PRECEDENTIAL
UNITED STATES COURT OF APPEALS
FOR THE THIRD CIRCUIT
_____________
No. 18-2972
_____________
DONNA DINAPLES,
on behalf of herself and all others similarly situated
v.
MRS BPO, LLC; JOHN DOES 1-25
MRS BPO, LLC,
Appellant
____________
On Appeal from the United States District Court
for the Western District of Pennsylvania
(D.C. No. 2-15-cv-01435)
Chief District Judge: Honorable Mark R. Hornak
Argued: June 27, 2019
Before: SMITH, Chief Judge, and CHAGARES and
GREENAWAY, JR., Circuit Judges
(Filed August 12, 2019)
Michael D. Alltmont [ARGUED]
Bryan C. Shartle
Sessions Fishman Nathan & Israel
3850 North Causeway Boulevard
Lakeway Two, Suite 200
Metairie, LA 70002
Andrew J. Blady
Sessions Fishman Nathan & Israel
3682 Green Ridge Road
Furlong, PA 18925
Ross Enders
Law Offices of J. Scott Watson
24 Regency Plaza
Glen Mills, PA 19342
Counsel for Appellant MRS BPO, LLC
Ari H. Marcus
Yitzchak Zelman [ARGUED]
Marcus & Zelman
701 Cookman Avenue
Suite 300
Asbury Park, NJ 07712
Mark G. Moynihan
Suite 1-N
112 Washington Place
Pittsburgh, PA 15219
Counsel for Appellee Donna DiNaples
2
_____________
OPINION OF THE COURT
_____________
CHAGARES, Circuit Judge.
Five years ago, in Douglass v. Convergent Outsourcing,
765 F.3d 299 (3d Cir. 2014), we held that a debt collector
violated the Fair Debt Collection Practices Act (“FDCPA”), 15
U.S.C. §§ 1692–1692p, when it sent a collection letter in an
envelope displaying the debtor’s internal account number with
the collection agency. We are now asked to decide whether the
same is true when the envelope does not, on its face, show the
account number but does display an unencrypted “quick
response,” or “QR,” code that reveals the number when
scanned. The District Court held that such conduct violates the
FDCPA. We agree and will affirm.
I.
The facts underlying this appeal are undisputed.
Donna DiNaples had a credit card through Chase Bank.
Eventually, she fell behind on her payments, so Chase assigned
her account to a debt collection agency called MRS BPO, LLC
(“MRS”). MRS sent DiNaples a collection letter as a pressure-
sealed envelope that had a QR code printed on its face. QR
codes, including the one here, can be scanned by a reader
downloadable as an application (better known as an “app”) on
a smartphone. And this QR code, when scanned with a QR-
code reader, revealed the following sequence:
3
“LU4.###1813.3683994.”1 The string “LU4.###1813” was
the internal reference number associated with DiNaples’s
account at MRS.
DiNaples filed a class action lawsuit against MRS,
alleging that the collection agency, by printing the QR code on
the envelope, had violated the FDCPA, which prohibits debt
collectors from “[u]sing any language or symbol, other than the
debt collector’s address, on any envelope when
communicating with a consumer by use of the mails.” 15
U.S.C. § 1692f(8). Each side eventually filed a motion for
summary judgment.
The District Court granted DiNaples’s motion on
liability, concluding that MRS violated the FDCPA. The
District Court explained that this conclusion was required by
our decision in Douglass, in which we held that a debt collector
violates § 1692f(8) by placing on an envelope the consumer’s
account number with the debt collector. 765 F.3d at 303, 306.
For the District Court, there was no meaningful difference
between displaying the account number itself and displaying a
QR code — scannable “by any teenager with a smartphone
app” — with the number embedded. DiNaples v. MRS BPO,
LLC, No. 2:15-cv-01435-MAP, 2017 WL 5593471, at *2
(W.D. Pa. Nov. 21, 2017). The District Court further rejected
MRS’s contention that DiNaples had not “suffered a concrete
injury,” explaining that DiNaples was injured by “the
disclosure of confidential information.” Id. And the District
Court rejected MRS’s argument that it was protected by the
1
Pursuant to Federal Rule of Civil Procedure 5.2(a)(4),
MRS and DiNaples omitted the first three digits of her account
number from their summary-judgment filings.
4
FDCPA’s “bona fide error defense.” Id. at *3. The District
Court also certified the proposed class.
The parties thereafter stipulated that, to the extent that
there was liability, the damages would be $11,000. The
District Court granted judgment for DiNaples and the class for
that amount, and this timely appeal followed.
II.
We consider first a jurisdictional issue –– DiNaples’s
standing to sue.2 The District Court, while it did determine that
DiNaples had suffered a concrete injury, never explicitly
addressed standing, seemingly assuming it was a non-issue.
We, though, must assure ourselves of DiNaples’s standing.
Anthony v. Council, 316 F.3d 412, 416 (3d Cir. 2003).
Article III of the Constitution limits the federal courts to
adjudication of “Cases” and “Controversies.” U.S. Const. art.
III, § 2, cl. 1. “Courts enforce the case-or-controversy
requirement” by requiring the plaintiff to have standing to sue.
Toll Bros., Inc. v. Twp. of Readington, 555 F.3d 131, 137 (3d
Cir. 2009). Standing has three elements: “[t]he plaintiff must
have (1) suffered an injury in fact, (2) that is fairly traceable to
the challenged conduct of the defendant, and (3) that is likely
to be redressed by a favorable judicial decision.” Spokeo, Inc.
v. Robins, 136 S. Ct. 1540, 1547 (2016). An “injury in fact” is
one that is “concrete and particularized.” Id. at 1548 (quoting
Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)). To
2
As long as DiNaples has standing, the District Court
had jurisdiction under 28 U.S.C. § 1331. We have appellate
jurisdiction under 28 U.S.C. § 1291.
5
be concrete, the injury “must actually exist.” Id. It must be
“real,” not “abstract.” Id.
The question here is whether DiNaples suffered a
concrete injury when her debt collector sent her a letter in an
envelope displaying a QR code that, when scanned, revealed
her account number with the debt collection agency. We
conclude that she did.
Because DiNaples’s injury was intangible, we begin our
analysis with the Supreme Court’s decision in Spokeo. There,
the Court reaffirmed that, while tangible injuries are typically
easier to identify, “intangible injuries can nevertheless be
concrete.” 136 S. Ct. at 1549. The Court in Spokeo offered
guidance for determining the concreteness of an intangible
injury. The Court explained that “both history and the
judgment of Congress play important roles.” Id. As to history,
courts should “consider whether an alleged intangible harm has
a close relationship to a harm that has traditionally been
regarded as providing a basis for a lawsuit in English or
American courts.” Id. Congress’s “judgment is also
instructive and important,” because Congress “is well
positioned to identify intangible harms that meet minimum
Article III requirements.” Id. Granted, just because a plaintiff
asserts a congressionally created cause of action does not
necessarily mean that the plaintiff has suffered a concrete
injury. Id. A “bare procedural violation” will not meet the
concreteness requirement. Id. But “the violation of a
procedural right granted by statute can be sufficient in some
circumstances to constitute injury in fact,” and “a plaintiff in
such a case need not allege any additional harm beyond the one
Congress has identified.” Id.
6
We have already applied the principles set forth in
Spokeo to a similar situation. In St. Pierre v. Retrieval-Masters
Creditors Bureau, 898 F.3d 351 (3d Cir. 2018), we held that a
debtor suffered a concrete injury when a debt collector, in
violation of the FDCPA, sent him a collection letter in an
envelope displaying his account number with the debt
collector. Id. at 355, 358. We explained that our earlier
decision in Douglass –– though not a decision directly
addressing standing –– resolved the matter. Id. at 357–58. In
Douglass, we had held that displaying a consumer’s account
number on an envelope was not “benign,” explaining that such
conduct “implicates a core concern animating the FDCPA—
the invasion of privacy.” 765 F.3d at 303. That number, we
emphasized in Douglass, was “a core piece of information”
relating to the debtor’s status as such, and, if “[d]isclosed to the
public, it could be used to expose her financial predicament.”
Id. Thus, in St. Pierre, we concluded that the harm inflicted by
exposing the debtor’s account number was “a legally
cognizable injury.” 898 F.3d at 358. We explained that,
because the harm involves the invasion of privacy, it “is closely
related to harm that has traditionally been regarded as
providing a basis for a lawsuit in English and American
courts.” Id. (citing Douglass, 765 F.3d at 303, and Spokeo, 136
S. Ct. at 1549). And therefore, per Spokeo, the plaintiff in St.
Pierre had standing.
St. Pierre, to be sure, did not involve the precise
situation we have here –– an account number displayed not on
the face of the envelope but embedded in a QR code. And in
St. Pierre we explicitly declined to address that scenario. See
id. at 357 n.6 (“[W]e need not reach the question whether
exposure of the ‘quick response’ code on the envelope, without
more, would be sufficient to confer standing under the FDCPA
7
because exposure of one’s account number itself suffices.”).
We similarly declined to consider our QR-code issue in
Douglass. See 765 F.3d at 301 n.4 (“Douglass no longer
presses her argument that Convergent violated the FDCPA by
including the QR Code on the envelope. . . . We therefore do
not decide that issue.”).
Nonetheless, we conclude that the reasoning of those
two cases inevitably dictates that DiNaples has suffered a
concrete injury. Disclosure of the debtor’s account number
through a QR code, which anyone could easily scan and read,
still “implicates core privacy concerns.” Id. at 304. The debt
collector has “displayed core information relating to the debt
collection” that is “susceptible to privacy intrusions.” Id. at
305. Whether disclosed directly on the envelope or less
directly through a QR code, the protected information has been
made accessible to the public. And as we concluded in St.
Pierre, such an invasion of privacy “is closely related to harm
that has traditionally been regarded as providing a basis for a
lawsuit in English and American courts.” 898 F.3d at 357–58.
It thus follows from our Douglass and St. Pierre decisions that
DiNaples has suffered a sufficiently concrete harm.
MRS is incorrect to suggest that “to establish Article III
standing, [DiNaples] would have to show that someone
actually intercepted her mail, scanned the barcode, read the
unlabeled string of numbers and determined the contents
related to debt collection –– or it was imminent someone might
do so.” MRS Br. 16 (emphases omitted). The teaching of
Douglass and St. Pierre is that the disclosure of an account
number is itself the harm –– it “implicates core privacy
concerns,” Douglass, 765 F.3d at 304, and therefore is
sufficiently concrete under Spokeo to establish an injury-in-
8
fact, St. Pierre, 898 F.3d at 357–58. In other words, because
the disclosure is the concrete harm here, DiNaples “need not
allege any additional harm beyond the one Congress has
identified.” Spokeo, 136 S. Ct. at 1549. Her evidence that she
received an envelope with a QR code containing private
information was enough to establish a concrete injury.3
We hold that DiNaples has standing to sue.
III.
Satisfied that DiNaples has standing, we now consider
whether the District Court correctly determined that she had a
successful claim under the FDCPA. Our review is de novo.
See Tundo v. Cty. of Passaic, 923 F.3d 283, 286 (3d Cir. 2019).
A.
The FDCPA, specifically 15 U.S.C. § 1692f(8),
prohibits debt collectors from:
[u]sing any language or symbol, other than the
debt collector’s address, on any envelope when
communicating with a consumer by use of the
mails or by telegram, except that a debt collector
3
For this reason, MRS’s attempt to distinguish St.
Pierre as involving a motion to dismiss, and hence a lower
evidentiary standard, falls flat. Though the motion here is for
summary judgment, DiNaples has offered sufficient evidence
of her concrete injury, namely the envelope’s displaying a QR
code embedded with her account number.
9
may use his business name if such name does not
indicate that he is in the debt collection business.
There is no dispute that that provision plainly prohibits the QR
code. Still, as other courts have observed, § 1692f(8) is rather
expansive when read literally. It would seemingly prohibit
including “a debtor’s address and an envelope’s pre-printed
postage,” as well as “any innocuous mark related to the post,
such as ‘overnight mail’ and ‘forwarding and address
correction requested.’” Strand v. Diversified Collection Serv.,
Inc., 380 F.3d 316, 318 (8th Cir. 2004); see also Goswami v.
Am. Collections Enter., Inc., 377 F.3d 488, 493 (5th Cir. 2004).
To avoid these “bizarre results,” Strand, 380 F.3d at 318, many
courts, as well as the Federal Trade Commission, have read a
“benign language exception” into § 1692f(8), see Goswami,
377 F.3d at 493–94. Although we have never adopted such an
exception, MRS asks us to do so here and conclude that the QR
code falls within it.
But once again, we return to our decision in Douglass.
To repeat, Douglass involved an envelope displaying the
debtor’s account number with the debt collector. 765 F.3d at
300–01. There, as here, the debt collector urged us to read a
benign language exception into § 1692f(8), and like MRS, the
debt collector in Douglass argued that the account number
should fall within that exception. See id. at 301. We declined
to decide whether § 1692f(8) contains such an exception
because, regardless, the account number was not benign. Id. at
301, 303. That number, we explained, was “a core piece of
information,” the disclosure of which “implicate[d] a core
concern animating the FDCPA––the invasion of privacy.” Id.
at 303. We thus rejected the debt collector’s contention that
the “account number is a meaningless string of numbers and
10
letters, and its disclosure has not harmed and could not possibly
harm Douglass.” Id. at 305–06.
As with standing, the question is whether the analysis
changes when the account number is not on the face of the
envelope but is embedded in a QR code. The panel in Douglass
explicitly left that question open. See id. at 301 n.4. But,
keeping in mind that “the FDCPA must be broadly construed
in order to give full effect to [its remedial] purposes,” Caprio
v. Healthcare Revenue Recovery Grp., LLC, 709 F.3d 142, 148
(3d Cir. 2013), we agree with the District Court that the
reasoning of Douglass applies fully to an account number
embedded in a QR code. As explained above with respect to
standing, the harm here is still the same –– the unauthorized
disclosure of confidential information. And if such disclosure
was not benign, disclosure via an easily readable QR code is
not either. Protected information has still been compromised.
MRS argues that Douglass is distinguishable. There,
the account information was on the face of the envelope,
capable of being seen by all. Here, by contrast, the envelope
facially displayed no connection to debt collection. It just
revealed a QR code, which is facially neutral and appears on
many commercial mailings. Any account information,
according to MRS, is hidden from public sight and could only
be seen by “unlawfully scanning” the envelope. MRS Br. 24
n.3. MRS suggests that “scanning the QR Code on an envelope
addressed to another is akin to opening a letter addressed to
another.” MRS Br. 23.
We are not persuaded. While we do not decide here
whether a benign language exception to § 1692f(8) exists, it
would apply only to language truly benign relative to the
11
purposes of the FDCPA. See Douglass, 765 F.3d at 303 (“[W]e
cannot find language exempt from § 1692f(8) if its disclosure
on an envelope would run counter to the very reasons Congress
enacted the FDCPA.”). If, as we held in Douglass, disclosure
of a debtor’s account number is an invasion of privacy, it
follows that disclosure of a QR code embedded with that
number is not benign. A QR code is still “susceptible to
privacy intrusions,” even if it does not facially display any
“core information relating to the debt collection.”4 Id. at 305.
There is no material difference between disclosing an account
number directly on the envelope and doing so via QR code ––
the harm is the same, especially given the ubiquity of
smartphones.5 Whether it is illegal to scan someone’s mail, as
MRS argues, is beside the point. The debt collector has still
exposed private information to the world in violation of the
FDCPA.6
4
We do not consider whether a debt collector violates §
1692f(8) by including on an envelope a QR code that does not
contain a consumer’s account number.
5
For this reason, it also does not matter where on the
envelope the QR code is printed, which MRS suggests makes
a difference. The account number has still been disclosed,
regardless of its location on the envelope.
6
And contrary to MRS’s contentions, there is a
difference between scanning a letter and opening it. The
former can be done surreptitiously without leaving any
evidence of tampering. Not so when a letter is physically
opened.
12
We therefore hold that a debt collector violates §
1692f(8) when it sends to a debtor an envelope displaying an
unencrypted QR code that, when scanned, reveals the debtor’s
account number. We thus agree with the District Court that
MRS, in doing so here, violated the FDCPA.
B.
MRS argues that, even if its conduct violated the
FDCPA, it is subject to the bona fide error defense. We
disagree.
The FDCPA’s bona fide error defense is found in 15
U.S.C. § 1692k(c), which provides:
[a] debt collector may not be held liable in any
action brought under this subchapter if the debt
collector shows by a preponderance of evidence
that the violation was not intentional and resulted
from a bona fide error notwithstanding the
maintenance of procedures reasonably adapted
to avoid any such error.
In Jerman v. Carlisle, McNellie, Rini, Kramer & Ulrich L.P.A.,
559 U.S. 573 (2010), the Supreme Court held “that the bona
fide error defense in § 1692k(c) does not apply to a violation
of the FDCPA resulting from a debt collector’s incorrect
interpretation of the requirements of that statute.” Id. at 604–
05. Put differently, “FDCPA violations forgivable under §
1692k(c) must result from ‘clerical or factual mistakes,’ not
mistakes of law.” Daubert v. NRA Grp., LLC, 861 F.3d 382,
394 (3d Cir. 2017) (quoting Jerman, 559 U.S. at 587).
13
MRS contends that it committed a mistake of fact. It
argues that it “erred by using industry standards for processing
return mail and appreciating that no person has ever used a QR
Code to determine a letter concerned debt collection.” MRS
Br. 26. MRS insists that it “did not mistakenly interpret the
FDCPA.” MRS Br. 26. But that is precisely what it did. While
MRS tries to characterize its error as one of fact, MRS
ultimately just misunderstood its obligations under the
FDCPA. Indeed, MRS all but admits that point when it argues
that it “mistakenly believed that its conduct could not
conceivably violate the FDCPA.” MRS Br. 31. That is not a
mistake of fact; it is a mistake of law. Had MRS’s printing of
the QR code been the result of a clerical mistake, accidentally
included contrary to the agency’s normal procedures, then it
could conceivably avail itself of the bona fide error defense.
See Jerman, 559 U.S. at 587. But that is not MRS’s argument;
indeed, MRS explains that using QR codes is “the industry
standard.” MRS Br. 34. MRS may not have intended “to
disclose that the contents of the envelope pertain to debt
collection,” MRS Br. 27, but the bona fide error defense does
not protect every well-intentioned act, see Jerman, 559 U.S. at
584–85. It applies only to clerical or factual mistakes. See
Daubert, 861 F.3d at 394. The bona fide error defense is
therefore inapplicable here.
IV.
For the foregoing reasons, we will affirm the judgment
of the District Court.
14