September 6, 2019, Trial News
Displaying QR code on debt collection envelope violates privacy, Third Circuit rules
Using a scannable QR code containing a debtor’s account number on the outside of a debt collection envelope violates the Fair Debt Collection Practices Act, the Third Circuit has ruled. The QR code, which anyone who downloads a scanning app can read, disclosed confidential information and violated the plaintiff’s privacy. Even though there was no evidence that anyone tried to access the code or use the information, the court also found that the plaintiff had Article III standing because the invasion of privacy is a cognizable injury in and of itself.
Using a scannable QR code containing a debtor’s account number on the outside of a debt collection envelope violates the Fair Debt Collection Practices Act (FDCPA), the Third Circuit has ruled. The QR code, which anyone who downloads a scanning app can read, disclosed confidential information and violated the plaintiff’s privacy. Even though there was no evidence that anyone tried to access the code or use the information, the court also found that the plaintiff had Article III standing because the invasion of privacy is a cognizable injury in and of itself under the U.S. Supreme Court’s 2016 decision in Spokeo v. Robins. (DiNaples v. MRS BPO, LLC, 2019 WL 3773014 (3d Cir. Aug. 12, 2019).)
When Donna DiNaples couldn’t keep up with the payments on her Chase Bank credit card, her account was assigned to debt collection agency MRS BPO, LLC. The agency sent DiNaples an envelope with a QR code—a scannable matrix barcode—printed on the outside. QR codes can be deciphered easily by downloading an app to a smartphone. When scanned, the QR code on the envelope revealed a string of numbers and letters that included DiNaples’s account number.
DiNaples filed a class action against MRS, alleging that displaying the QR code on the envelope violated §1692f(8) of the FDCPA, which prohibits the use of “any language or symbol, other than the debt collector’s address, on any envelope when communicating with a consumer by use of the mails.” The provision is intended to protect the privacy and confidential information of a person who has been assigned to debt collection. Both parties moved for summary judgment; the district court granted the plaintiff’s motion on liability.
Pointing to Third Circuit precedent in Douglass v. Convergent Outsourcing (765 F.3d 299 (2014))—which held that displaying an internal account number on a debt collection envelope violated the FDCPA—the district court found that a QR code falls within this same category of disclosure. It noted that “there was no meaningful difference between displaying the account number itself and displaying a QR code.” The defendant appealed, and the Third Circuit affirmed.
The Third Circuit first addressed whether DiNaples had Article III standing to bring a claim. The defendant argued that she did not because there was no evidence that the QR code had been accessed or misused by another party. The court disagreed, however, based on the contours for a cognizable injury set out in Spokeo. Although DiNaples’s injury was “intangible,” it was “concrete.” In Spokeo, the Supreme Court explained that an intangible injury can satisfy Article III standing requirements if it “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Another important factor in this analysis is the judgment that Congress exercises in creating the cause of action the plaintiff alleges. The Third Circuit found that both circumstances applied here.
The court explained that it applied these Spokeo principles in two analogous cases involving account numbers on debt collection envelopes and doing so was not a benign oversight but “such conduct [that] ‘implicates a core concern animating the FDCPA—the invasion of privacy.’” The reasoning of those cases extended to QR codes because they implicate the same core privacy concerns and, even though the numbers were not explicitly displayed on the envelope, anyone with a smartphone could easily scan and read them. This disclosure is the harm caused to the plaintiff, and therefore, the plaintiff alleged a sufficiently concrete injury to confer standing.
Next, the court examined the merits of the FDCPA claim. Many courts have interpreted the language of §1692f(8) broadly, implementing a “benign language exception” when evaluating claims to avoid “bizarre results,” such as a postage mark being considered a “symbol” in violation of the statute. But the Third Circuit concluded that such an exception does not apply here because concluding that disclosure of an account number on the envelope is benign would run counter to the statute’s intent: to protect debtors’ privacy. Finding that “there is no material difference” between a QR code and displaying the actual account number on the envelope, the court held that the defendant’s actions violated the plaintiff’s privacy.
“The defendant’s arguments about the legality of scanning barcodes on mail and the unlikelihood that anyone would ever do so thus collapses like the proverbial house of cards. The defendant’s arguments are all built on its underlying premise that an account number is ‘not a big deal’ and that ‘it doesn't mean anything,’” said Asbury Park, N.J., attorney Ari Marcus, who represents the plaintiff. “Common sense cuts right through that argument, because otherwise a collection agency can conceivably place any of the debtor’s information in the unencrypted QR code and claim that the information is protected by the laws prohibiting strangers from scanning another person’s mail.”