Debt collection agency MRS BPO LLC. Is under fire for the improper use of a QR code.
A unanimous three-judge panel of the U.S. Court of Appeals for the Third Circuit ruled that an unencrypted QR code that MRS BPO added to a collection letter sent to a customer (Ms. Donna DiNaples), was in violation of the Fair Debt Collection Practices Act (FDCPA). The offending quick response code was linked to the woman’s account number and had been printed on the outside of the envelope, allowing it to be scanned by anyone with a smartphone.
The customer filed a class action suit against MRS BPO.
DiNaples, who had received the collection letter from MRS BPO – which had been hired by Chase Bank for debt collections after DiNaples fell behind on her payments – filed a class action suit against the collection agency. She alleges that the code which appears on the envelope violates the FDCPA. This particular Act bars debt collectors from using any “language or symbol” beyond the debt collector’s address, on any envelope, when communicating with a consumer.
According to Judge Michael Chagares, when the unencrypted QR code on the envelope was scanned, it revealed an internal reference number associated with DiNaples’ account with the collection agency, the Pittsburgh Post-Gazette reports.
In its defense, the collection agency said that QR codes are “facially neutral” and can be found on many commercial mailings. However, Judge Chagares, who wrote the court’s 14-page opinion, relied mostly on the court’s 2014 decision in the Douglass v. Convergent Outsourcing case. This case determined that including a debtor’s account number on the outside of an envelope was in violation of the FDCPA.
“There is no material difference between disclosing an account number directly on the envelope and doing so via a QR code — the harm is the same, especially given the ubiquity of smartphones,” Judge Chagares said, as quoted by the Pittsburgh Post-Gazette.
Displaying an unencrypted QR code is no different than displaying the information to which the code is linked.
Initially, MRS BPO had tried to have the case dismissed, but the U.S. District Court for the Western District of Pennsylvania denied their appeal, finding that there was no meaningful difference between displaying an account number as in the Douglass case and displaying a QR code that can be easily scanned.
Appealing to the Third Circuit, the collection agency argued that In Douglass, the account information had been printed on the front of the envelope, but in DiNaples’ case, the information could only be accessed by scanning the code, which would be illegal as this would be no different than opening a letter addressed to someone else.
“Whether it is illegal to scan someone’s mail, as MRS argues, is beside the point. The debt collector has still exposed private information to the world in violation of the FDCPA,” Judge Chagares stated in his 14-page opinion.
Additionally, the judge noted that unlike opening a letter, which leaves behind tampering evidence, scanning an 
unencrypted QR code leaves no physical signs that someone else has accessed the information. As such, the ruling allows DiNaples to execute a class-action settlement with MRS BPO.
