QR Codes are everywhere: menus, products, events, registration forms. But few people stop to think that behind a simple square there can be personal data collection — and clear legal obligations under privacy laws like LGPD (Brazil's data protection law) and GDPR (Europe's).

If you create QR Codes for your business, you need to know what you can and cannot collect. If you scan QR Codes from third parties, understanding what they can know about you helps protect you. This guide covers both sides.

Why Privacy Laws Apply to QR Codes

The LGPD (Law 13,709/2018) and the GDPR regulate any processing of personal data by individuals or companies — including via QR Code. This includes:

  • Forms linked to QR Codes collecting name, email, tax ID, phone number
  • Scan tracking data (time, approximate location, device)
  • Any information that identifies or can identify a person

If you serve customers in Europe, both sets of rules may apply simultaneously.

Angle 1 — You Who CREATE the QR Code and Collect Data

What Requires Legal Attention

When the QR points to a form, registration page, landing page with tracking or any system that stores user data, LGPD/GDPR obligations kick in:

Situation Privacy Concern
QR → registration form (name, email) Needs explicit consent + clear purpose
QR → form with tax ID or health data Sensitive data: stronger legal basis + specific consent
Static QR with personal data in URL Don't do this — data is exposed and cannot be erased
Dynamic QR tracking scans Legitimate, but disclose in privacy policy
QR → login or authentication system Involves processing: document the legal basis
QR in public spaces (street, store) User doesn't expect collection — notify beforehand

The Three Mandatory Questions

Before creating any QR Code that leads to data collection, answer:

  1. Why am I collecting this data? (purpose — must be declared)
  2. What is the legal basis? (consent, contract, legitimate interest, legal obligation…)
  3. How long will I store it and how will I delete it?

If you can't answer all three, don't publish the QR yet.

Sensitive Data = Extra Caution

Health, biometrics, racial origin, religious belief, children's data: if the linked form collects any of these, consent must be specific, highlighted and unambiguous. In these cases, always use a password-protected QR Code to restrict who reaches the form — only those who should, will.

Never Expose Personal Data in a Static Public QR

A static QR permanently encodes its URL. If you embed a tax ID, user token or email directly in the URL and print it on a poster or packaging, that data is permanently accessible to anyone who scans it — and you cannot "erase" a printed QR. Use anonymous session IDs instead of real data.

Angle 2 — Scan Tracking: What Is Legitimate

Dynamic QR Codes log information about each scan. Here's what gets collected and what privacy law says about each item:

Data Collected by Dynamic QR Is It Personal Data? What to Do
Scan timestamp Not alone OK — use for peak-hour analysis
Approximate country/city (via IP) Can be — IP is personal data Disclose in privacy policy
Device type / operating system Not in aggregate OK — use to optimize landing page
Full IP stored individually Yes Needs legal basis and retention period
Precise location (GPS) Yes — sensitive location data Only with explicit consent

Best practices for legitimate tracking:

  • Mention access data collection in your privacy policy
  • Don't store individual IPs longer than necessary
  • Use aggregated data (city, not address; day of week, not exact timestamp per identified person)
  • If you use UTM + Google Analytics, set up IP anonymization correctly

Angle 3 — For the Scanner: What a QR Can Know About You

If you're the end user scanning QR Codes out in the world, here's what happens:

What a QR Code Can Know (via destination system)

  • Time you scanned
  • Approximate city/region (from your phone's IP)
  • Device type and operating system
  • Whether you clicked a link afterward

What a QR Code Cannot Do from a Scan Alone

  • Install an app without your action
  • Access your contacts, camera or microphone
  • Know your name, tax ID or any identifiable data — unless you fill in a form afterward

Signs of a Malicious QR Code

Watch out if the QR:

  • Leads to a suspicious or shortened URL that doesn't reveal the destination
  • Immediately prompts installation of an unknown app
  • Opens a form requesting personal data with no clear context
  • Is pasted over the original QR at an establishment (possible swap attack)

Before scanning an unknown QR, check if the link is safe. And read about QR Code safety to understand the real risks.

How to Create Compliant QR Codes on Code2Scan

Step by Step

  1. Define the purpose before creating — what the user will find and what data will be collected
  2. Use a dynamic QR to be able to update the destination and maintain control over tracking data — create a dynamic QR here
  3. For restricted content (sensitive form, limited-access area), use a password-protected QR Code — only those with the password can access
  4. For forms, display the privacy notice and link to your data policy before submission
  5. Add UTM tags if using analytics — and ensure GA has IP anonymization enabled — see how to track with UTMs
  6. Document what data is collected, for how long, and who has access
  7. Don't print personal data directly in a static QR URL

Static vs. Dynamic QR Under a Privacy Lens

A dynamic QR is much easier to keep compliant: you can change the destination, end the collection and update the policy without reprinting. A static QR, once printed, cannot be "updated" — any change requires new physical materials.

Common Mistakes

❌ Thinking a QR Code Is "Just a Link" with No Legal Implications

If the destination collects data, privacy law applies fully. The QR is merely the access channel.

❌ Not Informing Users That Data Will Be Collected

Every collection of personal data requires notifying the data subject — before or at the time of collection.

❌ Putting Tax IDs or Personal Tokens in the URL

Personal data in the URL ends up in server logs, browser history and analytics data. Avoid it.

❌ Using a Password-Protected QR as a Substitute for Compliance

A password restricts access but does not replace consent and legal basis if data is collected at the destination.

❌ Ignoring GDPR for European Audiences

If your campaign reaches Europe, GDPR also applies — and in some respects it is stricter than LGPD (e.g., cookies and tracking require active consent).

Summary

  1. If you create: define purpose, legal basis and retention period before publishing the QR
  2. Sensitive data in the destination form → use protected QR + specific consent
  3. Never put personal data directly in a static public QR URL
  4. Scan tracking is legitimate — but disclose it in your privacy policy
  5. If you scan: the QR alone does not access your personal data — the risk lies in the destination form or app
  6. Dynamic QR = more control, easier to maintain compliance

Use a password-protected QR Code whenever the destination content is restricted or involves sensitive data. Create responsibly and keep your users' trust.