Ordering meals requires scanning the QR code and mandatory information retrieval... Where is the boundary of scanning the code for consumption?
A cup of milk tea may not be expensive, but the order contains the consumer's personal information and consumption trajectory. For merchants, the user data behind thousands of orders can be considered an important "wealth".
Do these dazzling marketing methods, such as scanning QR codes to order meals, exclusive membership, and joining groups to receive discounts, excessively collect user data? Have the merchants properly stored the collected data?
A large amount of personal data is like "oil"
Overexploitation, forced demand, inducement, and illegal use by merchants
Compared to cases where personal information is directly stolen, people are more likely to encounter situations where merchants request personal information such as name, location, phone number, etc. while scanning QR codes, ordering meals, parking and paying fees, and shopping in supermarkets, which can lead to information leakage due to various reasons.
Internet security experts said that there are two main types of harm caused by personal information leakage: one is the use of personal information by black ash products; Another type is the misuse of user information by enterprises to obtain more abnormal commercial rewards and benefits. In addition, it will also establish an intelligence system and industry barriers through personal information.
![Ordering meals requires scanning the QR code and mandatory information retrieval... Where is the boundary of scanning the code for consumption?](https://a5qu.com/upload/images/4a711311208794dd6d4a1a5338d3c73f.jpg)
Despite constant consumer complaints, why are companies still keen on collecting consumer personal information?
Experts say that in the digital economy era, data is like oil. Especially with a large amount of data, it has great value. Integrating all these data together to create a portrait of each individual is the most commercially valuable thing.
In one sentence: Data is the key to opening the door to wealth. Therefore, many users' personal information is excessively collected, forcibly requested, induced to be taken, and illegally used by merchants.
Starting from mid June, the Shanghai Cyberspace Administration, in conjunction with the Market Supervision Bureau, launched a six-month special law enforcement action to address these chaos. The focus was on eight consumer areas, including restaurants, parking QR codes, children's learning and training, shopping in supermarkets, financial and small loans, real estate intermediaries, car 4S stores, and renting chargers.
Compulsory information retrieval, information retention, privacy policies
As the focus of law enforcement
![Ordering meals requires scanning the QR code and mandatory information retrieval... Where is the boundary of scanning the code for consumption?](https://a5qu.com/upload/images/1294458f69ca6c72979c6e7f98211eea.jpg)
Through investigations and undercover investigations of 29 well-known milk tea and fast food restaurants in Shanghai, the law enforcement team discovered several prominent issues.
Firstly, it is mandatory or beyond the scope to request information. This phenomenon is very common in restaurants, milk tea shops, and coffee shops. The user has arrived at the consumption venue but is still informed that they need to scan the QR code through the app or mini program to order. During the scanning process, they are forced or induced to provide names, phone numbers, location information, and other requirements beyond the ordering range by giving coupons or joining a membership, otherwise they will not be able to complete the order.
Experts say that this approach not only violates the principle of minimum necessity, but also deprives consumers of their right to make independent choices and violates the Consumer Rights Protection Law.
The more stores there are, the more data they generate, sometimes even reaching astonishing levels. For example, a well-known chain milk tea brand generates 87 pieces of data for every order received, and has accumulated over 10 billion pieces so far. Among them, there are 670 million sensitive personal information related to consumer names, phone numbers, locations, etc.
Experts say that in the digital economy era, data is often used for business management, which is beneficial for improving work efficiency and enhancing economic benefits. Personal information can be collected and used, but in the process of collecting information, the three principles of legality, legitimacy, and necessity must be followed.
It is understood that building a technology platform to collect consumer personal information requires a low threshold and low cost. Network security experts say that scanning QR codes for ordering carries certain risks, especially when scanning QR codes for small businesses with unknown sources.
![Ordering meals requires scanning the QR code and mandatory information retrieval... Where is the boundary of scanning the code for consumption?](https://a5qu.com/upload/images/51ed2b164f518eb9368294f45bc15e9c.jpg)
So, have these pieces of information collected by merchants through scanning QR codes to order and inducing submissions been properly stored?
The investigation found that many enterprises have certain hidden dangers when storing user information. For example, a well-known milk tea shop that collects a huge amount of data should be protected according to the three-level standard according to the Cybersecurity Law and Data Protection Law, but this enterprise did not do these tasks.
In addition, privacy policies are also one of the key contents of this inspection. The so-called privacy policy refers to the statement issued by the information collecting party on how to collect personal information. Simply put, it tells users the purpose, purpose, and how to store personal information collected.
Law enforcement officers have found that many companies either do not have privacy policies or are not well-established. Some companies may have privacy policies, but they are too lengthy and the user experience is very unfriendly. Some privacy policies are written in countless words, not so much to inform users, but rather to protect the company itself.
Multiple regions have issued compliance guidelines
Strengthen personal information protection
![Ordering meals requires scanning the QR code and mandatory information retrieval... Where is the boundary of scanning the code for consumption?](https://a5qu.com/upload/images/005e8f2e727f75541f2e1e777eaad49a.jpg)
In order to strengthen personal information protection, the Shanghai Consumer Protection Commission has issued compliance guidelines, self-discipline commitments, and compliance lists for four consumption scenarios since July, including QR code ordering, parking payment, children's training, and shared power banks. In the future, corresponding guidance will be provided for major consumer scenarios such as real estate intermediaries and supermarket shopping.
Recently, Beijing also released an analysis of cases of illegal collection and use of consumer personal information through QR code consumption services and compliance guidelines, sorting out six types of violations and making corresponding regulations.
According to the "Management Measures for Personal Information Protection Compliance Audit" released by the State Cyberspace Administration on August 3, processors who process personal information of more than one million people should conduct at least one personal information protection compliance audit annually; Other personal information processors should conduct a personal information protection compliance audit at least once every two years.
Data is known as the "oil" of the information age, and data containing personal information is even more of a high-quality "oil", which is the focus of competition among businesses. It is not impossible for merchants to collect user personal information, but they should collect it with boundaries, use it appropriately, and take responsibility for protecting it. How to standardize the information collection and usage behavior of merchants in various consumption scenarios, and how to supervise and guide merchants to protect consumer personal information, should be given sufficient attention.
↓ More content click on video ↓