Debt collectors beware: On August 12, the U.S. Court of Appeals for the Third Circuit held that a debt collector violates section 1692f(8) of the Fair Debt Collection Practices Act by displaying an unencrypted “quick response” (or “QR”) code on the face of an envelope containing a debt collection letter that, when scanned, reveals the debtor’s internal account number with the collection agency.

Section 1692f(8) of the FDCPA prohibits a debt collector from “[u]sing any language or symbol, other than the debt collector’s address, on any envelope when communicating with a consumer by use of the mails.” Five years ago, in Douglass v. Convergent Outsourcing, 765 F.3d 299 (3rd Cir. 2014), the Third Circuit held that a debt collector violates this section by displaying the debtor’s account number on an envelope.

This week, in DiNaples v. MRS BPO, LLC, the Third Circuit extended its rationale in Douglass by holding that QR codes on the face of an envelope, that display account numbers when scanned, violate the FDCPA.

Donna DiNaples filed a class action lawsuit against MRS BPO, LLC, a debt collector, alleging violations of the FDCPA for sending letters in envelopes bearing a QR code that contained the debtor’s internal account number. While the QR code did not display the debtor’s account number on its face, it could be scanned by a reader downloadable as an application on many devices, including smartphones. Following Douglass, the United States District Court for the Western District of Pennsylvania certified DiNaples’s proposed class and granted summary judgment in her favor, finding there is no meaningful distinction between displaying an account number on an envelope or a QR code that reveals the same information when scanned by a reader. The Third Circuit affirmed this decision for three reasons.

First, the Third Circuit held that DiNaples has standing to sue, finding that the disclosure of account information in itself is a concrete harm under Spokeo v. Robins, 136 S.Ct. 1540 (2016), because it implicates core privacy concerns of the FDCPA. For this reason, DiNaples did not have to show actual or imminent harm – MRS made her account information available to the public, which is contrary to the purpose of the FDCPA and satisfies Spokeo’s concrete injury requirement.

Second, recognizing the FDCPA’s remedial purpose, the Third Circuit held that including the QR code on envelopes – like the account number – is “susceptible to privacy intrusions,” particularly in the age of smartphones where a reader app is a quick download away. The Court declined to rule on whether the Third Circuit recognizes a “benign language exception” that many courts, as well as the Federal Trade Commission, have read into Section 1692f(8), finding that exception clearly does not apply here because the QR code is not “benign.”

Finally, the Court rejected MRS’s bona fide error defense, reiterating that it does not apply to an incorrect interpretation of the FDCPA but instead only to clerical or factual mistakes. MRS’s argument that it committed a mistake of fact by “using industry standards for processing return mail” was rejected because, in the Court’s view, this was a misunderstanding of its obligations under the FDCPA. Acknowledging that MRS “may not have intended to disclose that the contents of the envelope pertain to debt collection,” the Court repeated that “the bona fide error defense does not protect every well-intentioned act.”