
    Donna DINAPLES, on behalf of herself and all others similarly situated v. MRS BPO, LLC; John Does 1-25 MRS BPO, LLC, Appellant
    No. 18-2972
    United States Court of Appeals, Third Circuit.
    Argued: June 27, 2019 Filed August 12, 2019
    Michael D. Alltmont [ARGUED], Bryan C. Shartle, Sessions Fishman Nathan & Israel, 3850 North Causeway Boulevard, Lakeway Two, Suite 200, Metairie, LA 70002, Andrew J. Blady, Sessions Fishman Nathan & Israel, 3682 Green Ridge Road, Furlong, PA 18925, Ross Enders, Law Offices of J. Scott Watson, 24 Regency Plaza, Glen Mills, PA 19342, Counsel for Appellant MRS BPO, LLC
    Ari H. Marcus, Yitzchak Zelman [ARGUED], Marcus & Zelman, 701 Cookman Avenue, Suite 300, Asbury Park, NJ 07712, Mark G. Moynihan, Suite 1-N, 112 Washington Place, Pittsburgh, PA 15219, Counsel for Appellee Donna DiNaples
    Before: SMITH, Chief Judge, and CHAGARES and GREENAWAY, JR., Circuit Judges
    OPINION OF THE COURT
   CHAGARES, Circuit Judge.

Five years ago, in Douglass v. Convergent Outsourcing, 765 F.3d 299 (3d Cir. 2014), we held that a debt collector violated the Fair Debt Collection Practices Act ("FDCPA"), 15 U.S.C. §§ 1692-1692p, when it sent a collection letter in an envelope displaying the debtor's internal account number with the collection agency. We are now asked to decide whether the same is true when the envelope does not, on its face, show the account number but does display an unencrypted "quick response," or "QR," code that reveals the number when scanned. The District Court held that such conduct violates the FDCPA. We agree and will affirm.

I.

The facts underlying this appeal are undisputed. Donna DiNaples had a credit card through Chase Bank. Eventually, she fell behind on her payments, so Chase assigned her account to a debt collection agency called MRS BPO, LLC ("MRS"). MRS sent DiNaples a collection letter as a pressure-sealed envelope that had a QR code printed on its face. QR codes, including the one here, can be scanned by a reader downloadable as an application (better known as an "app") on a smartphone. And this QR code, when scanned with a QR-code reader, revealed the following sequence: "LU4.###1813.3683994." The string "LU4.###1813" was the internal reference number associated with DiNaples's account at MRS.

DiNaples filed a class action lawsuit against MRS, alleging that the collection agency, by printing the QR code on the envelope, had violated the FDCPA, which prohibits debt collectors from "[u]sing any language or symbol, other than the debt collector's address, on any envelope when communicating with a consumer by use of the mails." 15 U.S.C. § 1692f(8). Each side eventually filed a motion for summary judgment.

The District Court granted DiNaples's motion on liability, concluding that MRS violated the FDCPA. The District Court explained that this conclusion was required by our decision in Douglass, in which we held that a debt collector violates § 1692f(8) by placing on an envelope the consumer's account number with the debt collector. 765 F.3d at 303, 306. For the District Court, there was no meaningful difference between displaying the account number itself and displaying a QR code -- scannable "by any teenager with a smartphone app" -- with the number embedded. Dinaples v. MRS BPO, LLC, No. 2:15-cv-01435-MAP, 2017 WL 5593471, at *2 (W.D. Pa. Nov. 21, 2017). The District Court further rejected MRS's contention that DiNaples had not "suffered a concrete injury," explaining that DiNaples was injured by "the disclosure of confidential information." Id. And the District Court rejected MRS's argument that it was protected by the FDCPA's "bona fide error defense." Id. at *3. The District Court also certified the proposed class.

The parties thereafter stipulated that, to the extent that there was liability, the damages would be $11,000. The District Court granted judgment for DiNaples and the class for that amount, and this timely appeal followed.

II.

We consider first a jurisdictional issue -- DiNaples's standing to sue. The District Court, while it did determine that DiNaples had suffered a concrete injury, never explicitly addressed standing, seemingly assuming it was a non-issue. We, though, must assure ourselves of DiNaples's standing. Anthony v. Council, 316 F.3d 412, 416 (3d Cir. 2003).

Article III of the Constitution limits the federal courts to adjudication of "Cases" and "Controversies." U.S. Const. art. III, § 2, cl. 1. "Courts enforce the case-or-controversy requirement" by requiring the plaintiff to have standing to sue. Toll Bros., Inc. v. Twp. of Readington, 555 F.3d 131, 137 (3d Cir. 2009). Standing has three elements: "[t]he plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins, --- U.S. ----, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016). An "injury in fact" is one that is "concrete and particularized." Id. at 1548 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). To be concrete, the injury "must actually exist." Id. It must be "real," not "abstract." Id.

The question here is whether DiNaples suffered a concrete injury when her debt collector sent her a letter in an envelope displaying a QR code that, when scanned, revealed her account number with the debt collection agency. We conclude that she did.

Because DiNaples's injury was intangible, we begin our analysis with the Supreme Court's decision in Spokeo. There, the Court reaffirmed that, while tangible injuries are typically easier to identify, "intangible injuries can nevertheless be concrete." 136 S. Ct. at 1549. The Court in Spokeo offered guidance for determining the concreteness of an intangible injury. The Court explained that "both history and the judgment of Congress play important roles." Id. As to history, courts should "consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts." Id. Congress's "judgment is also instructive and important," because Congress "is well positioned to identify intangible harms that meet minimum Article III requirements." Id. Granted, just because a plaintiff asserts a congressionally created cause of action does not necessarily mean that the plaintiff has suffered a concrete injury. Id. A "bare procedural violation" will not meet the concreteness requirement. Id. But "the violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact," and "a plaintiff in such a case need not allege any additional harm beyond the one Congress has identified." Id.

We have already applied the principles set forth in Spokeo to a similar situation. In St. Pierre v. Retrieval-Masters Creditors Bureau, 898 F.3d 351 (3d Cir. 2018), we held that a debtor suffered a concrete injury when a debt collector, in violation of the FDCPA, sent him a collection letter in an envelope displaying his account number with the debt collector. Id. at 355, 358. We explained that our earlier decision in Douglass -- though not a decision directly addressing standing -- resolved the matter. Id. at 357-58. In Douglass, we had held that displaying a consumer's account number on an envelope was not "benign," explaining that such conduct "implicates a core concern animating the FDCPA--the invasion of privacy." 765 F.3d at 303. That number, we emphasized in Douglass, was "a core piece of information" relating to the debtor's status as such, and, if "[d]isclosed to the public, it could be used to expose her financial predicament." Id. Thus, in St. Pierre, we concluded that the harm inflicted by exposing the debtor's account number was "a legally cognizable injury." 898 F.3d at 358. We explained that, because the harm involves the invasion of privacy, it "is closely related to harm that has traditionally been regarded as providing a basis for a lawsuit in English and American courts." Id. (citing Douglass, 765 F.3d at 303, and Spokeo, 136 S. Ct. at 1549). And therefore, per Spokeo, the plaintiff in St. Pierre had standing.

St. Pierre, to be sure, did not involve the precise situation we have here -- an account number displayed not on the face of the envelope but embedded in a QR code. And in St. Pierre we explicitly declined to address that scenario. See id. at 357 n.6 ("[W]e need not reach the question whether exposure of the 'quick response' code on the envelope, without more, would be sufficient to confer standing under the FDCPA because exposure of one's account number itself suffices."). We similarly declined to consider our QR-code issue in Douglass. See 765 F.3d at 301 n.4 ("Douglass no longer presses her argument that Convergent violated the FDCPA by including the QR Code on the envelope. ... We therefore do not decide that issue.").

Nonetheless, we conclude that the reasoning of those two cases inevitably dictates that DiNaples has suffered a concrete injury. Disclosure of the debtor's account number through a QR code, which anyone could easily scan and read, still "implicates core privacy concerns." Id. at 304. The debt collector has "displayed core information relating to the debt collection" that is "susceptible to privacy intrusions." Id. at 305. Whether disclosed directly on the envelope or less directly through a QR code, the protected information has been made accessible to the public. And as we concluded in St. Pierre, such an invasion of privacy "is closely related to harm that has traditionally been regarded as providing a basis for a lawsuit in English and American courts." 898 F.3d at 357-58. It thus follows from our Douglass and St. Pierre decisions that DiNaples has suffered a sufficiently concrete harm.

MRS is incorrect to suggest that "to establish Article III standing, [DiNaples] would have to show that someone actually intercepted her mail, scanned the barcode, read the unlabeled string of numbers and determined the contents related to debt collection -- or it was imminent someone might do so." MRS Br. 16 (emphases omitted). The teaching of Douglass and St. Pierre is that the disclosure of an account number is itself the harm -- it "implicates core privacy concerns," Douglass, 765 F.3d at 304, and therefore is sufficiently concrete under Spokeo to establish an injury-in-fact, St. Pierre, 898 F.3d at 357-58. In other words, because the disclosure is the concrete harm here, DiNaples "need not allege any additional harm beyond the one Congress has identified." Spokeo, 136 S. Ct. at 1549. Her evidence that she received an envelope with a QR code containing private information was enough to establish a concrete injury.

We hold that DiNaples has standing to sue.

III.

Satisfied that DiNaples has standing, we now consider whether the District Court correctly determined that she had a successful claim under the FDCPA. Our review is de novo. See Tundo v. Cty. of Passaic, 923 F.3d 283, 286 (3d Cir. 2019).

A.

The FDCPA, specifically 15 U.S.C. § 1692f(8), prohibits debt collectors from:

[u]sing any language or symbol, other than the debt collector's address, on any envelope when communicating with a consumer by use of the mails or by telegram, except that a debt collector may use his business name if such name does not indicate that he is in the debt collection business.

There is no dispute that that provision plainly prohibits the QR code. Still, as other courts have observed, § 1692f(8) is rather expansive when read literally. It would seemingly prohibit including "a debtor's address and an envelope's pre-printed postage," as well as "any innocuous mark related to the post, such as 'overnight mail' and 'forwarding and address correction requested.'" Strand v. Diversified Collection Serv., Inc., 380 F.3d 316, 318 (8th Cir. 2004); see also Goswami v. Am. Collections Enter., Inc., 377 F.3d 488, 493 (5th Cir. 2004). To avoid these "bizarre results," Strand, 380 F.3d at 318, many courts, as well as the Federal Trade Commission, have read a "benign language exception" into § 1692f(8), see Goswami, 377 F.3d at 493-94. Although we have never adopted such an exception, MRS asks us to do so here and conclude that the QR code falls within it.

But once again, we return to our decision in Douglass. To repeat, Douglass involved an envelope displaying the debtor's account number with the debt collector. 765 F.3d at 300-01. There, as here, the debt collector urged us to read a benign language exception into § 1692f(8), and like MRS, the debt collector in Douglass argued that the account number should fall within that exception. See id. at 301. We declined to decide whether § 1692f(8) contains such an exception because, regardless, the account number was not benign. Id. at 301, 303. That number, we explained, was "a core piece of information," the disclosure of which "implicate[d] a core concern animating the FDCPA--the invasion of privacy." Id. at 303. We thus rejected the debt collector's contention that the "account number is a meaningless string of numbers and letters, and its disclosure has not harmed and could not possibly harm Douglass." Id. at 305-06.

As with standing, the question is whether the analysis changes when the account number is not on the face of the envelope but is embedded in a QR code. The panel in Douglass explicitly left that question open. See id. at 301 n.4. But, keeping in mind that "the FDCPA must be broadly construed in order to give full effect to [its remedial] purposes," Caprio v. Healthcare Revenue Recovery Grp., LLC, 709 F.3d 142, 148 (3d Cir. 2013), we agree with the District Court that the reasoning of Douglass applies fully to an account number embedded in a QR code. As explained above with respect to standing, the harm here is still the same -- the unauthorized disclosure of confidential information. And if such disclosure was not benign, disclosure via an easily readable QR code is not either. Protected information has still been compromised.

MRS argues that Douglass is distinguishable. There, the account information was on the face of the envelope, capable of being seen by all. Here, by contrast, the envelope facially displayed no connection to debt collection. It just revealed a QR code, which is facially neutral and appears on many commercial mailings. Any account information, according to MRS, is hidden from public sight and could only be seen by "unlawfully scanning" the envelope. MRS Br. 24 n.3. MRS suggests that "scanning the QR Code on an envelope addressed to another is akin to opening a letter addressed to another." MRS Br. 23.

We are not persuaded. While we do not decide here whether a benign language exception to § 1692f(8) exists, it would apply only to language truly benign relative to the purposes of the FDCPA. See Douglass, 765 F.3d at 303 ("[W]e cannot find language exempt from § 1692f(8) if its disclosure on an envelope would run counter to the very reasons Congress enacted the FDCPA."). If, as we held in Douglass, disclosure of a debtor's account number is an invasion of privacy, it follows that disclosure of a QR code embedded with that number is not benign. A QR code is still "susceptible to privacy intrusions," even if it does not facially display any "core information relating to the debt collection." Id. at 305. There is no material difference between disclosing an account number directly on the envelope and doing so via QR code -- the harm is the same, especially given the ubiquity of smartphones. Whether it is illegal to scan someone's mail, as MRS argues, is beside the point. The debt collector has still exposed private information to the world in violation of the FDCPA.

We therefore hold that a debt collector violates § 1692f(8) when it sends to a debtor an envelope displaying an unencrypted QR code that, when scanned, reveals the debtor's account number. We thus agree with the District Court that MRS, in doing so here, violated the FDCPA.

B.

MRS argues that, even if its conduct violated the FDCPA, it is subject to the bona fide error defense. We disagree.

The FDCPA's bona fide error defense is found in 15 U.S.C. § 1692k(c), which provides:

[a] debt collector may not be held liable in any action brought under this subchapter if the debt collector shows by a preponderance of evidence that the violation was not intentional and resulted from a bona fide error notwithstanding the maintenance of procedures reasonably adapted to avoid any such error.

In Jerman v. Carlisle, McNellie, Rini, Kramer & Ulrich L.P.A., 559 U.S. 573, 130 S.Ct. 1605, 176 L.Ed.2d 519 (2010), the Supreme Court held "that the bona fide error defense in § 1692k(c) does not apply to a violation of the FDCPA resulting from a debt collector's incorrect interpretation of the requirements of that statute." Id. at 604-05, 130 S.Ct. 1605. Put differently, "FDCPA violations forgivable under § 1692k(c) must result from 'clerical or factual mistakes,' not mistakes of law." Daubert v. NRA Grp., LLC, 861 F.3d 382, 394 (3d Cir. 2017) (quoting Jerman, 559 U.S. at 587, 130 S.Ct. 1605).

MRS contends that it committed a mistake of fact. It argues that it "erred by using industry standards for processing return mail and appreciating that no person has ever used a QR Code to determine a letter concerned debt collection." MRS Br. 26. MRS insists that it "did not mistakenly interpret the FDCPA." MRS Br. 26. But that is precisely what it did. While MRS tries to characterize its error as one of fact, MRS ultimately just misunderstood its obligations under the FDCPA. Indeed, MRS all but admits that point when it argues that it "mistakenly believed that its conduct could not conceivably violate the FDCPA." MRS Br. 31. That is not a mistake of fact; it is a mistake of law. Had MRS's printing of the QR code been the result of a clerical mistake, accidentally included contrary to the agency's normal procedures, then it could conceivably avail itself of the bona fide error defense. See Jerman, 559 U.S. at 587, 130 S.Ct. 1605. But that is not MRS's argument; indeed, MRS explains that using QR codes is "the industry standard." MRS Br. 34. MRS may not have intended "to disclose that the contents of the envelope pertain to debt collection," MRS Br. 27, but the bona fide error defense does not protect every well-intentioned act, see Jerman, 559 U.S. at 584-85, 130 S.Ct. 1605. It applies only to clerical or factual mistakes. See Daubert, 861 F.3d at 394. The bona fide error defense is therefore inapplicable here.

IV.

For the foregoing reasons, we will affirm the judgment of the District Court. 
      
Pursuant to Federal Rule of Civil Procedure 5.2(a)(4), MRS and DiNaples omitted the first three digits of her account number from their summary-judgment filings.

As long as DiNaples has standing, the District Court had jurisdiction under 28 U.S.C. § 1331. We have appellate jurisdiction under 28 U.S.C. § 1291.

For this reason, MRS's attempt to distinguish St. Pierre as involving a motion to dismiss, and hence a lower evidentiary standard, falls flat. Though the motion here is for summary judgment, DiNaples has offered sufficient evidence of her concrete injury, namely the envelope's displaying a QR code embedded with her account number.

We do not consider whether a debt collector violates § 1692f(8) by including on an envelope a QR code that does not contain a consumer's account number.

For this reason, it also does not matter where on the envelope the QR code is printed, which MRS suggests makes a difference. The account number has still been disclosed, regardless of its location on the envelope.

And contrary to MRS's contentions, there is a difference between scanning a letter and opening it. The former can be done surreptitiously without leaving any evidence of tampering. Not so when a letter is physically opened.
     