If you’ve returned to the restaurants and bars that have reopened in your neighborhood lately, you might have noticed a new addition to the post-quarantine decor: QR codes. Everywhere. And as they’ve become more ubiquitous on the dining scene, so has the quiet tracking and targeting that they do.
That’s according to a new analysis by the New York Times, that found these QR codes have the ability to collect customer data—enough to create what Jay Stanley, a senior policy analyst at the American Civil Liberties Union, called an “entire apparatus of online tracking,” that remembers who you are every time you sit down for a meal. While the data itself contains pretty uninteresting information, like your order history or contact information, it turns out there’s nothing stopping that data from being passed to whomever the establishment wants.
QR codes, for the uninitiated, are essentially square-shaped pixelated barcodes that store certain data—like, say, the menu at a restaurant or a coupon at a certain store. Most phones either have QR-code readers built into their cameras or have similar programs available for download via a third-party app, making it easy to pull up this information just by waving your phone’s camera over the code for a second or two. Because they’re a touchless way to transmit information, restaurants, and retailers have adopted them en masse. And despite the fact that they’re divisive for all sorts of very good reasons, most businesses seem to agree that they’re here to stay, even once the COVID-19 crisis is finally over.
But as the Times piece points out, these little pieces of tech aren’t as innocuous as they might initially seem. Aside from storing data like menus or drink options, QR codes are often designed to transmit certain data about the person who scanned them in the first place—like their phone number or email address, along with how often the user might be scanning the code in question. This data collection comes with a few perks for the restaurants that use the codes (they know who their repeat customers are and what they might order). The only problem is that we actually don’t know where that data actually goes.
The Times spoke with two different companies for its report; Mr. Yum, which offers digital menus meant to track a customer’s purchase history, as they revisit particular restaurants, and Cheqout, which lets users order and pay for their meals directly from their phones. Both claimed that they did not sell any of the data they collected—which included customer’s names, phone numbers, and payment info—to any third-party data brokers at this time.
And because privacy legislation in the US is miles behind what the average data-hoovering company is capable of, there’s really nothing stopping them from sharing whatever data they want, with whoever they want. If enough of that data ends up in the wrong hands, it can easily be used for more sinister means. That’s reason enough to consider asking for a paper menu the next time you’re going out to eat.