Can a QR code track your location or device when you scan it?

Sometimes — it depends entirely on whether the code is static or dynamic, and the QR code itself is never the part doing the tracking. It's just a container for a link. What happens after you scan is where the answer actually lives.

A fake QR code sticker placed over a legitimate code on a payment terminal

Static QR codes: nothing to track

A static QR code has the destination URL baked directly into the black-and-white pattern. Your camera decodes it locally and opens that exact address — no server sits in between, so there's nothing to log. This is why free QR code generators that don't require an account almost always produce static codes: there's no ongoing service behind them to report back to.

Dynamic QR codes: what actually gets logged

A dynamic QR code encodes a short redirect link instead of the final destination. Scanning it sends a request to the generator's server first, which logs a few things before forwarding you on: your IP address, your device's user-agent string (phone model, OS, browser), a timestamp, and sometimes a referrer header. The redirect itself takes milliseconds, so it looks identical to a static code from where you're standing.

What's typically collected

  • Approximate location (country/city, from IP)
  • Device type, OS, and browser
  • Time of scan
  • Total vs. unique scan counts

What isn't, by default

  • Your name, email, or phone number
  • Precise GPS coordinates
  • Your identity across unrelated codes

So can it get your exact location?

Only through the same mechanism any website uses: the landing page itself requesting location access through the browser's Geolocation API, and your browser showing the standard permission prompt. IP-based geolocation alone resolves to a city or region, not an address — the same accuracy your public IP address already reveals to a normal website just from you visiting it. If a QR-linked page also grants itself a payment or contact-form step, that's a separate, explicit data collection event, not something the QR code enabled on its own.

The bigger risk isn't tracking — it's where the code leads

Scan analytics are largely aggregate and IP-based, which makes them a fairly mild privacy concern next to the more common real-world attack: someone printing a malicious sticker and placing it directly over a legitimate code. This has turned up on parking meters and restaurant tables in multiple cities, redirecting scanners to fake payment pages designed to harvest card details rather than to log a scan at all — the FTC has issued consumer warnings about exactly this pattern. That's the threat worth actually being cautious about.

Before scanning anything payment-related: check the sticker sits flush with no lifted edge, and read the domain your scanner previews before tapping through — most phone cameras show it in a small banner before opening the link. It's just a phishing attack delivered through a QR code instead of an email link, so the same caution applies.
Can a QR code get my exact GPS location without asking?

No. A QR code, static or dynamic, can only trigger a request for your precise GPS location through the landing page it opens, using the same browser location-permission prompt any website uses. Your browser has to show that prompt and you have to tap allow — there's no way for a QR code or the page behind it to pull GPS coordinates silently. Without that permission, any location data collected comes from your IP address, which only resolves to a city or region, not an address.

Does scanning a QR code with my phone's camera send anything anywhere?

The decode itself happens entirely on your device — no data leaves your phone just from pointing the camera at the pattern. Tracking only becomes possible in the next step, when you (or the app) opens the decoded link and that request reaches a server. Static QR codes skip that server entirely and go straight to the destination, so there's genuinely nothing to log.

How do I know if a QR code is static or dynamic before I scan it?

You generally can't tell by looking at the printed code. The practical signal is the URL your scanner previews before opening it: a long, direct-looking address usually points to a static code, while a short branded redirect domain (a URL shortener style link) usually means a dynamic one routing through an analytics service first.

Is it safe to scan a QR code on a parking meter or restaurant table?

The bigger risk isn't tracking — it's a sticker placed over the real code. This has been reported on parking meters and menus in several cities, redirecting scanners to fake payment pages instead of collecting scan analytics. Check the sticker sits flush with no edges peeling up, and read the previewed domain before tapping through, especially on anything involving a payment.