DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying regime; specific clauses should be checked against the published guide.
Scope
This practice guide provides personal-information protection requirements for QR-code ordering scenarios — where customers scan a code to view a menu and place an order in restaurants, cafés and similar venues. It applies to the merchants and the mini-program / platform providers that operate such ordering services, and addresses what personal information may be collected and on what terms.
It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard. It targets a well-known consumer grievance: being required to follow a public account, register a member account, or grant access to personal information merely to order food.
Key contents
At a structural level the guide is expected to cover:
- Minimum necessity — collecting only the personal information genuinely needed to complete an order; ordering should not require registration or membership where it is not necessary.
- No forced following / registration — customers should be able to view the menu and order without being compelled to follow an account or hand over identity information.
- Consent and transparency — clear notice of what is collected and why; separate consent for anything sensitive or non-essential (e.g., marketing).
- Marketing and profiling limits — no using the ordering interface to coerce consent for unrelated marketing or profiling.
- Security and deletion — protecting and deleting the collected data appropriately.
Editor: verify specific clauses against the published guide.
How it fits the regime
The guide applies PIPL’s minimum-necessity principle (Articles 5–6, which require processing to have a clear, reasonable purpose and to be limited to the minimum scope necessary) and its consent rules to a high-volume everyday scenario. It also draws on the logic of the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, which cap what apps may require for their core function, and on the broader campaign against forced, excessive and bundled collection in mobile services.
For overseas compliance teams operating consumer-facing ordering or mini-program services in China, it is the scenario-specific reference for designing a compliant scan-to-order flow — order-first, register-only-if-needed — and it complements the app-collection rules, the notice-and-consent guide and GB/T 35273.