Unencrypted “quick response,” or QR, codes printed on the outside of envelopes that link to a debtor’s information violate the Fair Debt Collection Practices Act, a federal appeals court has ruled, applying five-year-old case law to an open question.

A unanimous three-judge panel of the U.S. Court of Appeals for the Third Circuit ruled Monday that a woman who received a collection letter with a QR code linking to her account number suffered a concrete harm, and that the unencrypted QR code violated the FDCPA. The ruling allows the plaintiff, Donna DiNaples, to execute a class action settlement she entered into with the defendant collection agency, MRS BPO LLC.