(Privacy) Check, Please!
The Privacy Implications of QR Code Menus
There are many habits we now consider the “new normal”. Masks, sanitizer, and awkward Zoom hangouts are just some of the facets of daily life we no longer think twice about. As restaurants open and we can meet outside our screens again, one of the newer processes we are getting used to is scanning QR code menus. These virtual menus remove one more touchpoint from bars and restaurants and reduce sanitation steps for staff. When you scan the QR code, it takes you directly to a website or PDF containing the menu. We’ve heard about websites mining our data, so are these codes just another tracking trap disguised as a menu? There are some real privacy implications raised by QR codes that need exploration.
What are QR Codes?
“QR” stands for Quick Response. QR codes are not a pandemic invention but were developed in 1994 by a Japanese car manufacturer as a way to quickly track and identify car parts [1]. Since QR codes come in more complex shapes than standard barcodes, much more information can be embedded into the code. For restaurants or retailers, a QR code is a quick and simple way of sharing information with clientele. An article by the Washington Post explains:
QR codes have emerged as an effective way to collect first-party data…If that pair of jeans you like has a QR code on the tag, you can scan to read more details on the brand’s website. The next time you visit, the site will remember you, and the jeans might be waiting in your shopping cart with a discount. [2]
What this means is that QR codes are an easy way of marketing directly to customers. Instead of printing and handing out flyers, a business can add a code to a jacket tag and you can learn about sizes, sales, and outfit inspirations. It’s a form of first-party data collection, where the company is reaching out directly to customers who enter their business to gain insights, instead of buying consumer data from third-party companies. In most consumer spaces, the QR codes take the customer directly to a custom webpage.
In the case of restaurants, QR codes have allowed many places to ditch the traditional paper menu. Not only does this save some trees, but it also means that the staff doesn’t have to disinfect hundreds of menus a week and they can easily update as needed. Like in a retail setting, the QR code will take you to a site that collects first-party data. It is important to note that this first-party data may be sold to third-party vendors through the websites you access via QR codes [3]. All of this could be done without your informed consent, which raises privacy concerns. Do you really want your eating habits sold off to marketing companies without your knowledge?
The Privacy Implications of QR Codes
The QR menu at your favourite sushi spot isn’t sending your personal information into the dark corners of the web. That being said, it does not mean that you are not sending out some personal information when you scan those codes. The types of data that QR codes might collect are less personalized. The data might only show the restaurant owner or web-host some overall trends, such as the busiest times at the restaurant. The codes are not collecting your email address, phone number, or name. As explained in an article by the cybersecurity company Kaspersky:
QR code-generating software does not collect personally identifiable information. The data it does collect – and which is visible to the code’s creators – includes location, the number of times the code has been scanned and at what times, plus the operating system of the device which scanned the code (i.e., iPhone or Android). [2]
Although the codes themselves are not mining your data, QR codes take you to websites and these sites collect some data to sell to third-party companies for marketing purposes. This is done through the process of collecting cookies. Cookies are data that websites store on your computer and are used to remember information about you each time you re-enter the site [4]. You won’t necessarily know what data the website collects either. The restaurant could use this information to better market to you and other patrons. Some restaurants use third-party technology for their QR menus, which means that these companies could be aggregating your data from multiple sources if you’re visiting different locations that use the same technology [5]. An article by the CBC used the following example of how a restaurant may use the data from their online menu: “Let’s say it was a Hungarian restaurant that you visited. Well then other Hungarian restaurants in the area might start advertising to you all of a sudden” [6]. QR codes are tied up in this overarching question of informed consent. Do you want the restaurants you visit to have more information about you than you are consciously aware of? Restaurants using online menus need to consider what data their websites collect and make this process transparent to their customers. It is not just a courtesy but a legal requirement under the Canadian Personal Information Protection and Electronic Documents Act [7].
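To make the scan data and the cross-location aggregation described above concrete, here is an added example (not code from any vendor or from the sources cited) that summarizes a constructed access log the way a menu host could. The host `menus.example` setup, the log format and the `vid` cookie name are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: access log of a hypothetical vendor hosting QR menus for
# several restaurants. "vid" is an assumed name for the vendor's cookie.
SAMPLE_LOG = """\
203.0.113.7 [2021-10-01T12:05:11] "GET /r/sushi-spot/menu" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)" vid=a1f3
203.0.113.9 [2021-10-01T12:40:02] "GET /r/sushi-spot/menu" "Mozilla/5.0 (Linux; Android 11; Pixel 5)" vid=c9d2
198.51.100.4 [2021-10-01T19:15:45] "GET /r/sushi-spot/menu" "Mozilla/5.0 (Linux; Android 12; SM-G991B)" vid=-
198.51.100.8 [2021-10-03T18:30:20] "GET /r/hungarian-bistro/menu" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)" vid=a1f3
203.0.113.7 [2021-10-08T12:10:09] "GET /r/sushi-spot/menu" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)" vid=a1f3
"""

LINE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /r/(?P<venue>[^/]+)/menu" '
    r'"(?P<ua>[^"]*)" vid=(?P<vid>\S+)'
)

def device_os(user_agent):
    """Coarse OS guess from the User-Agent header, as scan dashboards report it."""
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "iOS"
    if "Android" in user_agent:
        return "Android"
    return "other"

def summarize(log_text):
    """Return (per-venue scan stats, set of venues seen per cookie id)."""
    stats = defaultdict(lambda: {"scans": 0, "hours": Counter(), "os": Counter()})
    profiles = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip anything that is not a menu request
        venue = stats[m["venue"]]
        venue["scans"] += 1
        venue["hours"][datetime.fromisoformat(m["ts"]).hour] += 1
        venue["os"][device_os(m["ua"])] += 1
        if m["vid"] != "-":  # "-" = no cookie sent, e.g. a fresh private-browsing session
            profiles[m["vid"]].add(m["venue"])
    return dict(stats), dict(profiles)

if __name__ == "__main__":
    stats, profiles = summarize(SAMPLE_LOG)
    for name, s in stats.items():
        print(name, s["scans"], "scans, busiest hour", s["hours"].most_common(1)[0][0], dict(s["os"]))
    for vid, venues in profiles.items():
        print("cookie", vid, "seen at", sorted(venues))
```

None of these fields contains a name or email address, yet the cookie alone is enough to link one device to both restaurants. The request that arrives without a cookie still counts as a scan but cannot be joined to a profile.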
Is there anything I should be doing?
The simplest solution is to open QR codes in private browsing mode. This will limit the amount of data that is shared with the website, and what can be mined by third-party companies. If a website allows you to choose which cookies it tracks, ensure you are taking the extra minute to review your options. QR code menus are likely here to stay – they’re convenient, easy to update, and much cheaper than physical menus. It is always important to use a critical lens with the technology we use, even if it seems innocuous. Informed consent and data transparency are the future we should all be fighting for with all forms of technology.
Points to Consider
How do you feel about QR code menus – are they convenient or tedious? Could you see QR code menus becoming a privacy issue in the future? What protocols should companies implement to protect their customers? Feel free to discuss below!
References
[1] Kaspersky. (n.d.) QR Code Security: What are QR codes and are they safe to use?. Kaspersky Resource Centre. https://www.kaspersky.com/resource-center/definitions/what-is-a-qr-code-how-to-scan
[2] Hunter, T. (2021, October 7). QR codes are a privacy problem — but not for the reasons you’ve heard. The Washington Post. https://www.washingtonpost.com/technology/2021/10/07/are-qr-codes-safe/
[3] Perlstein, J. (n.d.) Deprecating the cookie: The impact of eliminating third-party identifiers. Venture Beat. venturebeat.com/2021/11/19/the-impact-of-eliminating-third-party-identifiers/
[4] Rescorla, E. (2021, July 26). What’s wrong with QR code menus?. Educated Guesswork Blog. https://educatedguesswork.org/posts/qr-code-menus/
[5] Dunham, J. (2021, September 28). ‘Convenience comes at a price’: Experts urge caution on QR codes. CTV News. www.ctvnews.ca/sci-tech/convenience-comes-at-a-price-experts-urge-caution-on-qr-codes-1.5603169
[6] Weikle, B. (2021, September 26). Scan QR-code menus with a side of caution, say privacy experts. CBC News: Cost of Living. https://www.cbc.ca/radio/costofliving/there-just-aren-t-enough-houses-for-canadians-to-buy-plus-digital-menus-and-getting-into-sports-betting-1.6173009/scan-qr-code-menus-with-a-side-of-caution-say-privacy-experts-1.6188515
[7] Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5. (2019). laws-lois.justice.gc.ca/PDF/P-8.6.pdf
Featured Image: Photo by Tim Douglas from Pexels https://www.pexels.com/photo/crop-cafe-coworkers-using-app-on-smartphone-at-work-6205512/
Written By: Brittanny Dzioba
Edited By: Lucas Wright