Hand holding a card with QR code Photo: Shutterstock

Unencrypted “quick response,” or QR, codes printed on the outside of envelopes that link to a debtor’s information violate the Fair Debt Collection Practices Act, a federal appeals court has ruled, applying five-year-old case law to an open question.

A unanimous three-judge panel of the U.S. Court of Appeals for the Third Circuit ruled Monday that a woman who received a collection letter with a QR code linking to her account number suffered a concrete harm, and that the unencrypted QR code violated the FDCPA. The ruling allows the plaintiff, Donna DiNaples, to execute a class action settlement she entered into with the defendant collection agency, MRS BPO LLC.

Although the collection agency had contended that QR codes—which are two-dimensional barcodes that can be read using apps downloaded onto smartphones—were “facially neutral and appear[ed] on many commercial mailings,” Judge Michael Chagares, who wrote the court’s 14-page opinion, relied heavily on the court’s 2014 decision in Douglass v. Convergent Outsourcing, which determined that including a debtor’s account number on the outside of an envelope violates the FDCPA.

“There is no material difference between disclosing an account number directly on the envelope and doing so via a QR code—the harm is the same, especially given the ubiquity of smartphones,” Chagares said.

According to Chagares, DiNaples had a credit card with Chase Bank, but fell behind on her payments, so Chase assigned MRS BPO to collect the debt. The company eventually sent her a letter with a QR code printed on its face. Chagares said that, when scanned, the QR code revealed an internal reference number associated with DiNaples’ account with MRS.

DiNaples filed a class action, alleging the QR code appearing on the envelope violated the FDCPA, which bars debt collectors from using any “language or symbol, other than the debt collector’s address, on any envelope when communicating with a consumer.”

The U.S. District Court for the Western District of Pennsylvania denied MRS BPO’s efforts to dismiss the case, finding there was no meaningful difference between displaying an account number and displaying an easily scannable QR code. Much of the lower court’s ruling relied on Douglass.

The company appealed to the Third Circuit, contending that Douglass was distinguishable. In Douglass, the account information was on the face of the envelope, but in DiNaples’ case, the information can only be accessed by scanning the envelope—an activity MRS BPO contended was illegal and akin to opening a letter addressed to another person.

Chagares, however, said he was unpersuaded, noting in a footnote opening a letter leaves evidence that he had been tampered with, while scanning a QR code does not show any physical signs that the information has been accessed.

“Whether it is illegal to scan someone’s mail, as MRS argues, is beside the point,” Chagares said in the body of the opinion. “The debt collector has still exposed private information to the world in violation of the FDCPA.”

Chagares was joined by Judges D. Brooks Smith and Joseph Greenaway.

According to Chagares, the parties stipulated to $11,000 in damages for the settlement, which, DiNaples’ attorney, Yitzchak Zelman of New Jersey- and New York-based Marcus & Zelman, said should come to about $35 per claimant.

“We are gratified that the Third Circuit has agreed with the district court that debt collectors cannot embed private information in easily scannable QR codes displayed on the outside of collection mailings,” Zelman said. “We now look forward to finally distributing the class damages earmarked for the hundreds of class members who also benefited from this decision.”

MRS BPO’s attorney, New Orleans-based Michael Alltmont of Sessions, Fishman, Nathan & Israel, declined to comment.