As a result of the COVID-19 pandemic, restaurants and organizations throughout the world have turned to the use of “quick response” or “QR” codes to facilitate their “touchless” operations more easily. However, the convenience of these increasingly popular QR codes may come at a price with respect to consumer privacy and cybersecurity. Businesses and organizations should exercise caution when using this technology to avoid violations of consumer privacy regulations and reduce the risk of falling victim to cybersecurity incidents.
What are QR Codes?
QR codes have been around for decades, but the scannable technology has experienced a rapid resurgence during the COVID-19 pandemic. The unique square codes are similar to bar codes and have been used to replace menus and other paper forms in an effort to provide contactless services to slow the spread of COVID-19. Instead of physically handling a menu or completing a form by hand, customers use their smartphones to quickly scan a QR code, which then directs the customer to a digital menu, an online form, or other types of digital content.
Businesses and organizations in various industries have continued to utilize QR codes for the advantages they provide. Some of those advantages include saving costs on physical prints, the ease of online editing, and the ability to collect information on consumer preferences to better tailor their service or product offerings. However, these advantages must be balanced against the potential risks involved.
Risks with QR Code Technology Usage
The benefits of QR codes are clear, but there may be potential downsides to this technology in the context of cybersecurity and data protection. Before incorporating QR code technology into your organizational operations, you should consider the risks involved and plan accordingly. For instance, businesses must account for increased data processing and storage, gathering consumer acknowledgments and consents, and establishing appropriate cybersecurity safeguards to protect the personal information being processed.
- Lack of Consent – Another major concern with the use of QR codes is that consumers are not always being asked for their consent to have their information collected, stored, and used for advertising and other promotional purposes. If they are given an option to provide their consent, they oftentimes have no other choice but to accept if they intend to proceed with the service. In contrast, a consent-based service model that adheres to certain consumer privacy rights and regulations should request consumers’ consent to track their data as soon as they scan the QR code. Since the widespread adoption of QR codes is still relatively new, many businesses are not aware of applicable privacy law obligations regarding its usage. However, as global privacy laws continue to expand in scope and number, commercial entities can satisfy at least one of their potential legal requirements by obtaining prior consent from consumers to collect their personal information.
- Security Risks – There are several potential cybersecurity risks associated with the improper use of QR codes. The technology could be vulnerable to cybercriminals attempting to extract data from the mobile device used to scan the code or redirecting the scanner to a different URL that hosts an information phishing site. The issue gets even more dangerous if a consumer’s payment information is involved in the process. To avoid cybersecurity pitfalls, QR codes must be implemented properly with the right safeguards in place. With the increase in cybercrime, organizations need to devote more time and resources into network security and patch vulnerabilities before consumer data gets compromised, or otherwise face substantial liability because of their improper data protection efforts.
There is no doubt that QR code technology is a beneficial tool for many businesses and organizations, especially as we look for more ways to embrace touchless operations. However, the technology must be implemented properly to minimize the associated risks. Proper QR code usage should involve consent-based mechanisms for data collection, information being clearly communicated to consumers regarding the processing of their personal data, and appropriate cybersecurity measures to prevent security incidents.