Walk into any cannabis dispensary and pick up a product. Almost certainly, thereâs a QR code on the label â maybe more than one. Regulators require them for lab test results. Brands use them for loyalty enrollment. Marketing teams use them to drive social follows and product education pages.
Each of those QR codes, when scanned, is a data event. And most cannabis operators have no idea what data is being collected, stored, or sold when their customers scan.
What QR Codes Actually Collect
A QR code is just a machine-readable version of a URL. When a consumer scans a QR code on a cannabis product, their device makes an HTTP request to a server â and that request contains, at minimum:
- IP address of the scannerâs device (geolocation to city or zip code level)
- User agent (device type, operating system, browser)
- Timestamp of the scan
- Referrer (if the URL is a redirect, the scan platform knows it originated from the QR code)
If the QR code leads to a page with tracking pixels (Meta Pixel, Google Analytics, TikTok Pixel), the data collection expands further:
- Device fingerprint (screen resolution, fonts, plugins)
- Cookie-based cross-site tracking if the consumer has visited the brandâs or platformâs sites before
- Conversion events if the consumer then purchases or signs up for something
If the QR code leads to a loyalty program enrollment:
- Name, email, phone number, date of birth
- Purchase history (once theyâre enrolled)
- Location (if they grant location permission)
- Potentially health conditions if itâs a medical cannabis product and the enrollment form asks
This data trail is far richer than most cannabis operators realize â and most of it flows to third parties (QR code platforms, analytics tools, social media companies) under terms of service that the consumer never saw and the cannabis operator likely never fully read.
The Regulatory QR Code Requirement â And Its Privacy Complications
Many cannabis regulatory frameworks now require QR codes on product packaging. Californiaâs Bureau of Cannabis Control regulations require a scannable QR code linking to the productâs Certificate of Analysis (CoA) from a licensed testing laboratory. Several other states have similar requirements.
The intent is transparency: consumers should be able to verify whatâs in their product. But the implementation creates privacy complications:
State-required QR codes go to third-party platforms. Most cannabis brands donât host their own CoA pages. They use platforms like Confident Cannabis, Metrc Labs, or similar services that host lab results and provide the QR code. Every scan goes to the platformâs servers â not the brandâs. The platform operator is collecting scan data about where products are being used and by whom.
IP address data collected by CoA platforms can be correlated. An IP address from a QR scan at 9pm from a residential IP address is effectively pseudonymous health data â it indicates that a specific household used cannabis at a specific time. In California, which has explicit health data protections under CMIA (Confidential Medical Information Act) and CPRA, this may constitute sensitive personal information.
Regulators havenât caught up. Most state cannabis regulations that require QR codes on products were written before modern privacy frameworks. They mandate the disclosure (the CoA link) without addressing the data collection that happens as a side effect.
CCPA/CPRA Compliance for QR-Based Data Collection
Under the California Consumer Privacy Act (amended by CPRA), if youâre collecting data through QR codes â even indirectly through third-party platforms â you have obligations.
Third-party data sharing: If a QR scan sends consumer data to a third party (the CoA hosting platform, analytics tool, or loyalty platform), this may constitute a âsaleâ or âsharingâ of personal information under CPRA if the third party uses that data for its own purposes. The âDo Not Sell or Share My Personal Informationâ disclosure requirement could apply.
Sensitive personal information: Under CPRA, geolocation data is sensitive personal information. If your QR code platform collects precise geolocation from scans (some platforms do, with permission), this triggers enhanced CPRA obligations.
Right to know: Consumers have a right to know what personal information youâre collecting. If your privacy policy doesnât mention QR code scan data, youâre likely in violation.
Service provider vs. third party distinction: If your CoA hosting platform only uses scan data to provide the service to you (not for their own marketing), they may qualify as a âservice providerâ under CPRA â a meaningful distinction that limits your liability. But this requires a written Data Processing Agreement (DPA) specifying the limitations. Most cannabis brands donât have these.
Loyalty Program QR Codes: A Special Problem
QR codes used for loyalty program enrollment or point scanning are a distinct category with heightened compliance risk because they explicitly collect personal information.
The most common pattern:
- Product packaging has a QR code that says âScan to earn loyalty pointsâ
- Consumer scans â redirected to loyalty program enrollment page
- Consumer enters name, email, phone, date of birth
- System links their purchase to their loyalty profile
This is covered extensively in our Cannabis Loyalty Program Privacy article, but the QR code specifically adds:
Tracking across products: If the same loyalty platform QR code appears on products from multiple brands (common with white-label loyalty programs), the platform can build a cross-brand purchase profile. A consumer who buys Brand A flower and Brand B edibles from different dispensaries might not know those purchases are being linked.
Cross-device tracking: If the QR scan creates a cookie and the consumer later logs into the loyalty portal on a desktop, the platform can link the mobile scan to the desktop session â building a cross-device profile.
Health data inference: Purchase history linked to specific products (high-CBD strains, indica vs. sativa, microdose edibles) can be used to infer health conditions. Under CPRA and state consumer health data laws (Washingtonâs My Health MY Data Act, Nevadaâs health data protections), this inference may constitute regulated health data.
State Cannabis Regulations and QR Code Compliance
Beyond California, other state frameworks create QR-related compliance considerations:
Colorado: CO MED regulations require labels to include a batch number traceable to testing documentation. Some operators use QR codes for this â the same compliance concerns apply.
Illinois: IDFPR and the Illinois Cannabis Regulation and Tax Act require lab testing transparency. QR-linked CoA is common; the underlying data handling must comply with Illinois BIPA (for any biometric elements) and IL consumer privacy developments.
Massachusetts: Cannabis Control Commission label regulations require specific disclosures. QR codes linking to supplemental information are common. Massachusetts has an active AG office for consumer privacy.
Oregon: OLCC label requirements. Oregon Consumer Privacy Act (effective July 2024) creates rights for Oregon consumers including the right to opt out of targeted advertising â which QR-to-ad-platform tracking arguably constitutes.
New York: OCM label rules. NY SHIELD Act and the evolving NY Privacy Act create data security and privacy obligations for NY resident data, including from QR scans.
What Good QR Code Data Practices Look Like
Cannabis operators who want to use QR codes responsibly â and avoid future regulatory exposure â should implement the following:
For Regulatory Compliance QR Codes (CoA Links)
- Host your own CoA pages where feasible, or use platforms with strict data minimization policies. Request and review the platformâs privacy policy and data retention practices.
- Negotiate DPAs with your CoA hosting platform specifying they cannot use scan data for their own purposes.
- Disclose QR scan data collection in your privacy policy, including the fact that third-party platforms may collect IP addresses and device data.
- Use QR redirect services that donât log individual scans for regulatory CoA links, or ensure your platformâs logging is aggregate only (no individual scan data).
For Loyalty and Marketing QR Codes
- Use first-party data collection where possible â direct consumers to your own hosted page, not a third-party loyalty platform that retains the data for their own purposes.
- Provide clear notice at the point of scan: âScanning this code will collect [data types] for [purposes].â
- Obtain explicit consent before collecting personal information through QR-linked enrollment flows.
- Provide an opt-out for any cross-product or cross-brand tracking.
- Audit your loyalty platform vendor: Request their SOC 2 report and data processing practices. Loyalty platforms are a concentrated target for data brokers.
- Suppress geolocation collection on loyalty QR landing pages unless thereâs a specific operational need (e.g., nearest store finder).
For All QR Codes
- Inventory all QR codes on your products and where they redirect
- Map what data is collected at each destination (your analytics, platform analytics, third parties)
- Update your privacy policy to disclose QR scan data collection
- Execute DPAs with all platforms receiving scan data
- Assess whether any scan data constitutes âsale or sharingâ under CPRA â if yes, implement Do Not Sell / Share mechanism
- Review state-specific health data laws in every state where products are sold
The Regulatory Trajectory
Cannabis regulators are beginning to look at product labeling QR codes with a privacy lens, not just a compliance transparency lens. Several signals:
- California CPRA enforcement: The California Privacy Protection Agency has indicated health and wellness industries are a priority enforcement area. Cannabis QR codes touching health data are an obvious intersection.
- Washington My Health MY Data Act: Washingtonâs health data law, which covers consumer health data broadly, could apply to cannabis QR scan data that reveals health-relevant consumer behavior.
- FTC commercial surveillance: The FTCâs commercial surveillance rulemaking â focused on data brokers and tracking practices â could eventually touch loyalty platforms used by cannabis brands.
Operators who wait for explicit regulatory action before addressing QR code privacy will be in a reactive posture. The operators who build privacy-respecting labeling practices now will have a competitive and compliance advantage when enforcement arrives.
QR codes are a small rectangle with significant data implications. Cannabis operators who treat them as a printing decision rather than a data governance decision are building compliance risk with every product batch they run.
For more on consumer data privacy in cannabis retail, see our Cannabis Loyalty Program Privacy article.



