Ada Chung Lai-ling, the Privacy Commissioner for Personal Data, has advised individuals to exercise caution when ordering food using QR codes and restaurant mobile applications. She emphasized the importance of reading and understanding personal information collection statements before providing sensitive data such as phone numbers and email addresses, as some restaurant chains require this information prior to accepting food orders.
Chung’s advice follows a recent investigation by the Privacy Commissioner’s office, which visited 60 restaurants offering electronic food ordering services between November and the present month. The study revealed that all restaurants providing mobile apps for food ordering were collecting user data for direct marketing purposes. Notably, Satay King, one of the restaurants surveyed, did not offer an option for customers to decline the use of their personal data for direct marketing.
Of the nine restaurants that sought user consent through a checkbox, seven of them defaulted to consent as the pre-selected option. Major catering chains like McDonald’s, Starbucks, TamJai Yunnan Mixian, and Tam Jai SamGor required customers to register an account and provide personal details such as names, phone numbers, and/or email addresses during the registration process. While Cafe de Coral, Fairwood, KFC, and Yoshinoya allowed customers to place orders without registration, they still required personal data during the checkout process.
In addition to mobile apps, four restaurants utilized QR codes for ordering purposes and also collected customers’ phone numbers and/or email addresses. Brad Kwok Ching-hei, the Chief Personal Data Officer, cautioned against scanning tampered QR codes, as they could lead to personal data breaches. Kwok advised individuals to use the built-in QR code scanners on their mobile phones and verify the authenticity of websites linked to QR codes in order to mitigate the risk of data leakage and potential malware downloads.
Chung stressed the importance of minimizing the amount of personal data shared when making electronic orders at restaurants, and urged individuals to consider whether downloading a mobile app and providing personal data solely for food ordering purposes was truly necessary. She encouraged users to select the most privacy-protective settings available if they choose to utilize ordering apps. Furthermore, Chung called on the industry to offer more options for customers to place electronic food orders without the need for personal data collection.
In a related matter, Chung highlighted the alarming rise in data breach incidents, with the number of reported hackings doubling and data breach incidents increasing by 50 percent compared to the previous year. The Privacy Commissioner’s office received 157 data breach reports, with 48 originating from public institutions and 109 from private companies. Of these cases, over 40 percent (64 incidents) were attributed to hacking, more than double the number recorded in 2022. Chung expressed deep concerns about this global trend of large-scale hacking and pledged to enhance education and awareness efforts to promote data security among institutions throughout the year.