The U.S. Court of Appeals for the Third Circuit recently held that a debt collector violated the federal Fair Debt Collection Practices Act (FDCPA) when the envelope it sent to a debtor displayed an unencrypted code that revealed the debtor’s account number when scanned.
The opinion is DiNaples v. MRS BPO, LLC.
A consumer defaulted on her credit card and the bank that issued it assigned the account to a debt collection agency. The debt collector sent the consumer “a collection letter as a pressure-sealed envelope that had a QR [or quick response] code printed on its face. QR codes … can be scanned by a reader downloadable as an application (better known as an ‘app’) on a smartphone.”
Upon being scanned, the QR code reader revealed a sequence of letters, symbols and numbers, part of which was the internal reference number associated with the consumer’s account at the debt collection agency.
The consumer filed a putative class action lawsuit against the debt collection agency, alleging that it violated subsection 1692f(8) of the FDCPA, which prohibits debt collectors from “[u]sing any language or symbol other than the debt collector’s address, on any envelope when communicating with a consumer by use of the mails.”
Both sides moved for summary judgment. The trial court granted the plaintiff’s motion as to liability based on the Third Circuit’s ruling five years ago in Douglass, which “held that a debt collector violates § 1692f(8) by placing on an envelope the consumer’s account number with the debt collector.” The trial court reasoned that “there was no meaningful difference between displaying the account number itself and displaying a QR code — scannable ‘by any teenager with a smartphone app’ — with the number embedded.”
The trial court also rejected both the debt collector’s argument that the plaintiff “had not ‘suffered a concrete injury,’” explaining that [plaintiff] was injured by “‘the disclosure of confidential information[,]’” and the “argument that it was protected by the FDCPA’s ‘bona fide error defense.’”
The trial court entered judgment for the plaintiff and the certified class. The debt collector appealed.
On appeal, the Third Circuit first addressed whether the plaintiff had standing to sue, the first step in determining whether the Court had subject matter jurisdiction over the case. The Court explained that in order to satisfy the “case or controversy” required for a federal court to hear a case under Article III of the Constitution, the plaintiff must “have standing to sue. … Standing has three elements: ‘[t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.’ … An ‘injury in fact’ is one that is ‘concrete and particularized.’ … To be concrete, the injury ‘must actually exist.’ … It must be ‘real,’ not ‘abstract.’”
After reviewing the Supreme Court’s ruling in Spokeo to determine whether the plaintiff’s intangible injury was sufficiently concrete, the Court concluded that the plaintiff “suffered a concrete injury when her debt collector sent her a letter in an envelope displaying a QR code that, when scanned, revealed her account number with the debt collection agency.”
The Court reasoned that it had already applied the principles set forth in Spokeo in its 2018 decision in St. Pierre v. Retrieval-Masters Creditors Bureau, which “held that a debtor suffered a concrete injury when a debt collector … sent him a collection letter in an envelope displaying his account number with the debt collector.”
The Third Circuit went on to explain that “[i]n Douglass, we had held that displaying a consumer’s account number on an envelope was not ‘benign,’ explaining that such conduct ‘implicates a core concern animating the FDCPA—the invasion of privacy.’ … Thus, in St. Pierre, we concluded that the harm inflicted by exposing the debtor’s account number was ‘a legally cognizable injury.’ … We explained that, because the harm involves the invasion of privacy, it ‘is closely related to harm that has traditionally been regarded as providing a basis for a lawsuit in English and American courts.’ … And therefore, per Spokeo, the plaintiff in St. Pierre had standing.”
Here, the Court concluded that even though it did not expressly address the QR-code issue in Douglass and St. Pierre, “the reasoning of those two cases inevitably dictates that [the plaintiff] has suffered a concrete injury. … Whether disclosed directly on the envelope or less directly through a QR code, the protected information has been made accessible to the public….”
Because, according to the Court, the disclosure was itself a concrete harm, the plaintiff did not have to show “that someone had actually intercepted her mail, scanned the barcode, read the unlabeled string of numbers and determined the contents related to debt collection—or it was imminent someone might do so.”
Having held that the plaintiff had standing to sue, the Court considered whether the trial court correctly held that “she had a successful claim under the FDCPA.”
First, it analyzed the text of § 1692f(8), finding “[t]here is no dispute that that provision plainly prohibits the QR code.”
Next, the Court rejected the debt collector’s argument “to read a benign language exception into § 1692f(8)” because a literal reading “would seemingly prohibit including ‘a debtor’s address and an envelope’s pre-printed postage,’ as well as ‘any innocuous mark related to the post, such as “overnight mail” and “forwarding and address correction requested.”’”
The Third Circuit reasoned that the disclosure of the account number itself was an invasion of privacy. “As explained above with respect to standing, the harm here is still the same — the unauthorized disclosure of confidential information. And if such disclosure was not benign, disclosure via an easily readable QR code is not either. Protected information has still been compromised.”
Thus, the Court affirmed the trial court’s holding that the debt collector violated the FDCPA by sending “an envelope displaying an unencrypted QR code that, when scanned, reveals the debtor’s account number.”
The Third Circuit also rejected the debt collector’s bona fide error defense because “‘the bona fide error defense in § 1692k(c) does not apply to a violation of the FDCPA resulting from a debt collector’s incorrect interpretation of the requirements of that statute.’ … Put differently, ‘FDCPA violations forgivable under § 1692k(c) must result from “clerical or factual mistakes,” not mistakes of law.’” The debt collector did not make a mistake of fact, but instead “just misunderstood its obligations under the FDCPA.” By arguing “that it ‘mistakenly believed that its conduct could not conceivably violate the FDCPA[,]’” the debt collector essentially admitted that it made a mistake of law, not one of fact.
Accordingly, the trial court’s judgment was affirmed.