Donna Dinaples v. MRS BPO LLC , 934 F.3d 275 ( 2019 )


Menu:
  •                                           PRECEDENTIAL
    UNITED STATES COURT OF APPEALS
    FOR THE THIRD CIRCUIT
    _____________
    No. 18-2972
    _____________
    DONNA DINAPLES,
    on behalf of herself and all others similarly situated
    v.
    MRS BPO, LLC; JOHN DOES 1-25
    MRS BPO, LLC,
    Appellant
    ____________
    On Appeal from the United States District Court
    for the Western District of Pennsylvania
    (D.C. No. 2-15-cv-01435)
    Chief District Judge: Honorable Mark R. Hornak
    Argued: June 27, 2019
    Before: SMITH, Chief Judge, and CHAGARES and
    GREENAWAY, JR., Circuit Judges
    (Filed August 12, 2019)
    Michael D. Alltmont [ARGUED]
    Bryan C. Shartle
    Sessions Fishman Nathan & Israel
    3850 North Causeway Boulevard
    Lakeway Two, Suite 200
    Metairie, LA 70002
    Andrew J. Blady
    Sessions Fishman Nathan & Israel
    3682 Green Ridge Road
    Furlong, PA 18925
    Ross Enders
    Law Offices of J. Scott Watson
    24 Regency Plaza
    Glen Mills, PA 19342
    Counsel for Appellant MRS BPO, LLC
    Ari H. Marcus
    Yitzchak Zelman [ARGUED]
    Marcus & Zelman
    701 Cookman Avenue
    Suite 300
    Asbury Park, NJ 07712
    Mark G. Moynihan
    Suite 1-N
    112 Washington Place
    Pittsburgh, PA 15219
    Counsel for Appellee Donna DiNaples
    2
    _____________
    OPINION OF THE COURT
    _____________
    CHAGARES, Circuit Judge.
    Five years ago, in Douglass v. Convergent Outsourcing,
    
    765 F.3d 299
    (3d Cir. 2014), we held that a debt collector
    violated the Fair Debt Collection Practices Act (“FDCPA”), 15
    U.S.C. §§ 1692–1692p, when it sent a collection letter in an
    envelope displaying the debtor’s internal account number with
    the collection agency. We are now asked to decide whether the
    same is true when the envelope does not, on its face, show the
    account number but does display an unencrypted “quick
    response,” or “QR,” code that reveals the number when
    scanned. The District Court held that such conduct violates the
    FDCPA. We agree and will affirm.
    I.
    The facts underlying this appeal are undisputed.
    Donna DiNaples had a credit card through Chase Bank.
    Eventually, she fell behind on her payments, so Chase assigned
    her account to a debt collection agency called MRS BPO, LLC
    (“MRS”). MRS sent DiNaples a collection letter as a pressure-
    sealed envelope that had a QR code printed on its face. QR
    codes, including the one here, can be scanned by a reader
    downloadable as an application (better known as an “app”) on
    a smartphone. And this QR code, when scanned with a QR-
    code    reader,      revealed    the   following    sequence:
    3
    “LU4.###1813.3683994.”1 The string “LU4.###1813” was
    the internal reference number associated with DiNaples’s
    account at MRS.
    DiNaples filed a class action lawsuit against MRS,
    alleging that the collection agency, by printing the QR code on
    the envelope, had violated the FDCPA, which prohibits debt
    collectors from “[u]sing any language or symbol, other than the
    debt collector’s address, on any envelope when
    communicating with a consumer by use of the mails.” 15
    U.S.C. § 1692f(8). Each side eventually filed a motion for
    summary judgment.
    The District Court granted DiNaples’s motion on
    liability, concluding that MRS violated the FDCPA. The
    District Court explained that this conclusion was required by
    our decision in Douglass, in which we held that a debt collector
    violates § 1692f(8) by placing on an envelope the consumer’s
    account number with the debt 
    collector. 765 F.3d at 303
    , 306.
    For the District Court, there was no meaningful difference
    between displaying the account number itself and displaying a
    QR code — scannable “by any teenager with a smartphone
    app” — with the number embedded. DiNaples v. MRS BPO,
    LLC, No. 2:15-cv-01435-MAP, 
    2017 WL 5593471
    , at *2
    (W.D. Pa. Nov. 21, 2017). The District Court further rejected
    MRS’s contention that DiNaples had not “suffered a concrete
    injury,” explaining that DiNaples was injured by “the
    disclosure of confidential information.” 
    Id. And the
    District
    Court rejected MRS’s argument that it was protected by the
    1
    Pursuant to Federal Rule of Civil Procedure 5.2(a)(4),
    MRS and DiNaples omitted the first three digits of her account
    number from their summary-judgment filings.
    4
    FDCPA’s “bona fide error defense.” 
    Id. at *3.
    The District
    Court also certified the proposed class.
    The parties thereafter stipulated that, to the extent that
    there was liability, the damages would be $11,000. The
    District Court granted judgment for DiNaples and the class for
    that amount, and this timely appeal followed.
    II.
    We consider first a jurisdictional issue –– DiNaples’s
    standing to sue.2 The District Court, while it did determine that
    DiNaples had suffered a concrete injury, never explicitly
    addressed standing, seemingly assuming it was a non-issue.
    We, though, must assure ourselves of DiNaples’s standing.
    Anthony v. Council, 
    316 F.3d 412
    , 416 (3d Cir. 2003).
    Article III of the Constitution limits the federal courts to
    adjudication of “Cases” and “Controversies.” U.S. Const. art.
    III, § 2, cl. 1. “Courts enforce the case-or-controversy
    requirement” by requiring the plaintiff to have standing to sue.
    Toll Bros., Inc. v. Twp. of Readington, 
    555 F.3d 131
    , 137 (3d
    Cir. 2009). Standing has three elements: “[t]he plaintiff must
    have (1) suffered an injury in fact, (2) that is fairly traceable to
    the challenged conduct of the defendant, and (3) that is likely
    to be redressed by a favorable judicial decision.” Spokeo, Inc.
    v. Robins, 
    136 S. Ct. 1540
    , 1547 (2016). An “injury in fact” is
    one that is “concrete and particularized.” 
    Id. at 1548
    (quoting
    Lujan v. Defenders of Wildlife, 
    504 U.S. 555
    , 560 (1992)). To
    2
    As long as DiNaples has standing, the District Court
    had jurisdiction under 28 U.S.C. § 1331. We have appellate
    jurisdiction under 28 U.S.C. § 1291.
    5
    be concrete, the injury “must actually exist.” 
    Id. It must
    be
    “real,” not “abstract.” 
    Id. The question
    here is whether DiNaples suffered a
    concrete injury when her debt collector sent her a letter in an
    envelope displaying a QR code that, when scanned, revealed
    her account number with the debt collection agency. We
    conclude that she did.
    Because DiNaples’s injury was intangible, we begin our
    analysis with the Supreme Court’s decision in Spokeo. There,
    the Court reaffirmed that, while tangible injuries are typically
    easier to identify, “intangible injuries can nevertheless be
    
    concrete.” 136 S. Ct. at 1549
    . The Court in Spokeo offered
    guidance for determining the concreteness of an intangible
    injury. The Court explained that “both history and the
    judgment of Congress play important roles.” 
    Id. As to
    history,
    courts should “consider whether an alleged intangible harm has
    a close relationship to a harm that has traditionally been
    regarded as providing a basis for a lawsuit in English or
    American courts.” 
    Id. Congress’s “judgment
    is also
    instructive and important,” because Congress “is well
    positioned to identify intangible harms that meet minimum
    Article III requirements.” 
    Id. Granted, just
    because a plaintiff
    asserts a congressionally created cause of action does not
    necessarily mean that the plaintiff has suffered a concrete
    injury. 
    Id. A “bare
    procedural violation” will not meet the
    concreteness requirement. 
    Id. But “the
    violation of a
    procedural right granted by statute can be sufficient in some
    circumstances to constitute injury in fact,” and “a plaintiff in
    such a case need not allege any additional harm beyond the one
    Congress has identified.” 
    Id. 6 We
    have already applied the principles set forth in
    Spokeo to a similar situation. In St. Pierre v. Retrieval-Masters
    Creditors Bureau, 
    898 F.3d 351
    (3d Cir. 2018), we held that a
    debtor suffered a concrete injury when a debt collector, in
    violation of the FDCPA, sent him a collection letter in an
    envelope displaying his account number with the debt
    collector. 
    Id. at 355,
    358. We explained that our earlier
    decision in Douglass –– though not a decision directly
    addressing standing –– resolved the matter. 
    Id. at 357–58.
    In
    Douglass, we had held that displaying a consumer’s account
    number on an envelope was not “benign,” explaining that such
    conduct “implicates a core concern animating the FDCPA—
    the invasion of 
    privacy.” 765 F.3d at 303
    . That number, we
    emphasized in Douglass, was “a core piece of information”
    relating to the debtor’s status as such, and, if “[d]isclosed to the
    public, it could be used to expose her financial predicament.”
    
    Id. Thus, in
    St. Pierre, we concluded that the harm inflicted by
    exposing the debtor’s account number was “a legally
    cognizable 
    injury.” 898 F.3d at 358
    . We explained that,
    because the harm involves the invasion of privacy, it “is closely
    related to harm that has traditionally been regarded as
    providing a basis for a lawsuit in English and American
    courts.” 
    Id. (citing Douglass,
    765 F.3d at 303, and 
    Spokeo, 136 S. Ct. at 1549
    ). And therefore, per Spokeo, the plaintiff in St.
    Pierre had standing.
    St. Pierre, to be sure, did not involve the precise
    situation we have here –– an account number displayed not on
    the face of the envelope but embedded in a QR code. And in
    St. Pierre we explicitly declined to address that scenario. See
    
    id. at 357
    n.6 (“[W]e need not reach the question whether
    exposure of the ‘quick response’ code on the envelope, without
    more, would be sufficient to confer standing under the FDCPA
    7
    because exposure of one’s account number itself suffices.”).
    We similarly declined to consider our QR-code issue in
    Douglass. 
    See 765 F.3d at 301
    n.4 (“Douglass no longer
    presses her argument that Convergent violated the FDCPA by
    including the QR Code on the envelope. . . . We therefore do
    not decide that issue.”).
    Nonetheless, we conclude that the reasoning of those
    two cases inevitably dictates that DiNaples has suffered a
    concrete injury. Disclosure of the debtor’s account number
    through a QR code, which anyone could easily scan and read,
    still “implicates core privacy concerns.” 
    Id. at 304.
    The debt
    collector has “displayed core information relating to the debt
    collection” that is “susceptible to privacy intrusions.” 
    Id. at 305.
    Whether disclosed directly on the envelope or less
    directly through a QR code, the protected information has been
    made accessible to the public. And as we concluded in St.
    Pierre, such an invasion of privacy “is closely related to harm
    that has traditionally been regarded as providing a basis for a
    lawsuit in English and American 
    courts.” 898 F.3d at 357
    –58.
    It thus follows from our Douglass and St. Pierre decisions that
    DiNaples has suffered a sufficiently concrete harm.
    MRS is incorrect to suggest that “to establish Article III
    standing, [DiNaples] would have to show that someone
    actually intercepted her mail, scanned the barcode, read the
    unlabeled string of numbers and determined the contents
    related to debt collection –– or it was imminent someone might
    do so.” MRS Br. 16 (emphases omitted). The teaching of
    Douglass and St. Pierre is that the disclosure of an account
    number is itself the harm –– it “implicates core privacy
    concerns,” 
    Douglass, 765 F.3d at 304
    , and therefore is
    sufficiently concrete under Spokeo to establish an injury-in-
    8
    fact, St. 
    Pierre, 898 F.3d at 357
    –58. In other words, because
    the disclosure is the concrete harm here, DiNaples “need not
    allege any additional harm beyond the one Congress has
    identified.” 
    Spokeo, 136 S. Ct. at 1549
    . Her evidence that she
    received an envelope with a QR code containing private
    information was enough to establish a concrete injury.3
    We hold that DiNaples has standing to sue.
    III.
    Satisfied that DiNaples has standing, we now consider
    whether the District Court correctly determined that she had a
    successful claim under the FDCPA. Our review is de novo.
    See Tundo v. Cty. of Passaic, 
    923 F.3d 283
    , 286 (3d Cir. 2019).
    A.
    The FDCPA, specifically 15 U.S.C. § 1692f(8),
    prohibits debt collectors from:
    [u]sing any language or symbol, other than the
    debt collector’s address, on any envelope when
    communicating with a consumer by use of the
    mails or by telegram, except that a debt collector
    3
    For this reason, MRS’s attempt to distinguish St.
    Pierre as involving a motion to dismiss, and hence a lower
    evidentiary standard, falls flat. Though the motion here is for
    summary judgment, DiNaples has offered sufficient evidence
    of her concrete injury, namely the envelope’s displaying a QR
    code embedded with her account number.
    9
    may use his business name if such name does not
    indicate that he is in the debt collection business.
    There is no dispute that that provision plainly prohibits the QR
    code. Still, as other courts have observed, § 1692f(8) is rather
    expansive when read literally. It would seemingly prohibit
    including “a debtor’s address and an envelope’s pre-printed
    postage,” as well as “any innocuous mark related to the post,
    such as ‘overnight mail’ and ‘forwarding and address
    correction requested.’” Strand v. Diversified Collection Serv.,
    Inc., 
    380 F.3d 316
    , 318 (8th Cir. 2004); see also Goswami v.
    Am. Collections Enter., Inc., 
    377 F.3d 488
    , 493 (5th Cir. 2004).
    To avoid these “bizarre results,” 
    Strand, 380 F.3d at 318
    , many
    courts, as well as the Federal Trade Commission, have read a
    “benign language exception” into § 1692f(8), see 
    Goswami, 377 F.3d at 493
    –94. Although we have never adopted such an
    exception, MRS asks us to do so here and conclude that the QR
    code falls within it.
    But once again, we return to our decision in Douglass.
    To repeat, Douglass involved an envelope displaying the
    debtor’s account number with the debt 
    collector. 765 F.3d at 300
    –01. There, as here, the debt collector urged us to read a
    benign language exception into § 1692f(8), and like MRS, the
    debt collector in Douglass argued that the account number
    should fall within that exception. See 
    id. at 301.
    We declined
    to decide whether § 1692f(8) contains such an exception
    because, regardless, the account number was not benign. 
    Id. at 301,
    303. That number, we explained, was “a core piece of
    information,” the disclosure of which “implicate[d] a core
    concern animating the FDCPA––the invasion of privacy.” 
    Id. at 303.
    We thus rejected the debt collector’s contention that
    the “account number is a meaningless string of numbers and
    10
    letters, and its disclosure has not harmed and could not possibly
    harm Douglass.” 
    Id. at 305–06.
    As with standing, the question is whether the analysis
    changes when the account number is not on the face of the
    envelope but is embedded in a QR code. The panel in Douglass
    explicitly left that question open. See 
    id. at 301
    n.4. But,
    keeping in mind that “the FDCPA must be broadly construed
    in order to give full effect to [its remedial] purposes,” Caprio
    v. Healthcare Revenue Recovery Grp., LLC, 
    709 F.3d 142
    , 148
    (3d Cir. 2013), we agree with the District Court that the
    reasoning of Douglass applies fully to an account number
    embedded in a QR code. As explained above with respect to
    standing, the harm here is still the same –– the unauthorized
    disclosure of confidential information. And if such disclosure
    was not benign, disclosure via an easily readable QR code is
    not either. Protected information has still been compromised.
    MRS argues that Douglass is distinguishable. There,
    the account information was on the face of the envelope,
    capable of being seen by all. Here, by contrast, the envelope
    facially displayed no connection to debt collection. It just
    revealed a QR code, which is facially neutral and appears on
    many commercial mailings. Any account information,
    according to MRS, is hidden from public sight and could only
    be seen by “unlawfully scanning” the envelope. MRS Br. 24
    n.3. MRS suggests that “scanning the QR Code on an envelope
    addressed to another is akin to opening a letter addressed to
    another.” MRS Br. 23.
    We are not persuaded. While we do not decide here
    whether a benign language exception to § 1692f(8) exists, it
    would apply only to language truly benign relative to the
    11
    purposes of the FDCPA. See 
    Douglass, 765 F.3d at 303
    (“[W]e
    cannot find language exempt from § 1692f(8) if its disclosure
    on an envelope would run counter to the very reasons Congress
    enacted the FDCPA.”). If, as we held in Douglass, disclosure
    of a debtor’s account number is an invasion of privacy, it
    follows that disclosure of a QR code embedded with that
    number is not benign. A QR code is still “susceptible to
    privacy intrusions,” even if it does not facially display any
    “core information relating to the debt collection.”4 
    Id. at 305.
    There is no material difference between disclosing an account
    number directly on the envelope and doing so via QR code ––
    the harm is the same, especially given the ubiquity of
    smartphones.5 Whether it is illegal to scan someone’s mail, as
    MRS argues, is beside the point. The debt collector has still
    exposed private information to the world in violation of the
    FDCPA.6
    4
    We do not consider whether a debt collector violates §
    1692f(8) by including on an envelope a QR code that does not
    contain a consumer’s account number.
    5
    For this reason, it also does not matter where on the
    envelope the QR code is printed, which MRS suggests makes
    a difference. The account number has still been disclosed,
    regardless of its location on the envelope.
    6
    And contrary to MRS’s contentions, there is a
    difference between scanning a letter and opening it. The
    former can be done surreptitiously without leaving any
    evidence of tampering. Not so when a letter is physically
    opened.
    12
    We therefore hold that a debt collector violates §
    1692f(8) when it sends to a debtor an envelope displaying an
    unencrypted QR code that, when scanned, reveals the debtor’s
    account number. We thus agree with the District Court that
    MRS, in doing so here, violated the FDCPA.
    B.
    MRS argues that, even if its conduct violated the
    FDCPA, it is subject to the bona fide error defense. We
    disagree.
    The FDCPA’s bona fide error defense is found in 15
    U.S.C. § 1692k(c), which provides:
    [a] debt collector may not be held liable in any
    action brought under this subchapter if the debt
    collector shows by a preponderance of evidence
    that the violation was not intentional and resulted
    from a bona fide error notwithstanding the
    maintenance of procedures reasonably adapted
    to avoid any such error.
    In Jerman v. Carlisle, McNellie, Rini, Kramer & Ulrich L.P.A.,
    
    559 U.S. 573
    (2010), the Supreme Court held “that the bona
    fide error defense in § 1692k(c) does not apply to a violation
    of the FDCPA resulting from a debt collector’s incorrect
    interpretation of the requirements of that statute.” 
    Id. at 604–
    05. Put differently, “FDCPA violations forgivable under §
    1692k(c) must result from ‘clerical or factual mistakes,’ not
    mistakes of law.” Daubert v. NRA Grp., LLC, 
    861 F.3d 382
    ,
    394 (3d Cir. 2017) (quoting 
    Jerman, 559 U.S. at 587
    ).
    13
    MRS contends that it committed a mistake of fact. It
    argues that it “erred by using industry standards for processing
    return mail and appreciating that no person has ever used a QR
    Code to determine a letter concerned debt collection.” MRS
    Br. 26. MRS insists that it “did not mistakenly interpret the
    FDCPA.” MRS Br. 26. But that is precisely what it did. While
    MRS tries to characterize its error as one of fact, MRS
    ultimately just misunderstood its obligations under the
    FDCPA. Indeed, MRS all but admits that point when it argues
    that it “mistakenly believed that its conduct could not
    conceivably violate the FDCPA.” MRS Br. 31. That is not a
    mistake of fact; it is a mistake of law. Had MRS’s printing of
    the QR code been the result of a clerical mistake, accidentally
    included contrary to the agency’s normal procedures, then it
    could conceivably avail itself of the bona fide error defense.
    See 
    Jerman, 559 U.S. at 587
    . But that is not MRS’s argument;
    indeed, MRS explains that using QR codes is “the industry
    standard.” MRS Br. 34. MRS may not have intended “to
    disclose that the contents of the envelope pertain to debt
    collection,” MRS Br. 27, but the bona fide error defense does
    not protect every well-intentioned act, see 
    Jerman, 559 U.S. at 584
    –85. It applies only to clerical or factual mistakes. See
    
    Daubert, 861 F.3d at 394
    . The bona fide error defense is
    therefore inapplicable here.
    IV.
    For the foregoing reasons, we will affirm the judgment
    of the District Court.
    14