Protecting Patron Privacy While Using QR Codes

The pandemic has led to profound and, in many cases, likely long lasting, changes in the way we live, work and conduct businesses.  Restaurants, in particular, have had to go through significant transformation.  One of the ways in which many restaurants have responded to new concerns about transmission of viruses and other contagions in their establishments has been through the adoption of QR coded menus.  While these menus may be an attractive option to patrons and staff who are concerned about passing paper or plastic menus back and forth, and offer a number of other benefits, they are not without their privacy and security concerns.

Prior to the pandemic, QR coded menus were not in widespread use at restaurants but with more and more people seeking contactless ways of getting things done, having the ability to point one’s phone camera at a QR code, rather than passing around shared menus, seemed to be a more attractive option to many patrons and many restaurant managers have been quick to adopt to this new technology.  On the basic side of the spectrum, in some restaurants’ systems, the scanned QR code opens the restaurants website to display the menu.  In other more sophisticated models, the QR codes are linked to systems that allow for the placement of orders and payments.  In many models, restaurant owners can also collect and analyze rich data about their patrons and purchasing activities. In some cases, the technology provider will also want to be able to use and perhaps even monetize those data,

That brings us to one of the biggest potential problems with QR codes – that is – that they can be programmed to linked to anything.  They can track customers, including when and where they scan and track purchase histories and personal data, in many cases without their knowledge or consent.  They can also be prime targets for hackers. QR codes provided to restaurants for free and without any clear privacy controls can be of particular concern.

The privacy concerns surround the use of QR codes have led consumer groups such as the Better Business Bureau and civil rights groups such as the American Civil Liberties Union to issue warnings to consumers.  The Better Business Bureau has taken to warming consumers about the possible signs of QR code scams.  For example, consumers should always verify the source of QR code and should also be suspicious if after scanning a QR code one is prompted for a user name and password.  Consumers should also consider installing a QR scanner with added security or virus scanning capabilities. 

Despite the potential privacy challenges raised by the use of QR codes, they are not likely to go away any time soon, even once the pandemic is finally, thankfully, over. Customers have been shown to enjoy the speed, convenience and ease of using QR codes at their favorite establishment.  Restaurants too, are seeing the benefits, the use of QR codes can reduce labor costs significantly. They also help restaurants gather more data on what dishes are selling well and can offer unique opportunities for offering unique and tailored promotions.

So now that QR codes are likely here to stay, how can restaurants take advantage of the many benefits of QR coded menus without increasing the privacy risks to their patrons?  Here are some tips:

  • Be very cautious about free systems. Many companies are providing free QR codes but if you are concerned about the protection of your patron’s privacy and security, you would be better served by acquiring a system from an established, reputable provided.
  • Negotiate with technology provider. Review and understand the agreements provided by the QR code provider. Ensure that you are taking appropriate contractual steps to protect your customers’ data and security.
  • Disclose the use of the QR codes and policies and practices with respect to data collected through such codes, including, significantly, any information sharing, in the restaurant’s privacy policy.
  • Invest in information security to ensure that all customer data are adequately protected from hackers and bad actors.
  • Understand and be prepared to comply with applicable privacy laws such as the California Consumer Privacy Act, which contains very restrictive provisions concerning the sale of data.  Ensure that your technology provider is also providing legal representations as to their compliance with applicable privacy laws.

By taking these steps, restaurant managers can improve the likelihood that they will be able to reap the many benefits of contactless, technology enabled menu display and ordering without creating privacy and data security problems for their valued customers.