QR (short for Quick Response) codes are everywhere these days. QR codes have replaced the humble URL on storefronts and bus stop advertisements, supplanted the business card and badge details at conferences, and they've become the new normal for displaying restaurant menus.

What began as an internal inventory system at Toyota in the 1990s has evolved into one of the most pervasive—and underregulated—data collection mechanisms in modern commerce.

Industry reports reveal the rise of QR code adoption: QR provider Uniqode claims that 79% of businesses use dynamic codes, with 95% gathering first-party data. The pandemic turbocharged adoption, with usage skyrocketing 433% over four years as businesses embraced contactless solutions. The convenience and cost-effectiveness of QR codes have made them an essential tool for businesses of all sizes seeking to streamline operations and enhance customer experiences. Yet this rapid embrace of QR technology occurred largely without consideration of its privacy implications.

Food Isn't the Only Thing on the Menu

For example, let's say you're out on the town, and looking for a nice meal. Since the restaurant you're visiting changes its menu regularly, they moved to QR code menus on the table to be environmentally-friendly. But, as you scan the code looking for your main course, you may not only be accessing dining information — you could be unknowingly placing an order for comprehensive surveillance. While QR codes themselves are usually benign methods of encoding information, they can still make for risky clicks. Obviously, there’s the nefarious links problem, where a QR code directs a user to a compromised website, or gets the user to download malware. But there are privacy risks even when the links themselves are legitimate. 

This is because many of the services that generate QR codes operate as sophisticated data analytics businesses disguised as simple code creators, whether they’re free QR generators or paid platforms. Companies like Flowcode, Uniqode, and QRCode Chimp, for example, collect extensive behavioral data by intercepting requests and passing your information through their servers first before connecting to the final destination. All the while, they may be collecting loads of personal data in seconds--unbeknownst to you, or the business using them.

This automatic data collection typically includes IP addresses, device fingerprinting data and IDs, timestamps, precise location data (sometimes without consent), and referrer information. The fundamental privacy problem is clear: personal data flows before users can make informed choices about whether (or who) they want to share their data with.

And the appetites for consumer data from these analytics sites are enormous. Flowcode, Uniqode, and QRCode Chimp, for example, share and sell scan data with affiliates, advertisers & ad networks, analytics providers, co-promotional partners, and marketing services. And when it comes to retention, both Flowcode and Uniqode retain data for ages–Flowcode for up to seven years, while Uniqode makes no mention of how long they store personal data beyond retaining it where "ongoing legitimate business requires retention," according to their respective privacy policies.

Regulators Are Still Reading the Wine List 

Despite the pervasive nature and ubiquity of QR codes, specific guidance from global privacy regulators remains surprisingly scarce. This regulatory blind spot has allowed extensive data collection practices to flourish largely unchecked.

The UK's Information Commissioner's Office (ICO) has provided only scattered references to QR codes in its broader privacy guidance, though they did fine QR code provider Tested Me Ltd £8,000 for using personal data collected via QR codes for unlawful marketing purposes. 

Outside of the UK, guidance specific to QR code privacy practices remains absent. Similarly, the European Data Protection Board (EDPB) and other major privacy regulators have not issued any detailed guidance, despite the technology's explosive growth. 

This regulatory vacuum doesn't signal compliance—rather, it suggests that once regulators catch up to the technology, there may be a reckoning. The ICO's recent focus on cookie compliance, dark patterns, and ensuring "meaningful choice" for users, combined with their broader online tracking strategy suggests that QR code scrutiny could be coming as part of a later course.  

Even without specific guidance, current privacy laws still mandate clear requirements that many QR code implementations struggle to meet. Under the General Data Protection Regulation (GDPR), valid consent must be "freely given, specific, informed, and unambiguous." The automatic data transmission that occurs upon QR code scanning makes it virtually impossible to obtain truly informed consent before data processing begins, though some services like Uniqode purport to ask for user consent, at least prior to collecting precise geolocation data, while others only apply precise geolocation collection in jurisdictions with weak/no meaningful protections.

Similarly, the GDPR's transparency requirements under Article 13 also mandate that data controllers provide clear information about data processing at the time of collection. For QR codes, this means users should understand who is collecting their data, what specific data points are being gathered, why it's being collected, how it will be used, and with whom it might be shared—all before scanning the code itself. That could make for a lot of extra reading if all you want to do is order lunch.

Finally, under various state privacy laws in the United States, including the CCPA, Virginia Consumer Data Protection Act, and others, businesses must provide clear disclosures about data collection, sale, and sharing, and offer opt-out mechanisms. The automatic nature of QR code data transmission coupled with the opacity of collection by code generation sites, may create disclosure challenges for businesses sharing content via QR codes.

The Business Risks

For businesses using third-party QR code services, several significant risks emerge. 

First, regulatory exposure will increase if privacy enforcers catch up to the technology. Companies operating in jurisdictions with strict privacy laws may face enforcement actions if their QR code implementations fail to meet legal requirements for consent and transparency.

Brand reputation risks also loom large. Consumers who discover that their QR code menu scans also come with a side of extensive data tracking might be turned off from engaging with businesses who use these services. The potential for negative publicity also increases as consumer awareness of data privacy issues grows.

There’s also heavy third-party risk & dependency issues. Businesses may have limited control (or knowledge) over QR providers' data practices & the use of data. QR code service providers can modify their retention periods, data sharing practices, or security measures, leaving businesses dependent on external companies' privacy compliance efforts. And many businesses may not think to ask, assuming as so many of us do, that the codes flow directly to the source.

Finally, legal liability concerns arise when businesses become data controllers for information collected through their QR code campaigns. Under privacy laws, businesses may be held responsible for ensuring lawful processing of customer data, even when collection occurs through third-party services.

A Better Recipe for QR Code Privacy

• Audit your QR code providers' data practices: Review the contracts, privacy statements, and service agreements to understand the data processing terms, retention periods, and sharing practices of QR code providers. And if companies aren't transparent, find a new provider.
• Update privacy notices to accurately reflect third-party QR code data collection: Ensure customer-facing privacy notices clearly explain what happens when QR codes are scanned and provide meaningful control mechanisms. If the QR code generator is tacking on precise geolocation, IP tracking, behavioral targeting or other questionable practices, document this, and explain why it's necessary in your transparency statements. 
• Implement Best Practices and Privacy-By-Design: Better still: choose QR code generators that minimize data collection and prioritize privacy. Static QR codes that simply encode URLs without tracking capabilities eliminate most privacy concerns while still providing basic functionality. Consider an open source, auditable solution if you want to be certain.

Check, Please

The question isn't whether QR code privacy regulation is coming—it's whether businesses will be ready when it gets here. By embracing privacy-by-design principles now, companies can leverage the convenience and efficiency that QR codes provide, while respecting user privacy and future-proofing against regulatory changes.

(For anyone eyeing the QR code at the top of this page—relax. We used a bare-bones, open-source generator that simply links to a catchy, relevant YouTube link. No tracking, no data collection. We're never gonna give you up like that).