March 05, 2026 · 5 min read · qr, marketing, analytics, privacy

QR codes and GDPR: how to track campaigns without risking privacy

QR code tracking is powerful, but EU privacy rules still apply. Learn how to use UTMs, redirects, consent, and data minimization to measure scans safely.


QR codes are everywhere because they bridge offline to online:

  • flyers
  • menus
  • posters
  • product packaging
  • real estate signs

And once you can measure scans, you can optimize.

But if you operate in the EU (or market to EU users), GDPR still applies. "It is just a QR code" is not a legal strategy.

This article is a practical, conservative guide to tracking QR campaigns without creating unnecessary privacy risk.

TL;DR

  • Avoid putting personal data in QR destinations or UTM parameters.
  • Use dynamic QR codes so you can fix mistakes without reprinting.
  • Treat the landing page like any other marketing page: consent, disclosure, and data minimization.
  • Prefer aggregate measurement (campaign level) over person level measurement.
  • When in doubt, talk to a qualified privacy lawyer.

This is not legal advice. It is operational guidance.

What GDPR cares about in a QR code campaign

A QR code itself is just an image.

GDPR gets involved when scanning leads to processing personal data.

Examples of personal data in a QR flow:

  • IP address and device identifiers collected by analytics
  • cookies used for marketing attribution
  • form submissions (email, phone)
  • unique identifiers tied to a person

Even if you never ask for a name, you can still create personal data by combining identifiers: a scan timestamp, an IP address and a device fingerprint together can single out one person.

The most common tracking mistake: putting PII into UTMs

UTM tags are query parameters used for campaign tracking.

Example:

  • ?utm_source=flyer&utm_medium=qr&utm_campaign=summer

The mistake is when teams include personally identifying information (PII) in UTMs.

Examples of what not to do:

  • utm_campaign=john-smith
  • utm_content=customer_anna_1984
  • utm_term=+31612345678

Why this is risky:

  • UTMs are copied into analytics tools, where they sit for the tool's retention period
  • UTMs end up in server logs and in the Referer header sent to third-party resources on the landing page
  • URLs get shared, bookmarked and screenshotted

If you need per-placement attribution, use non-identifying placement codes that mean something only in your own records.

Example:

  • utm_content=poster_a3_window_left
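As an added example (not code from the original post or from QRShuffle), here is a small Python pre-print lint that builds campaign-level UTM URLs from an allowlist and rejects values that look like they belong to a person. The campaign and placement names and the example.com domain are assumptions. A regex cannot recognise a name like john-smith, which is why the allowlist, not the pattern match, is the real control; the patterns only explain why a value was refused.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed campaign inventory: every UTM value a printed QR code may carry.
# Anything outside this allowlist is rejected, which is what stops a name
# or customer number from reaching the print file.
ALLOWED_UTM_VALUES = {
    "utm_source": {"flyer", "poster", "menu", "packaging", "sign"},
    "utm_medium": {"qr"},
    "utm_campaign": {"summer", "autumn_menu"},
    "utm_content": {"poster_a3_window_left", "poster_a3_window_right", "menu_table_tent"},
}

# Secondary, descriptive check: patterns that mark a value as being about a
# person. It explains why a value failed; it is not a substitute for the allowlist.
PII_PATTERNS = {
    "email": re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I),
    "phone number": re.compile(r"(?:\+|00)?\d[\d\s().-]{7,}\d"),
    "long number (ID, order, birth date)": re.compile(r"\d{6,}"),
    "person word": re.compile(r"(?:^|[_.-])(?:customer|user|member|client|patient)(?:[_.-]|$)", re.I),
}


def build_campaign_url(base: str, source: str, campaign: str, placement: str = "") -> str:
    """Append campaign-level UTMs to `base`, refusing values outside the allowlist."""
    params = {"utm_source": source, "utm_medium": "qr", "utm_campaign": campaign}
    if placement:
        params["utm_content"] = placement
    for key, value in params.items():
        if value not in ALLOWED_UTM_VALUES[key]:
            raise ValueError(f"{key}={value!r} is not an approved value")
    parts = urlsplit(base)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def lint_destination(url: str) -> list:
    """Pre-print check for a QR destination. Returns findings; [] means it passed."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("destination is not https")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.startswith("utm_"):
            allowed = ALLOWED_UTM_VALUES.get(key)
            if allowed is None:
                findings.append(f"{key} is not a parameter this campaign uses")
            elif value not in allowed:
                findings.append(f"{key}={value!r} is not an approved value")
        for label, pattern in PII_PATTERNS.items():
            if pattern.search(value):
                findings.append(f"{key}={value!r} looks like a {label}")
                break
    return findings
```

Run `lint_destination` over every URL in the print file before it goes to the designer; a non-empty result blocks the batch. Note that `parse_qsl` decodes `%2B` back to `+`, so an encoded phone number is still caught.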

Start here:

  • /blog/utm-tags-for-qr-codes
  • /blog/qr-code-campaign-tracking-utm

Dynamic QR codes make privacy safer (because you can repair)

Privacy mistakes often happen at speed.

You print 2,000 flyers with a URL that includes a bad parameter. Now what?

With a static QR code, you are stuck.

With a dynamic QR code, you can:

  • remove the parameter
  • change the destination
  • update your tracking scheme

without reprinting.

If you are printing anything, use a dynamic QR code.

  • /blog/dynamic-qr-code
  • /blog/editable-qr-code

A conservative QR campaign setup (GDPR friendly by default)

1) Use campaign level UTMs

Keep UTMs descriptive and non-personal.

A solid default:

  • utm_source: where the scan happens (flyer, poster, menu)
  • utm_medium: qr
  • utm_campaign: your campaign name
  • utm_content: placement code (optional)

2) Land on a page that explains what happens

Your landing page should not be a privacy surprise.

Add:

  • a short disclosure if you use analytics
  • a link to your privacy policy

If you use cookies for marketing, you need consent before they are set, and your tags must not fire until it is given.

3) Measure what you need, not what you can

Offline campaigns often do not need person level attribution.

You usually need answers like:

  • which placement generated the most visits
  • which page converted best
  • whether the campaign produced signups

That can often be done with aggregate analytics.

4) Keep scan destinations stable and secure

QR code tampering is a real risk in public spaces: a sticker with a malicious code placed over the real one sends scanners wherever the attacker wants.

Recommendations:

  • use HTTPS
  • keep the domain consistent, so people learn what a legitimate link from you looks like
  • do not route scans through third-party shorteners; redirect from a domain you control
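The four steps above amount to a small redirect service. As an added example, not QRShuffle's implementation, the following Python sketch models one: a short code maps to a destination that can be edited after printing, every scan is counted per code and per UTC day with nothing about the scanner stored, and destinations are restricted to https on domains you control (the example.com hosts are assumed).

```python
import datetime as dt
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed: the only domains a printed code may land on. An editable redirect is a
# redirect that anyone with edit rights can point anywhere, so the service, not the
# editor, enforces where scans may go.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


@dataclass
class Redirect:
    destination: str   # editable after printing; the printed short URL never changes
    campaign: str


@dataclass
class RedirectService:
    redirects: Dict[str, Redirect] = field(default_factory=dict)
    # Aggregate counters keyed by (short code, UTC day). No IP address, user agent,
    # cookie or per-scan row is stored, so the measurement stays at campaign level.
    scans: Counter = field(default_factory=Counter)

    def create(self, code: str, destination: str, campaign: str) -> None:
        self._check_destination(destination)
        self.redirects[code] = Redirect(destination, campaign)

    def update_destination(self, code: str, destination: str) -> None:
        """Repair a printed code: change where it lands, no reprint needed."""
        self._check_destination(destination)
        self.redirects[code].destination = destination

    def resolve(self, code: str, now: Optional[dt.datetime] = None) -> Tuple[int, str]:
        """Handle a scan: return (HTTP status, Location header value)."""
        target = self.redirects.get(code)
        if target is None:
            return 404, ""
        day = (now or dt.datetime.now(dt.timezone.utc)).date().isoformat()
        self.scans[(code, day)] += 1
        # 302, not 301: browsers cache a permanent redirect and would keep sending
        # later scans to the destination you have since replaced.
        return 302, target.destination

    def daily_scans(self, code: str) -> Dict[str, int]:
        """Campaign-level report: scans per UTC day for one printed code."""
        return {day: n for (c, day), n in self.scans.items() if c == code}

    @staticmethod
    def _check_destination(url: str) -> None:
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError("destination must use https")
        if parts.hostname not in ALLOWED_HOSTS:
            raise ValueError(f"destination host {parts.hostname!r} is not a domain you control")
```

Two design choices carry the security weight: the host allowlist in `_check_destination`, which keeps a compromised or careless editing account from turning your printed codes into an open redirect, and the counter keyed only by code and day, which is the whole analytics store and contains nothing that identifies a scanner.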

Related:

  • /blog/qr-code-security-quishing

Do you need consent for analytics on the landing page?

This depends on your setup.

Some analytics approaches are lower risk than others.

A practical framework:

  • If you use marketing cookies or cross-site tracking, treat it as consent required.
  • If you use minimal, first-party, aggregate measurement, the requirements can be lighter. Note that the consent rule covers any storing or reading of information on the device, not only cookies, and that an IP address is still personal data.

The safest operational move is to assume you need proper consent if you do any marketing attribution.

Again, talk to counsel if this is business critical.

QR codes for loyalty, tickets, and personalization (higher risk)

Campaign posters are one thing.

Personalized QR codes can be different.

Examples:

  • a unique QR per customer on a mailer
  • QR codes that open a logged in account
  • QR codes that reveal personal details

If you do this, you should:

  • avoid exposing personal info in the URL
  • require authentication for sensitive data
  • rotate or expire links
  • document your lawful basis and retention
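As an added example (not from the post or from QRShuffle), here is one way to issue the per-customer links in the list above in Python: the printed URL carries only a random token, the token-to-customer mapping stays server-side, links expire, a customer's outstanding links can be revoked together, and expired mappings are purged. The example.com base URL and the offer codes are assumptions.

```python
import datetime as dt
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Grant:
    customer_id: str            # stays server-side; never appears in the printed URL
    offer: str                  # the one thing the landing page may show without a login
    expires_at: dt.datetime


class PersonalLinks:
    """Per-customer QR links: the printed URL carries only an opaque, expiring token."""

    def __init__(self, base_url: str):
        self.base_url = base_url.rstrip("/")
        self._grants: Dict[str, Grant] = {}

    def issue(self, customer_id: str, offer: str, ttl: dt.timedelta,
              now: Optional[dt.datetime] = None) -> str:
        now = now or dt.datetime.now(dt.timezone.utc)
        token = secrets.token_urlsafe(24)   # 192 random bits: unguessable, reveals nothing
        self._grants[token] = Grant(customer_id, offer, now + ttl)
        return f"{self.base_url}/r/{token}"

    def redeem(self, token: str, now: Optional[dt.datetime] = None) -> Optional[str]:
        """Return the offer for a valid link, None for unknown or expired ones.
        Deliberately never returns the customer_id: whoever holds the mailer
        gets the offer, and anything account-related still requires a login."""
        now = now or dt.datetime.now(dt.timezone.utc)
        grant = self._grants.get(token)
        if grant is None or now >= grant.expires_at:
            return None
        return grant.offer

    def revoke_customer(self, customer_id: str) -> int:
        """Rotate: invalidate every outstanding link for one customer (lost mailer,
        erasure request). Returns how many links were revoked."""
        stale = [t for t, g in self._grants.items() if g.customer_id == customer_id]
        for t in stale:
            del self._grants[t]
        return len(stale)

    def purge_expired(self, now: Optional[dt.datetime] = None) -> int:
        """Retention: drop expired grants so the customer mapping does not linger."""
        now = now or dt.datetime.now(dt.timezone.utc)
        stale = [t for t, g in self._grants.items() if now >= g.expires_at]
        for t in stale:
            del self._grants[t]
        return len(stale)
```

The point of `redeem` returning only the offer is that a QR code on a mailer is, in practice, a bearer credential: anyone who picks up the envelope can scan it, so the link must not open an account or show personal details on its own.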

A quick checklist before you print

Before printing a batch, do a proof.

Checklist:

  • No personal data in the URL or UTMs
  • Destination loads fast on mobile
  • Privacy policy link is present
  • Consent banner behaves correctly (no marketing tags fire before consent)
  • Dynamic QR code is used for print
  • Multiple phone scan test passed

Full print workflow:

  • /blog/qr-code-proofing-checklist-before-printing

How QRShuffle helps

QRShuffle makes it easy to run QR campaigns without getting locked into mistakes:

  • create dynamic QR codes
  • update destinations and UTMs after printing
  • keep exports crisp for designers

If you want to generate a campaign QR code with clean tracking, start here:

https://qrshuffle.com
