QR codes have become an integral part of our lives, offering convenience in accessing information with just a quick scan. However, this convenience comes with its own set of risks, especially concerning the safety of personal information.

What is a Quick Response (QR) code?

Quick Response (QR) codes are small white squares with two dimensional black markings, similar in look to a barcode. By simply scanning the code with your device's camera, you can unlock certain information. QR codes are used for several different purposes – from viewing a restaurant's menu to accessing additional information on a website or registering to attend an event.

There are three primary ways people interact with QR codes: consuming, where users scan a code to view content; sharing, where individuals present their code for information verification; and generating, which involves creating a QR code to facilitate an action (such as pairing devices).

Risks of using QR codes

Incorporating QR codes into your business practices offers convenience and efficiency, but it also introduces certain risks that need to be managed. Potential risks from using QR codes include:

  • Collection of metadata: When customers scan a QR code, it can lead to the collection of metadata related to the user, including the device type, IP address, location and any information entered on the website.
  • Tracking online activity: Websites may use cookies to track users' online activities, enabling the collection and use of data for marketing purposes without the user's consent.
  • Exposure of financial data: Transactions made through QR codes may expose financial data, such as credit card numbers, if used to purchase goods or services on a website.
  • Threat actors: QR codes can be used by threat actors to infect devices with malware, steal personal information or conduct phishing scams. Threat actors typically exploit vulnerabilities in computer systems, networks and software.

Mitigating the risks

It's imperative to minimize your risks relating to the use of QR codes in your business. As a business considering the integration of QR codes, it's important to conduct a thorough privacy and security review to identify potential risks. Here are some recommended practices to enhance security and privacy.

  • Understand what QR codes do: To mitigate risks relating to the use of QR codes you need to clearly understand what QR codes collect and what is done with this information.
  • Implement private browsing for business devices: Consider using private browsing on your business devices and opt for browsers that offer anti-tracking features to protect your online activities.
  • Verify website URLs: Train your staff and inform your customers about the importance of verifying website URLs before entering sensitive information, such as a password or login details.
  • Adjust browser settings: Adjust browser settings on business devices to disable cookies and site data storage.
  • Limit personal information: When using QR codes in your business, request only the essential personal information from customers.
  • Privacy policy confirmation: Ensure your privacy policy is transparent, accessible and communicated effectively to users scanning your QR codes.
  • Fraud reporting procedures: Create clear guidelines for reporting fraud or cyber incidents, including contacts for the local police, the Canadian Anti-Fraud Centre or the Cyber Centre.

Acceptable Use Policies and QR codes

Organizations are encouraged to develop an Acceptable Use Policy (AUP), which serves as a comprehensive set of rules set by the network, website, service's owner or administrator. This policy outlines the acceptable and prohibited uses of the organization's digital resources and sets guidelines for proper usage.

It's important for organizations to train their employees on the potential risks associated with QR codes and to specifically address the use of QR codes within their AUP. This ensures that employees are not only aware of how to use these tools safely but also of usage boundaries within the organization's framework.

Organizations that use QR codes should be aware of the associated risks and ensure that their use is both appropriate and secure. If you're interested in learning more about how to appropriately implement AUPs and mitigate risks within your organization, our Privacy, Data Protection & Cybersecurity group has extensive experience assisting various organizations in this area. We can support you in reviewing your existing policies, implementing these guidelines and preparing AUPs that are tailored for your organization. Contact us to learn more.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.