At noon on January 11, Ms. Li and her friends met at the "PUTIEN (Lujiazui Center) restaurant". Seeing the order code posted on the desktop, she skillfully pulled out her mobile phone and opened WeChat. But just after scanning the two-dimensional code, a reminder of "pay attention to the public number" popped up. Recalling the various restaurant public accounts on her mobile phone, Ms. Li couldn't help but sigh, and then pressed the "Follow" button and began to choose dishes.
Every New Year's Festival, in addition to the blessings received by relatives and friends, there are also "greetings" from various public accounts, Ms. Li is overwhelmed, and every time there is a period of time, she has to clean up a wave of useless public accounts. What worries her even more is that there is also a trap of information harvesting behind the scanning code ordering.
Since April last year, the Shanghai Municipal Consumer Protection Commission has repeatedly called for "restaurants should not collect or collect as little information as possible from consumers", and Tencent has also pushed a notice to developers on the issue of self-inspection and scanning code ordering mandatory attention to public accounts. It is reported that Tencent has verified such problems since January 17 this year, and the illegal official account will be restricted from the ability of the QR code to open the official account.
1 month has passed, how is the rectification of the restaurant's self-inspection? The reporter went to a number of restaurants in Shanghai to conduct investigations and visits.
Mandatory attention has been abolished, and personal information is still "fragrant"
The reporter visited several shopping malls and scanned the order codes of nearly 20 restaurants such as Lao fat cats, new white deer, typhoon shelters, Bai Chunyuan, soup cans, and small man handmade powder, and observed the collection of personal information by merchants. In general, all the restaurants visited do not need to pay attention to the public account when scanning the code to order food, and the ordering function can be realized by using a small program, many of which use the ordering system developed by the same third party. In addition, most restaurants also offer paper menus in addition to scanning codes to order food.
However, the reporter noted that even if consumers are not forced to pay attention to public accounts, the situation of using various links to obtain consumer information still exists.
In Raffles City on the North Bund's "Rice Peach Jiangnan Su Xi Cuisine" restaurant, the reporter used his mobile phone to "sweep" the order code on the table, and immediately jumped out of the "stored value 1000 free 100" prompt. The reporter did not want to recharge, but if he did not turn over the advertisement, he could not order food, and there was only one "order me authorized" option on the page. As a last resort, the reporter could only click "click me authorization", and as a result, he was asked to provide a WeChat nickname and avatar. Fortunately, this link has a "reject" option, after the reporter selects "reject", he finds that he can also enter the order page and complete the order. But strangely, on the checkout page, the mini program also applied to obtain the orderer's mobile phone number, if canceled, it could not check out. That is to say, from ordering food to checkout, this small program asked for the reporter's personal information three times in total, and finally successfully obtained the reporter's mobile phone number.
You will be asked for your mobile phone number when you pay the bill.
Personal information such as WeChat nicknames, avatars, and geographical locations is still "fragrant" in the eyes of merchants. Bai Chunyuan (Century Bailian Store), Tang Xiaocang (Century Bailian Store), and Nanxiang Xiaolong Steamed Bun (Century Bailian Store) still require consumers to authorize the provision of WeChat nicknames, avatars, etc. before scanning the code to order food, while the fat cat asks for location information. In addition, the reporter tried to cancel the personal information that had been authorized to the "one store, one purchase" mini program in a restaurant, and also did not find the cancellation entrance.
Several merchants applied to obtain user nicknames and avatars.
What's more noteworthy is that the problem of excessive collection of personal information is not limited to the catering sector. In the 12345 citizen service hotline, many citizens reported that in other matters such as issuing electronic invoices and choosing delivery services, "asking for personal information" has become a unified operation for businesses. At the beginning of February, Mr. Du went to the hot spring at No. 600 Jinqiao Road, and when he entered the door to pick up the number, he was asked to pay attention to the public number and provide a mobile phone number. "Isn't this mandatory collection of user information? Why can't I provide a non-scan method? ”
Behind the repeated prohibitions: "For follow-up marketing"
Can service companies such as restaurants provide mini programs and apps that do not request personal information? The answer is yes.
The reporter learned that most of the ordering and checkout information services used by such service enterprises come from third-party software service providers, and related service chambers provide corresponding modules, including push advertising, whether to request personal information, and what personal information to request. "These modules are not fixed, but can be added or deleted according to customer needs. As long as the customer says they don't need these services, they can fully meet their needs. An engineer at an ordering service software vendor said.
But he acknowledged that most service companies collect user data to a greater or lesser degree, "all for follow-up marketing." For example, he said, if users are required to pay attention to the public account, it means that catering companies can provide rich push content, including product information, preferential information, etc.; if the user's mobile phone number is obtained, then advertising can be sent in the form of text messages, "Now we all pay attention to precision marketing, private domain traffic, and accumulate their own customer groups through a single consumption, which has become the norm." ”
Most of the common scan code ordering systems are based on open source code, and the development difficulty is not high, which greatly increases the risk of consumer information leakage. Usually, the personal information provided by consumers is stored in the background of the system and connected to the merchant's own system. However, due to the large number of third-party software service providers on the market and the uneven level of service, there is no guarantee whether the relevant data will be properly kept or whether it will be "re-sold".
Technicians said that it is not difficult to change the phenomenon of excessive demand for consumer information through technical means, the key is to clarify whether merchants can ask for user information, and once they illegally request user information and leak user information, what kind of legal responsibility they need to bear, "Only by fully recognizing the importance of personal information protection can we eliminate excessive demand for personal information from the source." ”
"Over-collection" is suspected of violating the law
The Shanghai Municipal Consumer Protection Commission and relevant legal personages have expressed their opposition to the retail enterprises' requests for personal information when ordering meals and settling through QR codes.
Tang Jiansheng, deputy secretary-general of the Shanghai Municipal Consumer Protection Commission, pointed out that scanning the code to order food can improve the service efficiency of the restaurant, but "as long as you can know which table to order and what dishes to order." As for whether it is Zhang San or Li Si sitting at this table, as well as their mobile phone number, WeChat username and other information, the restaurant does not need to understand, the restaurant should not collect or collect as little information as possible from consumers. ”
Lu Shanjing, a public interest lawyer at the Shanghai Municipal Consumer Protection Commission and a partner at Shanghai Hairuo Law Firm, pointed out that it is a "formal voluntary and substantively compulsory" transaction behavior to set conditions such as "agreeing to obtain personal information", "agreeing to obtain user location information" and "agreeing to a third party to obtain information" for scanning codes and ordering food. Article 26 of the Law on the Protection of Consumer Rights and Interests stipulates that business operators shall not use standard terms, notices, statements, store notices, etc., to make unfair or unreasonable provisions to consumers, such as excluding or restricting consumers' rights, reducing or exempting business operators' responsibilities, or increasing consumers' responsibilities, and must not use standard terms and technical means to force transactions. If the merchant compulsorily requires consumers to scan the code to order food, consumers have the right to refuse, or complain to the market supervision department. At the same time, merchants should protect consumers' personal information, and if consumers find that their personal privacy information has been violated, they should promptly protect their rights through legal channels.
Ge Zhihao, a lawyer at Beijing Guantao Zhongmao (Shanghai) Law Firm, believes that the essence of food and beverage consumption is the purchase of catering services by consumers from merchants, and the establishment of this relationship does not require consumers to provide personal information as a necessary premise. Therefore, the restaurant requires consumers to place orders or pay bills through APP or WeChat Mini Programs, and then collect consumers' personal information, which clearly exceeds the necessary limits, in addition to the voluntary behavior of customers, generally speaking, such behavior should be classified as "excessive collection" prohibited in the Personal Information Protection Law.
At the same time, according to the relevant provisions of the Personal Information Protection Law, if a merchant collects consumers' personal information, it must also follow a series of rules, including clearly informing consumers of the purpose of the collection behavior, the rules of information processing, and the method of information processing; if the consumer does not agree with the collection behavior, the merchant should also cooperate with the withdrawal of the collection behavior, and if it has been collected and used, it should be promptly and effectively removed according to the requirements of the consumer, and so on. However, at present, most merchants have not provided or informed such services.
As for the "automated decision-making" behavior of merchants collecting personal information for "smart push", the Personal Information Protection Law also makes provisions, giving consumers the right to freely choose or refuse to be "smart push".