Posted In: Cybersecurity & Data Privacy
Industry: Technology
Corporate TIPS: Are QR Codes Problematic from a Privacy Law Standpoint?
By Jarman J. Smith on October 13, 2021
As a result of the COVID-19 pandemic, restaurants and organizations throughout the world have turned to the use of “quick response” or “QR” codes to facilitate their “touchless” operations more easily. However, the convenience of these increasingly popular QR codes may come at a price with respect to consumer privacy and cybersecurity. Businesses and organizations should exercise caution when using this technology to avoid violations of consumer privacy regulations and reduce the risk of falling victim to cybersecurity incidents.
What are QR Codes?
QR codes have been around for decades, but the scannable technology has experienced a rapid resurgence during the COVID-19 pandemic. The unique square codes are similar to bar codes and have been used to replace menus and other paper forms in an effort to provide contactless services to slow the spread of COVID-19. Instead of physically handling a menu or completing a form by hand, customers use their smartphones to quickly scan a QR code, which then directs the customer to a digital menu, an online form, or other types of digital content.
Businesses and organizations in various industries have continued to use QR codes for the advantages they provide. Those advantages include saving costs on physical printing, the ease of online editing, and the ability to collect information on consumer preferences to better tailor their service or product offerings. However, these advantages must be balanced against the potential risks involved.
Risks with QR Code Technology Usage
The benefits of QR codes are clear, but there may be potential downsides to this technology in the context of cybersecurity and data protection. Before incorporating QR code technology into your organizational operations, you should consider the risks involved and plan accordingly. For instance, businesses must account for increased data processing and storage, gathering consumer acknowledgments and consents, and establishing appropriate cybersecurity safeguards to protect the personal information being processed.
- Increased Data Processing – Although directing restaurant patrons to a digital menu using a QR code may seem innocent enough, there are valid concerns about what personal data is being collected and how it could be used when a consumer visits a particular website. For example, a customer might be directed to a website that uses cookies to track visitors’ behavior. This may allow businesses to store consumer preferences and other information, such as the time of the consumer’s visit, to send targeted advertisements or upsell the customer with personalized offers. Every time a consumer scans a QR code, some metadata such as the type of device they’re using, their location, IP address, the date and time, and any other information they may input on the other end of that code can be collected and exploited. These concerns are amplified when you consider the fact that many organizations use third-party apps for the source of their QR code capabilities, which in turn gives a single company the ability to collect data on an individual from multiple establishments at once. This kind of aggregated data can be problematic, as the totality of collected information can build a more complete picture of an individual. To better reflect consumer privacy ideals and perform business operations in a manner that is more likely to satisfy data privacy requirements, every organization using this technology should adopt written policies directed to its consumers that outline how their personal information will be collected and processed.
- Lack of Consent – Another major concern with the use of QR codes is that consumers are not always asked for their consent to have their information collected, stored, and used for advertising and other promotional purposes. If they are given an option to provide their consent, they often have no choice but to accept if they intend to proceed with the service. In contrast, a consent-based service model that adheres to consumer privacy rights and regulations should request consumers’ consent to track their data as soon as they scan the QR code. Since the widespread adoption of QR codes is still relatively new, many businesses are not aware of the applicable privacy law obligations regarding their use. However, as global privacy laws continue to expand in scope and number, commercial entities can satisfy at least one of their potential legal requirements by obtaining prior consent from consumers before collecting their personal information.
- Security Risks – There are several potential cybersecurity risks associated with the improper use of QR codes. The technology could be abused by cybercriminals attempting to extract data from the mobile device used to scan the code, or by replacing a legitimate code so that it redirects the scanner to a different URL that hosts a phishing site. The issue becomes even more dangerous if a consumer’s payment information is involved in the process. To avoid cybersecurity pitfalls, QR codes must be implemented properly with the right safeguards in place. With the increase in cybercrime, organizations need to devote more time and resources to network security and to patching vulnerabilities before consumer data is compromised, or otherwise face substantial liability because of inadequate data protection efforts.
There is no doubt that QR code technology is a beneficial tool for many businesses and organizations, especially as we look for more ways to embrace touchless operations. However, the technology must be implemented properly to minimize the associated risks. Proper QR code usage should involve consent-based mechanisms for data collection, information being clearly communicated to consumers regarding the processing of their personal data, and appropriate cybersecurity measures to prevent security incidents.
How Brouse Can Help
As technology advances and cybersecurity standards are strengthened, more and more organizations are realizing their operations involve data processes that are subject to stringent data security requirements. Even something as simple as making content available via QR codes could mean your organization has legal obligations concerning data privacy. Brouse McDowell’s Cybersecurity and Data Privacy team can provide the guidance and tools you need to develop an understanding of how your organization processes consumer data and the steps required to become compliant with any applicable regulations. Along with providing general guidance through the complexities of data privacy laws and regulations, we also provide proactive solutions for companies to defend against cyber-attacks. Our cybersecurity team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery, and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict the advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.