The UK privacy regulator has fined a QR code provider that abused its access to personal data to spam individuals with direct marketing at the height of the pandemic.
The Information Commissioner’s Office (ICO) explained in a notice yesterday that it fined St Albans firm Tested.me £8000 after it sent the marketing emails without obtaining adequate, valid consent from data subjects.
The firm provided clients with contact tracing services by enabling them to offer customers a QR code to scan when arriving at their premises.
However, it used this data to send nearly 84,000 nuisance emails at the height of the COVID-19 pandemic between September and November 2020, the ICO said.
The ICO has also been running checks on other QR code providers to ensure they’re handling people’s data in accordance with the GDPR and its UK equivalent, the Data Protection Act 2018.
It said the checks revealed that most companies understood the laws and the importance of processing personal data fairly and securely.
The regulator’s guidance for firms, as the economy starts to reopen following extensive lockdowns, is to make privacy policies clear and simple, to follow data protection by design guidance, and not to keep any personal data collected for more than 21 days.
Personal data collected for contact tracing is also not to be used for marketing or any other purposes, it said.
QR codes are increasingly used not only to check in to locations using the NHS Test and Trace app, but also by hospitality venues keen to offer customers a hands-free menu experience.
However, the technology doesn’t just represent a privacy risk. Security experts have warned that QR codes could be hijacked by threat actors to download malware and other threats to users’ devices.