Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · TC260 QR ORDERING GUIDE

Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering.

网络安全标准实践指南 — 扫码点餐个人信息保护要求

FILED UNDER · Personal Information

DCC summary, not a translation. TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC’s own paraphrase grounded in the guide’s title and the underlying regime; specific clauses should be checked against the published guide.

Scope

This practice guide provides personal-information protection requirements for QR-code ordering scenarios — where customers scan a code to view a menu and place an order in restaurants, cafés and similar venues. It applies to the merchants and the mini-program / platform providers that operate such ordering services, and addresses what personal information may be collected and on what terms.

It is a practice guide issued by the TC260 Secretariat — advisory, not a mandatory standard. It targets a well-known consumer grievance: being required to follow a public account, register a member account, or grant access to personal information merely to order food.

Key contents

At a structural level the guide is expected to cover:

  • Minimum necessity — collecting only the personal information genuinely needed to complete an order; ordering should not require registration or membership where it is not necessary.
  • No forced following / registration — customers should be able to view the menu and order without being compelled to follow an account or hand over identity information.
  • Consent and transparency — clear notice of what is collected and why; separate consent for anything sensitive or non-essential (e.g., marketing).
  • Marketing and profiling limits — no using the ordering interface to coerce consent for unrelated marketing or profiling.
  • Security and deletion — protecting and deleting the collected data appropriately.

Editor: verify specific clauses against the published guide.

How it fits the regime

The guide applies PIPL’s minimum-necessity principle (Articles 5–6, which require processing to have a clear, reasonable purpose and to be limited to the minimum scope necessary) and its consent rules to a high-volume everyday scenario. It also draws on the logic of the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, which cap what apps may require for their core function, and on the broader campaign against forced, excessive and bundled collection in mobile services.

For overseas compliance teams operating consumer-facing ordering or mini-program services in China, it is the scenario-specific reference for designing a compliant scan-to-order flow — order-first, register-only-if-needed — and it complements the app-collection rules, the notice-and-consent guide and GB/T 35273.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

No briefs filed yet under this law.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →