EU wine labelling regulation requires that e-label pages collect no user data and display no marketing content. But what exactly does "no tracking" mean in practice? What data can you still access? And why can't you simply host the e-label on your winery's website? This article explains the privacy rules, what's allowed versus prohibited, and how to get useful scan insights without violating the regulation. For the full regulatory context, see our Wine E-Label Masterguide.
This guide summarises EU e-label privacy requirements for informational purposes. For legal advice specific to your situation, consult a qualified wine law professional. Last updated: March 2026.
The Regulatory Requirement: No Tracking on E-Labels
Article 119(5) of the amended CMO Regulation (EU) 1308/2013, introduced by Regulation 2021/2117, sets two clear rules for e-label pages accessed via QR codes:
- No collection or tracking of user data
- No sales or marketing information
Commission Notice C/2023/1190 reinforces these rules, stating that electronically provided information must be "neutral" and must not serve any commercial purpose beyond the mandatory regulatory disclosures.
This is not a soft guideline; it is a binding requirement. E-label pages that violate these rules put the winery at risk of the same enforcement actions as any other labelling non-compliance, including fines and market removal.
What "No Tracking" Actually Means in Practice
The regulation prohibits collecting data that identifies or could identify individual consumers. Here is what this means concretely:
| Category | Allowed | Prohibited |
|---|---|---|
| Scan counting | Aggregate total scans across all QR codes | Per-user session tracking |
| Geography | Country-level aggregate counts (from anonymised IP lookup) | Individual IP logging, GPS coordinates, precise location |
| Language detection | Approximate geolocation for auto-language selection | Storing the IP address after lookup |
| Temporal data | Aggregate scans by day and time period | Individual scan timestamps linked to users |
| Technology | Server-side anonymised processing | Cookies, Google Analytics, marketing pixels, fingerprinting |
| Content | Ingredients, nutrition, allergens, recycling info | Website links, promotional messages, e-commerce, branding beyond logo |
The key principle: aggregate and anonymised data is permitted; individual user data is not.
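The "Allowed" column of the table, as an added Python sketch (not code from QRFox.eu or any e-label platform): the client IP is used once for a country lookup and language choice, and only counters are kept. `GEO_TABLE`, `LANG_BY_COUNTRY`, `ScanStats` and the label id are hypothetical names, and the lookup table is a constructed stand-in for a real GeoIP database.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP database (documentation address ranges only).
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "FR",
    ipaddress.ip_network("2001:db8::/32"): "IT",
}
LANG_BY_COUNTRY = {"DE": "de", "FR": "fr", "IT": "it"}  # assumed mapping

def country_for(ip: str) -> str:
    """Resolve an address to a country code; 'ZZ' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "ZZ"

class ScanStats:
    """Keeps counters only; no field can hold an IP, user agent or session id."""
    def __init__(self):
        self.by_country = Counter()  # (label_id, country) -> scans
        self.by_period = Counter()   # (label_id, ISO date, hour) -> scans

    def record_scan(self, label_id: str, client_ip: str, when: datetime) -> str:
        country = country_for(client_ip)  # the IP is used here and nowhere else
        self.by_country[(label_id, country)] += 1
        # Country and time are counted separately, so no row joins the two.
        self.by_period[(label_id, when.date().isoformat(), when.hour)] += 1
        # Return only the page language; the address goes out of scope unstored.
        return LANG_BY_COUNTRY.get(country, "en")

def demo() -> ScanStats:
    """Feed four constructed scans through the counter."""
    stats = ScanStats()
    t = datetime(2026, 3, 14, 19, 5, tzinfo=timezone.utc)
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.4", "2001:db8::1"):
        stats.record_scan("riesling-2024", ip, t)
    return stats

if __name__ == "__main__":
    s = demo()
    print(dict(s.by_country))
    print(dict(s.by_period))
```

For the "not stored or logged" part to hold end to end, the web server and any reverse proxy in front of this code must also be configured not to write client addresses to their access logs.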
GDPR and Wine E-Labels: How They Interact
The CMO regulation's no-tracking requirement works alongside GDPR, but is stricter in some areas:
- GDPR Article 6(1)(f) allows data processing under "legitimate interest", but the CMO regulation overrides this for e-label pages by explicitly prohibiting user data collection, regardless of the legal basis.
- GDPR Recital 26 states that anonymised data (data that cannot be linked to an identifiable person) falls outside GDPR's scope entirely. Aggregate scan counts and country-level statistics meet this standard.
- GDPR Article 5(1)(c) requires data minimisation: collecting only what is necessary. For e-labels, the minimum is zero individual data.
In practice, this means: even if you believe you have a legitimate interest in knowing who scans your labels, the CMO regulation prohibits it on the e-label page. If you want detailed consumer data, use a separate marketing QR code (see below).
Why Your Winery Website Cannot Host the E-Label
Many producers initially ask: "Why can't I just put the e-label on my own website?" The answer involves both privacy and content requirements:
- Cookies: Most websites use cookies for analytics, advertising, or session management. Any cookie on an e-label page violates the regulation.
- Analytics: Google Analytics, Meta Pixel, Hotjar, and similar tools collect user data. They cannot be present on e-label pages.
- Marketing content: Winery websites contain product descriptions, promotions, event announcements, and e-commerce links, all prohibited on e-label pages.
- URL stability: E-labels must remain available for the product's expected shelf life. Website redesigns, domain changes, or CMS migrations risk breaking QR code links permanently.
- Mixed content risk: Even if you create a "clean" page on your site, other scripts loaded globally (analytics, chat widgets, marketing tags) may still fire on the e-label page.
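One way to check a candidate e-label page for the cookie, analytics and mixed-content problems listed above, as an added example that is not part of the original article or any platform's tooling. The function name `audit`, the host `winery.example` and the sample response are constructed for illustration; the tracker hosts are those of the tools the list names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts used by the tools the article names (Google Analytics, Meta Pixel, Hotjar).
TRACKER_HOSTS = ("google-analytics.com", "googletagmanager.com",
                 "connect.facebook.net", "hotjar.com")

class _Resources(HTMLParser):
    """Collects every URL the page asks the browser to load."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.urls.append(a["href"])

def audit(page_url, headers, html):
    """Return findings for one fetched response; an empty list means clean."""
    findings = []
    if any(name.lower() == "set-cookie" for name, _ in headers):
        findings.append("cookie set by response header")
    own_host = urlparse(page_url).hostname
    parser = _Resources()
    parser.feed(html)
    for url in parser.urls:
        host = urlparse(urljoin(page_url, url)).hostname
        if host is None or host == own_host:
            continue  # same-host or non-network URL (e.g. data:)
        known = any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)
        findings.append(("known tracker: " if known else "third-party resource: ") + host)
    return findings

# Constructed sample: an e-label page on a winery site whose global template
# still sets a session cookie and loads analytics tags.
PAGE_URL = "https://winery.example/e-label/riesling"
WINERY_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc; Path=/")]
WINERY_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="stylesheet" href="/css/site.css"></head>
<body><img src="logo.png"><script src="//static.hotjar.com/c/hotjar.js"></script>
</body></html>"""
CLEAN_HTML = '<html><body><img src="/logo.png"><h1>Ingredients</h1></body></html>'
```

This is a static check of a single response; tags injected at runtime by a tag manager only show up when the page is loaded in a headless browser and its network requests are recorded.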
A dedicated e-label platform like QRFox.eu E-Labels is purpose-built for this: no cookies, no Google Analytics, no third-party tracking of any kind on e-label pages, with guaranteed URL stability for the life of the product.
The Separate Marketing QR Code Option
The regulation only restricts the compliance QR code, the one marked "Ingredients" on your label. You are free to place additional QR codes on your wine bottle for marketing purposes:
- Link to your winery website or virtual tour
- Link to your online shop or e-commerce page
- Link to food pairing suggestions or winemaker notes
- Link to social media profiles
The requirement is that the marketing QR code must be clearly distinguishable from the compliance QR code. Consumers must not confuse the two. In practice, this means physical separation on the label and distinct labelling (e.g., "Visit our website" vs "Ingredients").
Analytics You Can Still Access
Despite the strict privacy rules, you are not flying blind. Aggregate, anonymised scan data provides meaningful business insights without touching individual user data:
- Total scan counts: How many times each QR code has been scanned, across all wines or per specific product
- Geographic distribution: Country-level scan counts, showing where your wines are being consumed (useful for export strategy)
- Temporal patterns: Scans by day of week and time of day, revealing when consumers are engaging with your labels
- Top performers: Which wines generate the most scans, indicating consumer interest and engagement levels
QRFox.eu E-Labels presents this data in a visual dashboard. The statistics feature can be enabled or disabled per product in the Company Profile section, giving you full control. All data is aggregate and anonymised: no individual consumer is ever identified.
How QRFox.eu Handles Privacy
QRFox.eu E-Labels is designed from the ground up for regulatory compliance:
- No cookies are set on any e-label page
- No Google Analytics or third-party tracking scripts
- No marketing pixels or fingerprinting technologies
- IP addresses are used only for momentary language detection and are not stored or logged
- All scan statistics are aggregate and anonymised
- The platform is regularly reviewed by legal experts to ensure ongoing compliance with both the CMO regulation and GDPR
This no-tracking approach is a key differentiator when choosing an e-label provider: many platforms fail on this requirement because they rely on standard web analytics infrastructure that was not designed for regulatory compliance.
Create your first compliant e-label free, no credit card required. For a comprehensive walkthrough of every compliance detail, see the Wine E-Label Masterguide.




