On August 12, the U.S. Court of Appeals for the 3rd Circuit affirmed a district court ruling that an envelope containing an unencrypted “quick response” (QR) code that revealed a consumer’s account number when scanned violated the FDCPA. The plaintiff in this case received an envelope containing a collection letter with a printed QR code that, when scanned, revealed the internal reference number associated with the plaintiff’s account. The plaintiff filed a class action lawsuit, and the district court granted summary judgment for the plaintiff, finding that printing the QR code was no different than printing the account number on the envelope, which is a violation of the FDCPA. The defendant appealed, arguing, among other things, that (i) the plaintiff had not suffered a concrete injury; (ii) the QR code would have to be unlawfully scanned in order to obtain the account information; and (iii) the defendant’s conduct was covered under the FDCPA’s bona fide error defense, because it “erred by using industry standards for processing return mail.”
On appeal, the 3rd Circuit affirmed the district court’s ruling. Specifically, the appellate court found that, with respect to injury, the plaintiff was not required to demonstrate that anyone actually intercepted the letter or scanned the QR code to determine that the contents related to debt collection—disclosure of the account number is itself the harm. The appellate court also rejected the defendant’s argument that someone needed to unlawfully scan the barcode, finding that there is no material difference between printing a QR code or printing an account number directly on an envelope because protected information was made available to the public. The appellate court also rejected the defendant’s bona fide effort defense, stating that the defendant misunderstood its FDCPA obligations and the printing of the QR code had not been the result of a clerical mistake or accident.