QR codes on packaging spark consumer privacy debate
Key takeaways
- QR codes are increasingly used on packaging to provide product details, recycling guidance, promotions, and brand engagement.
- Experts warn that scans can collect data such as location, device type, time, and product batch, raising concerns over consumer tracking.
- Industry voices argue QR codes can support transparent, consent-based engagement if brands follow strong data governance and privacy rules.

Invented to track vehicle parts more efficiently during manufacturing, QR codes are now a common feature on packaging. Yet, as the black and white square becomes second nature for consumers, some voices have highlighted the risk that the technology could undermine digital privacy rights.
Meaning “quick response,” consumers can scan QR codes to find out a host of information, such as recycling instructions, allergen information, product origin, promotions, and recipes. They offer companies a direct pathway to engage with consumers and raise awareness around their brand.
However, QR codes are more than just a consumer interaction tool — they aid in the collection of data used by companies to understand consumer behavior patterns.
The QR code is not itself a tracker, but once a code on a package is scanned, a consumer’s device is directed to a website. In doing so, depending on how a system is configured, companies may be able to see time, approximate location, device type, and product batch — among other things that depend on a company’s terms and conditions, analytics setup, and consent settings.
In some cases, third-party QR codes route users through an external QR management platform before directing them to the company’s webpage, potentially adding another data-processing layer.
Packaging Insights speaks to Appetite Creative, Polytag, and NGO Digital Rights Watch to better understand the tracking technology behind QR codes, uncovering it as more than a packaging design feature, but an analytical marketing tool.
“Data brokers tend to follow people around the web as much as they possibly can. Their business model is predicated on knowing as much about an individual as possible,” Tom Sulston, head of Policy at Digital Rights Watch, tells us.
“So it’s very likely that following QR codes printed on packaging will result in the user being tracked — even if they’re not logged into a specific system.”
In collecting such data, QR-code-enabled systems can help companies aggregate data to target consumers for future advertising campaigns.
Behind a QR code
Tom Sulston warns that QR codes can direct consumers into wider web-tracking systems, raising privacy and transparency concerns.Sulston explains that while data tracking for the purposes of marketing might not seem like an issue, for some consumers it could be.
“You could easily imagine insurers being interested in the medical products that a person is looking at on the web,” he says. “In one sense, QR codes are pretty benign — they’re just a machine-readable way of printing a web address. But due to the fact that QR codes direct people onto the web, there can be privacy risks that derive from the websites that they’re being used to direct people to.”
Global QR code company Flowcode asserts that while QR codes on packaging aren’t “inherently dangerous”, it likens scanning an unidentifiable code to opening the front door to a stranger.
However, Jenny Stanley, managing director at Appetite Creative, and Alice Rackley, CEO at Polytag, argue that because consumers have to actively choose to scan a QR code, there is an element of safety.
“A QR code is the opposite of covert tracking. It does nothing until a consumer actively chooses to scan it — it's an invitation, not a beacon,” says Stanley.
Rackley echoes this sentiment, suggesting that “nobody is required to scan a QR code — it is completely voluntary. Consumers choose whether they want to engage with the products’ information, and if they don’t see the value, they won’t.”
She also suggests that, in fact, a QR code scan provides “very limited data” to a company, and that personal information is only shared if a consumer chooses to share it, like for a competition, survey, or communication emails.
Flowcode says that most generic QR codes are “indistinguishable,” and the URLs that pop up when a code is scanned can trigger actions a consumer hasn’t decided to opt into.
Although consumers can choose whether to scan a QR code, Sulston says that it’s “problematic” that a QR code “doesn’t easily allow a human to know where they’re about to visit on the internet before opening it.”
“This is a security issue — people shouldn’t click links of unknown provenance, and this applies to QR codes, too.”
Company responsibility
QR codes can support transparent, consent-based engagement when brands build strong data governance behind them, says Stanley.Stanley says that connected packaging “done well” can replace surveillance-era tracking, like third-party cookies, with “transparent, consented, first-party engagement,” provided that companies comply with privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
But, she adds: “Standards are moving faster than shared best practice on consent design. As an industry, we should be doing more — consistent opt-in, plain-language, data-use disclosure, and privacy-by-design with GDPR and CCPA built in from the start, not bolted on.”
Packaging companies should also be held accountable for the data they collect via QR codes, notes Stanley, noting that “good operators welcome it.”
“Accountability already exists under GDPR and CCPA, and it rightly sits with the brand as data controller and its technology partners. The principle is simple: collect only what you need, be transparent about why, and give the consumer real value back.”
Polytag’s Rackley also notes that it’s important to distinguish between collecting unnecessary data and creating useful consumer experiences, which can build trust in a brand.
She says: “When managed through GS1-approved platforms, such as Polytag, QR codes are used to deliver practical value, from product information to food safety updates.”
Contrary to this, Sulston suggests that although company transparency regarding QR codes is important, it’s “not really sufficient.” He argues that consumers do not read terms and conditions because they are “long and unwieldy.”
“Companies know this, and typically their terms and conditions will assert they can do whatever they want with user data with no recourse.”
Like Rackley and Stanley, however, Sulston agrees that governments and regulators can help secure consumers’ data.
He says: “That could take the form of a ‘best interests’ or a ‘fair and reasonable’ test, where people could take legal action if a company’s use of their data is not reasonable.”
Consumer engagement or privacy concern?
QR codes can support transparent, consent-based engagement when brands build strong data governance behind them, says Stanley.The debate remains on whether QR codes represent a fair way for companies to engage with consumers and monitor consumption patterns, or whether they erode consumers’ right to online privacy.
For Sulston, QR codes on packaging and other areas of life represent a larger problem in which the “attention economy has already normalized pervasive surveillance of people on the Internet — QR codes being used to do so is just another step.”
Rackley underscores that a standard QR code scan doesn’t reveal personal data, and consumers remain in control of whether they share anything further. “The growth in QR code engagement is brands wanting a better connection for consumers, not a route to their data.”
Stanley argues that the “legitimate concern” is not the code itself but “what a minority of brands choose to load behind it.”
“The risk has never been the QR code; it’s the weak data governance behind it. Robust accountability protects consumers and the responsible majority of the industry alike.”
Sulston reminds consumers that they can help foster a safer online environment by putting pressure on legislators and taking individual action by being cautious when scanning a QR code.
He remarks: “You can always find a product or company by going directly to their website or searching online.”









