QR Code Regulations — What Businesses Need to Know
Regulatory requirements affecting QR code usage: EU Digital Product Passport, FDA food labeling, pharmaceutical serialization, accessibility laws, and data privacy.
QR codes started as an unregulated convenience. Now governments and standards bodies are mandating them. If your business uses QR codes — or will soon be required to — here's the regulatory landscape you need to understand.
This isn't legal advice. But it is a practical overview that should inform your conversations with legal counsel.
EU Digital Product Passport (DPP) — 2027 Onward
The European Union's Ecodesign for Sustainable Products Regulation (ESPR) introduces the Digital Product Passport. This is the single biggest regulatory change affecting QR codes in the next decade.
What it requires: a QR code (or other data carrier) on products sold in the EU that links to a standardized set of sustainability and product lifecycle data. Timeline:- Batteries: DPP required from February 2027
- Textiles, electronics, furniture: phased rollout 2027-2030
- Eventually covers most consumer products
- Product composition and materials
- Carbon footprint data
- Repairability and recyclability information
- Supply chain origin data
- Compliance certifications
Start planning now. The infrastructure to generate, host, and maintain DPP data for your entire product catalog takes time to build.
FDA Food Labeling — SmartLabel and Bioengineered Disclosure
In the US, the National Bioengineered Food Disclosure Standard (NBFDS) allows manufacturers to disclose bioengineered (GMO) ingredients via a QR code on the label instead of text.
What the law says: if a food product contains bioengineered ingredients, the manufacturer must disclose this. One acceptable method is a QR code linking to the disclosure. The controversy: consumer advocacy groups argued that requiring a phone to access mandatory safety information is discriminatory toward people without smartphones, elderly consumers, and those in areas with poor connectivity. The USDA acknowledged this concern but allowed the QR option anyway, provided a phone number and text-based option are also available. Practical requirements:- The QR code must link directly to the bioengineered ingredient disclosure (not a general product page)
- A phone number for text-based disclosure must accompany the QR code
- The phrase "Scan here for more food information" or equivalent must be displayed
Pharmaceutical Serialization — DSCSA
The Drug Supply Chain Security Act (DSCSA) requires unit-level serialization of prescription drugs in the US, with full interoperability requirements in effect since November 2024 (after multiple delays).
What it requires: every saleable unit of a prescription drug must carry a unique product identifier encoded in a 2D data matrix (not technically a QR code, but a close relative in the 2D barcode family).The encoded data includes:
- National Drug Code (NDC)
- Serial number (unique per unit)
- Lot number
- Expiration date
Impact: pharmaceutical manufacturers, wholesalers, and dispensers must be able to scan and verify these codes at every point in the supply chain. This is fundamentally an anti-counterfeiting measure.
Similar regulations exist in the EU (Falsified Medicines Directive), Russia (Chestny ZNAK), and India (DAVA).
GS1 Digital Link — The Bridge Standard
GS1, the organization behind UPC barcodes, has been developing the Digital Link standard that encodes product identifiers in a URL-format QR code.
GS1 Sunrise 2027: retailers are encouraged to accept QR codes at point of sale alongside (and eventually replacing) traditional barcodes.The format: https://id.gs1.org/01/09520123456788/10/ABC123
This single QR code can be:
- Scanned at retail POS as a product identifier
- Scanned by consumers for product information
- Used for regulatory compliance (DPP, DSCSA)
- Tracked for supply chain visibility
If you're in retail or CPG, aligning with GS1 Digital Link now positions you for regulatory compliance across multiple jurisdictions simultaneously.
Accessibility Regulations
Several laws affect how QR codes must be implemented in public-facing contexts:
| Regulation | Jurisdiction | Requirement |
|---|---|---|
| ADA (Americans with Disabilities Act) | US | QR codes cannot be the sole access method for essential services |
| European Accessibility Act | EU (effective June 2025) | Digital services must meet WCAG 2.1 AA |
| Equality Act 2010 | UK | Reasonable adjustments required for disabled access |
| AODA | Ontario, Canada | Accessible formats required for public information |
Data Privacy (GDPR, CCPA)
Dynamic QR codes that track scans collect data: IP addresses, device information, approximate location, and timestamps. This is personal data under GDPR and CCPA.
Requirements:- Disclose data collection in your privacy policy
- If operating in the EU, ensure lawful basis for processing (likely legitimate interest)
- Provide data access and deletion mechanisms if requested
- If using third-party QR analytics services, ensure they have appropriate data processing agreements
Compliance Checklist
Before deploying QR codes at scale:
- Determine if your products are subject to DPP, DSCSA, or NBFDS requirements
- Evaluate GS1 Digital Link compatibility if you're in retail
- Ensure accessibility — alternative access methods for all QR-gated content
- Review data privacy obligations for dynamic/tracked QR codes
- Document your compliance approach for regulatory audits
Related Tools
- QR Code Generator — standards-compliant QR code creation
- Bulk QR Generator — batch serialization for product compliance
- Dynamic QR Codes — trackable codes with privacy-aware analytics