Are the IPs of unique visitors tracked GDPR and CCPA compliant when scanning a QR Code?

Yes, the way we track unique visitors is GDPR / CCPA compliant. This is done by anonymizing the IP address of the user who scans the QR Code. We do not store a tracking cookie on the users device and we do not use browser fingerprinting.

You as account owner can set the detail of anonymization in your account settings.

Depending on the strategy you are using to anonymize IP addresses, you can be fully compliant to GDPR / CCPA. However, the number of unique visitors might not be accurate. The following strategies give you an overview about compliancy and accuracy.

When hashing the IP address, we use the sha256-hash function and add a salt before hashing. However, if users are using the same Wi-Fi network, we cannot distinguish them as separate unique users because they share the same IP address. To be fully GPDR / CCPA compliant we recommend not only hashing but also anonymizing the IP.

Using this strategy, you get the most accurate number of unique visitors that are scanning your QR Codes. Even if more users are behind the same Wi-Fi network, the user agent of a device helps us to distinguish unique visitors more accurate. Only if two or more users have the same user agent and are behind the same IP address they will be counted as the same unique visitor.

Before the IP address is hashed, we truncate the last byte of the IP address e.g., 192.168.178.123 -> 192.168.178.XXX. Using anonymization might makes the number of unique visitors smaller in your statistics, because if there are 2 unique visitors that have a different IP just in the last byte e.g., 192.168.178.123 and 192.168.178.125 they will be counted as the same unique visitor.

This strategy is set as the default behavior and this way is fully GDPR / CCPA compliant.

By choosing this option we do not store any information about unique visitors at all. In your statistics you will just see the number of QR Code scans but not how many people scanned your QR Codes. Please note when unique visitors are not recorded, some functions, like one-time scannable QR Codes based on IP address, do not work.

Login into your account. The anonymization level can only be set in paid accounts. In free accounts the IP is always anonymized & hashed.

Go to your account settings and search for the section Data Protection. In the IP Anonymization drop-down you can set one of three anonymization levels. Click on Save to update the data protection settings.