DiNaples v. MRS BPO, LLC, et al.
In a recent published decision, the Third Circuit Court of Appeals upheld a judgment issued by the Western District of Pennsylvania in a class action matter regarding the lawfulness of printing confidential information in the form of “QR” codes on the outside of collection letter envelopes.
Under the Federal Debt Collection Practices Act (FDCPA), collectors are prohibited from printing confidential or sensitive personal information on the accessible portion of an envelope or other mailer sent to a borrower for the purpose of collecting a debt. Under the court's prior decision in Douglass v. Convergent Outsourcing (765 F.3d 299), it was determined that printing a borrower's internal collections account number on the outside of a collections letter envelope constituted unauthorized disclosure of confidential information in violation of the FDCPA.
In reviewing the recent matter of DiNaples v. MRS BPO, LLC, et al. (D.C. No. 2-15-cv-01435), the court was faced with the question of whether a “QR” (or “quick response”) code in which a debtor's account number is in bedded constitutes an unlawful act or a violation of the FDCPA. In DiNaples, the plaintiff debtor received a debt collection letter inside an envelope bearing not only the plaintiff's name and address but also a scannable QR code. Upon scanning the code with a free app on the plaintiff's smart phone, the plaintiff was directed without any further action or barrier to her account number provided by the debt collector.
On filing legal action on her own behalf and on behalf of those similarly situated, the plaintiff sued the defendant collector for violating the FDCPA by making unauthorized disclosures of confidential information. The district court certified the class action and, in response to cross motions for summary judgment, found in favor of the plaintiff class, finding unequivocally that the actions of the defendant collections agency violated the FDCPA. The defendant timely filed an appeal, arguing that it was a simple, harmless error of fact and that it innocently misunderstood the law's specific prohibitions regarding printing information on collections envelopes. The Third Circuit Court of Appeals reviewed the matter and sided in full with the lower court's ruling in the plaintiffs' favor.
In its de novo review, the appellate court asked whether there was a legal equivalent between the QR codes printed on the envelopes at issue and printing the borrowers' account numbers as was determined prohibitive in the Douglass case. The Third Circuit panel found that the problem with printing account numbers on collections envelopes is because it results in disclosure of confidential information and that providing account numbers by QR code is not functionally different. In the case at issue, the same confidential information was simply made available via a QR code that can be scanned without tampering or otherwise leaving any indication for the recipient that sensitive information was accessed by a third party. Since QR codes can be scanned using any number of free applications and since nearly everyone is in constant possession or at least has access to a smart phone these days, the account number revealed by scanning the code is effectively equally accessible as simply printing the account number on the envelope.
The court made no finding as to whether the same violation would occur if a password or other information were required to access the account information after scanning the QR code, but the appellate court was clear in its rejection of the defendant-appellant's argument that providing access to the account numbers via unprotected QR codes was excusable error. In sum, the court concluded that printing embedded confidential information in a QR code on the outside of a collections envelope is the legal equivalent of printing the confidential information directly on the envelope and that both constitute unauthorized disclosures in violation of the FDCPA.
Significantly, the appellate court's opinion also included an analysis of the plaintiff's standing to file the matter in Federal court in the first instance. The Court notably disagreed with the defendant-appellant collector that some actual incident of harm must be shown by the plaintiff in order to meet the requisite threshold and, instead, found that the mere disclosure of sensitive or confidential information, including the disclosure of a collection account number embedded in a QR code, constitutes a tangible injury. No evidence or allegation of interception or access by an intended third party is required to show requisite harm. The disclosure itself is sufficient to establish injury.