Your favorite server at your local pizza spot may remember you love anchovies. Now, thanks in part to the QR code you used to open the menu and order, other eateries might know, too.

These tiny black-and-white squares originated in factories in the 1990s and saw a resurgence during the pandemic, as more people took extra steps to keep their hands clean and touchless technologies gained ground at restaurants and retailers.

Just open a phone camera, point it at this special type of link and get transported to a website with more information than a paper menu ever offered. Even classically brick-and-mortar businesses like furniture retailers are using QR, or quick response, codes to help shoppers choose what to buy.

But QR codes serve a purpose beyond cutting down on germs. They turn analog interactions — like ordering a pizza — into digital ones, and those digital interactions can be subject to tracking by the restaurant or store. Because QR codes open a browser, companies might use that digital signal to connect the dots between online and offline activity.

According to research firm Forrester, half of adults with smartphones that have scanned QR codes in stores took steps to limit what data the linked app or site collected. And just 8 percent of adults with smartphones have scanned QR codes in stores at all.

“I’m not sure I want my pizza place to understand me much better than it does now,” said Eric Rescorla, chief technology officer of Firefox, a privacy-forward Internet browser by Mozilla. Rescorla called out privacy problems with QR codes in a blog post in July — with some important caveats.

Contrary to some write-ups, QR codes themselves are not tracking you, Rescorla said. And no, they’re not a trapdoor into some scary underground world of tracking and surveillance.

You already live in that world, Rescorla said, but QR codes may be a good reminder of how it all works.

Are QR codes bad?

A shoe store wants to connect the dots between the people milling around the store and the ones who visit its website or click on its ads. This presents a challenge for brands, said Brent Ramos, director of product for search at marketing analytics provider Adswerve, and they’ve traditionally had to piece together a complicated collection of information from data sellers to figure it out.

Now, the industry is shifting, and tracking consumers is getting more difficult in general. Firefox and Safari phased out third-party cookies — tiny bits of code that websites use to track you around the Internet — and Google pledged to do the same. As people become more privacy conscious and some shadier data sources start to dry up, many companies have shifted their sights to first-party data, or the kind they collect themselves.

QR codes have emerged as an effective way to collect first-party data, Ramos said. If that pair of jeans you like has a QR code on the tag, you can scan to read more details on the brand’s website. The next time you visit, the site will remember you, and the jeans might be waiting in your shopping cart with a discount.

“That’s a benefit for the consumer and the brand, right?” Ramos said.

Ramos said brands need to clearly let consumers know when and why data is being collected, and the ones that do will come out on top as individual companies scramble to beef up their collections of first-party data. But he acknowledged that detailed disclosures regarding when data collection is happening and where that data ends up would be a seismic shift for an industry used to hiding the specifics.

QR codes and your privacy

QR codes themselves don’t infringe on your privacy, but the websites they open might, Rescorla said, adding that third-party tracking is nowhere near gone for good.

A retailer’s website could be sending your information to any number of third-party companies, according to Rescorla. It’s unlikely you’ll stop to read the privacy policy when you’re looking for a dessert menu — and even more unlikely that privacy policy lists the assorted “affiliates” the website shares data with.

Even if a restaurant or retailer doesn’t share your information with trackers, that doesn’t mean that data doesn’t get leveraged at all. For instance, a QR-enabled mobile ordering tool may use customer data from one restaurant to target more marketing, Rescorla said. Maybe you order a Manhattan, then later see a coupon in your inbox for the cocktail bar down the street.

The real privacy issue with QR codes is the broader tracking apparatus the codes are part of, according to Rescorla. And, without new rules and regulations, that’s not going away.

“If you’re upset about this, what you should really be upset about is the rest of your life and how much tracking is going on,” Rescorla said.

Right now, the best way to avoid tracking when you visit a website through a QR code — or any other way — is to turn on private browsing mode. To cut down on tracking by third parties, use a browser with anti-tracking features, like Firefox or Safari.

QR codes and your security

QR codes come with some security risks as well, according to Allan Liska, a senior threat analyst at cybersecurity firm Recorded Future. Like any other link, the codes can be the first step in a malware or phishing attack.

First, there’s the “stick a malicious QR code in a high-traffic area” trick. If you ever see a lonely QR sticker on a streetlight or bus stop, don’t scan it.

Then there’s the unfortunately named “quishing” attack,” where a hacker sticks a QR code inside a phishing email designed to fool recipients into opening a malicious link or attachment. Your work email account likely has anti-phishing protections that block suspicious links, but by including the QR code, hackers bet on unsuspecting people pulling out their phones to scan, Liska said.

And look out for apps billing themselves as QR scanners, he added. They’ve been known to spread malware. Your phone’s camera works just fine.

Avoiding QR codes alone won’t protect you from getting tracked by companies. But if you want to cut down on unnecessary data-sharing, pull out some cash and pick up that old laminated menu instead.