Banking and Finance Law Daily Envelope printed with unencrypted QR code with debtor’s account number violates FDCPA
News
Tuesday, August 13, 2019

Envelope printed with unencrypted QR code with debtor’s account number violates FDCPA

By Nicole D. Prysby, J.D.

A debt collector violated the FDCPA when it sent to a debtor an envelope displaying an unencrypted QR code that, when scanned, revealed the debtor’s account number.

An envelope that did not directly display a debtor’s internal account number with the collection agency but did display an unencrypted "quick response" or "QR" code that revealed the number when scanned violates the Fair Debt Collection Practices Act (FDCPA), held the Third Circuit Court of Appeals. Given the ubiquity of smartphones with QR scanning apps, there is no meaningful difference between displaying an account number itself and displaying a QR code with the number embedded, said the court. And the debt collector may not take advantage of the bona fide error defense because printing of the QR code was not the result of a clerical mistake, but an error in understanding obligations under the FDCPA (Dinaples v. MRS BPO, LLC, Aug. 12, 2019, Chagares, M.).

After the consumer fell behind on her credit card payments, the bank assigned her account to a debt collection agency called MRS BPO, LLC (MRS). MRS sent the consumer a collection letter in an envelope that had a QR code printed on its face. The QR code, when scanned with a QR-code reader, revealed the internal reference number associated with the consumer’s account at MRS. The consumer filed a class action lawsuit against MRS, alleging that the collection agency, by printing the QR code on the envelope, had violated the FDCPA, which prohibits debt collectors from "[u]sing any language or symbol, other than the debt collector’s address, on any envelope when communicating with a consumer by use of the mails." 15 U.S.C. §1692f(8). The district court granted summary judgment to the consumer on liability, reasoning that there is no meaningful difference between displaying an account number itself (which violates the FDCPA) and displaying a QR code with the number embedded.

Analysis. The Third Circuit first concluded that the consumer suffered a concrete injury when the debt collector sent her a letter in an envelope displaying a QR code that, when scanned, revealed her account number with the debt collection agency. Disclosure through a QR code, which anyone could easily scan and read, implicates the same core privacy concerns as direct disclosure of the account number. The consumer was not required to demonstrate that anyone did actually intercept the letter, scan the QR code, and determine that the contents related to debt collection; disclosure of the account number is itself the harm.

The court also agreed with the district court that the consumer had a successful claim under the FDCPA, which prohibits debt collectors from using any language or symbol, other than the debtor’s address, on the envelope. Some courts have found exceptions for benign language (e.g., "forwarding and address correction requested"), but the QR code does not fall within any benign language exception. An account number is a core piece of information that implicates a core concern of the FDCPA, invasion of privacy. The court rejected MRS’s argument that account information could only be seen by someone "unlawfully scanning" the envelope. There is no material difference between disclosing an account number directly on the envelope and doing so via QR code––the harm is the same, especially given the ubiquity of smartphones with QR scanning apps. Whether it is illegal to scan someone’s mail is beside the point.

MRS may not take advantage of the bona fide error defense. Had MRS’s printing of the QR code been the result of a clerical mistake, accidentally included contrary to MRS’s normal procedures, then it could conceivably avail itself of the bona fide error defense. But that was not MRS’s argument. MRS asserted that using QR codes is the industry standard and that it committed a mistake by using that standard. This was not a factual error that would give rise to the bona fide error defense, but an error in understanding obligations under the FDCPA.

The case is No. 18-2972.

Attorneys: Ari H. Marcus (Marcus & Zelman, LLC) for Donna Dinaples. Michael D. Alltmont (Sessions Fishman Nathan & Israel) for MRS BPO LLC.

Companies: MRS BPO LLC

MainStory: TopStory DebtCollection DelawareNews NewJerseyNews PennsylvaniaNews Privacy

Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More
Banking and Finance Law Daily

Banking and Finance Law Daily: Breaking legal news at your fingertips

Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on banking and finance legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.

Free Trial Learn More