---
title_en: "Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering"
title_zh: "网络安全标准实践指南 — 扫码点餐个人信息保护要求"
abbreviation: "TC260 QR Ordering Guide"
hierarchy: "standard"
issuing_body: "National Information Security Standardization Technical Committee (TC260)"
status: "effective"
related_laws: ["app-necessary-pi-scope-provisions"]
domains: ["personal-information"]
url: https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide/
summary: "This TC260 practice guide sets personal-information protection requirements for QR-code ordering (扫码点餐) in restaurants and similar settings — a response to the common practice of forcing customers to follow accounts, register, or hand over excessive personal information just to view a menu or order. It emphasizes minimum necessity, the availability of order-without-registration options, and no forced follows or over-collection. It is advisory practice guidance applying PIPL's minimum-necessity principle and the app necessary-PI rules to this everyday scenario."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Cybersecurity Standards Practice Guide — Personal Information Protection Requirements for QR-Code Ordering", https://datacompliancechina.com/laws/tc260-qr-ordering-pi-guide/
> *DCC summary, not a translation.* TC260 practice guides are copyright-protected and the Secretariat prohibits unauthorized translation. The structured summary below is DCC's own paraphrase grounded in the guide's title and the underlying regime; specific clauses should be checked against the published guide.

## Scope

This practice guide provides **personal-information protection requirements for QR-code ordering scenarios** — where customers scan a code to view a menu and place an order in restaurants, cafés and similar venues. It applies to the merchants and the mini-program / platform providers that operate such ordering services, and addresses what personal information may be collected and on what terms.

It is a **practice guide** issued by the TC260 Secretariat — advisory, not a mandatory standard. It targets a well-known consumer grievance: being required to follow a public account, register a member account, or grant access to personal information merely to order food.

## Key contents

At a structural level the guide is expected to cover:

- **Minimum necessity** — collecting only the personal information genuinely needed to complete an order; ordering should not require registration or membership where it is not necessary.
- **No forced following / registration** — customers should be able to view the menu and order without being compelled to follow an account or hand over identity information.
- **Consent and transparency** — clear notice of what is collected and why; separate consent for anything sensitive or non-essential (e.g., marketing).
- **Marketing and profiling limits** — no using the ordering interface to coerce consent for unrelated marketing or profiling.
- **Security and deletion** — protecting and deleting the collected data appropriately.

> *Editor: verify specific clauses against the published guide.*

## How it fits the regime

The guide applies **PIPL's minimum-necessity principle** (Articles 5–6, which require processing to have a clear, reasonable purpose and to be limited to the minimum scope necessary) and its consent rules to a high-volume everyday scenario. It also draws on the logic of the **Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications**, which cap what apps may require for their core function, and on the broader campaign against forced, excessive and bundled collection in mobile services.

For overseas compliance teams operating consumer-facing ordering or mini-program services in China, it is the scenario-specific reference for designing a compliant scan-to-order flow — order-first, register-only-if-needed — and it complements the app-collection rules, the notice-and-consent guide and GB/T 35273.
