global privacy laws continue to expand in scope and number, commercial entities can satisfy at least one of their potential legal requirements by obtaining prior consent from consumers to collect their personal information.
  • Security Risks – There are several potential cybersecurity risks associated with the improper use of QR codes. The technology could be vulnerable to cybercriminals attempting to extract data from the mobile device used to scan the code or redirecting the scanner to a different URL that hosts a phishing site. The issue gets even more dangerous if a consumer’s payment information is involved in the process. To avoid cybersecurity pitfalls, QR codes must be implemented properly with the right safeguards in place. With the increase in cybercrime, organizations need to devote more time and resources to network security and patch vulnerabilities before consumer data gets compromised, or otherwise face substantial liability because of their improper data protection efforts.

There is no doubt that QR code technology is a beneficial tool for many businesses and organizations, especially as we look for more ways to embrace touchless operations. However, the technology must be implemented properly to minimize the associated risks. Proper QR code usage should involve consent-based mechanisms for data collection, information being clearly communicated to consumers regarding the processing of their personal data, and appropriate cybersecurity measures to prevent security incidents.