People should read personal information collection statements carefully before ordering food using QR codes and restaurants' mobile applications, the Privacy Commissioner for Personal Data Ada Chung Lai-ling said, as some restaurant chains would request customers to provide information like phone numbers and emails before they can order food.
The advice came after the watchdog visited 60 restaurants that offered electronic food ordering, including 10 restaurants with mobile apps to order food and the other 50 utilizing QR codes, between November and this month.
It found that all restaurants providing the apps would track users' records that could be used for direct marketing.
Among these, one, Satay King, does not provide an option for people to reject the use of their personal data for direct marketing purposes.
Nine restaurants would first obtain users' consent with a checkbox, but seven of them set the default option to consent.
Catering chains, such as McDonald's, Starbucks, TamJai Yunnan Mixian and Tam Jai SamGor, would require customers to register an account before they can use the apps and collect personal data such as names, phone numbers and/or email addresses during the registration.
Cafe de Coral, Fairwood, KFC and Yoshinoya allow customers to place orders through apps without registration but still require personal data when checking out.
Four restaurants that provide QR ordering codes also collect customers' phone numbers and/or email addresses.
Chief personal data officer Brad Kwok Ching-hei said yesterday that scanning tampered QR codes could lead to personal data leaks.
"Tampered QR codes may lead customers to fake websites or download malware on their phones, which may put personal information at risk of leakage," he said.
Kwok also urged people to scan the codes with built-in QR code scanners on mobile phones instead of third-party apps and to check the authenticity of the websites that the QR codes direct them to.
People should give as little personal data as possible when making electronic orders in restaurants, with Chung saying "please think twice whether you really need to download a mobile app and give out your personal data solely for ordering food."
She called on people to opt for the most privacy-protective setting if they choose to use apps to place orders.
Chung also urged the industry to provide more options for customers to order food by electronic means without collecting personal data.
Meanwhile, Chung said the number of data breach incidents surged 50 percent last year with the number of hackings doubling.
The watchdog received 157 data breach reports, with 48 coming from public institutions and 109 from private companies.
Of these, over 40 percent, or 64 cases, were related to hacking, more than twice the 29 cases in 2022.
Chung said the increasing incidence of large-scale hacking had become a global trend and raised deep concerns, and that the commission would further enhance education and publicity this year to raise institutional awareness of protecting data security.
