chevron-down Created with Sketch Beta.

Business Law Today

November 2022

Much Ado About Nothing: Hunstein’s Three Trips to the Eleventh Circuit Did Not Clarify Whether the FDCPA Is a Financial Privacy Statute

Amy Hanna Keeney and Joshua Lesser

Summary

  • Hunstein v. Preferred Collection & Management Services, Inc. took three trips to a federal appellate court to answer the question of whether the Fair Debt Collection Practices Act (“FDCPA”) prohibits routine communications between a debt collector and its vendors.
  • In Hunstein, the debt collector sent information about the debt to its dunning vendor to issue a letter to the plaintiff. The issue was not whether the communications were prohibited by § 1692c(b) of the FDCPA but whether the plaintiff had alleged a “concrete harm” such that he had standing to bring the claim.
  • Hunstein 1 and Hunstein 2 found standing. Hunstein 3 ignored the issue of standing, instead distinguishing between publication and publicity and ruling that Hunstein failed to even allege publicity in his complaint and thus had failed to state a prima facie case for concrete harm.
  • Best practice is to make sure that anyone handling consumer information is contractually obligated to maintain that information in the strictest confidence.
Much Ado About Nothing: Hunstein’s Three Trips to the Eleventh Circuit Did Not Clarify Whether the FDCPA Is a Financial Privacy Statute
iStock/Nikolay Zaiarnyi

Jump to:

By now, those in the financial services, vendor management, and consumer protection spaces have heard of Hunstein v. Preferred Collection & Management Services, Inc. and that case’s rare three trips to a federal appellate court in an effort to answer this question: Does the federal Fair Debt Collection Practices Act (“FDCPA”) apply to prohibit the very routine communications between a debt collector and its vendors? Unfortunately, none of the opinions ultimately provides an answer to this apparent question of first impression, though they imply one.

So, what message do the Hunstein opinions send to companies that regularly transmit personal and potentially sensitive information to third-party vendors?

Brief Procedural History

In Hunstein 1, a three-judge panel of the U.S. Court of Appeals for the Eleventh Circuit first unanimously held that a debt collector’s transmission of a debtor’s private data to a dunning vendor was actionable under the FDCPA.

In Hunstein 2, the same panel then sua sponte vacated and superseded Hunstein 1 (to address the intervening Supreme Court opinion of TransUnion LLC v. Ramirez) but ultimately reached the same conclusion, 2-1, although over a vociferous dissent.

The Eleventh Circuit then granted rehearing en banc and on September 8, 2021, issued its Hunstein 3 opinion vacating Hunstein 2 and remanding to the district court with instructions to dismiss the case without prejudice, finding that the plaintiff failed to properly allege his claim. In doing so, the Hunstein 3 court considered but ultimately did not make a ruling on the pivotal question—that is, whether the FDCPA prohibits a debt collector from sending a consumer’s private data to a dunning vendor.

Background

Section 1692c(b) of the FDCPA provides, in pertinent part, that “without the prior consent of the consumer given directly to the debt collector, . . . a debt collector may not communicate, in connection with the collection of any debt, with any person other than the consumer.” In Hunstein, the plaintiff’s son received medical care, and the plaintiff allegedly did not pay the bill, which was then placed for collections with the defendant. The defendant, Preferred Collection, then sent certain information (including the plaintiff’s status as a debtor, the exact balance of the debt and the entity to which it was owed, the fact that the debt concerned the plaintiff’s son’s medical treatment, and the plaintiff’s son’s name) to its dunning vendor, Compumail, to issue dunning letter(s) to the plaintiff.

The issue in all three Hunstein opinions was not whether this communication of information was prohibited by § 1692c(b) but whether the plaintiff had alleged a “concrete harm” such that he had standing to bring the claim (i.e., whether the courts had a case or controversy sufficient to confer jurisdiction). Concrete harm is normally alleged by showing an injury in fact—some tangible harm to a person’s body or property. In cases of a bare statutory violation unaccompanied by an injury in fact, however, the plaintiff must show an “intangible harm.” Intangible harm is a relatively illusory concept, but one way that courts assess it is by “compar[ing] [the intangible harm] to a harm redressed in a traditional common-law tort.”

In his complaint, Hunstein alleged that Preferred Collection’s communication with Compumail in connection with debt collections was comparable to the common-law tort of public disclosure of private facts (“public disclosure”), which requires showing, among other things, the “publicity” of private information.

The Majority Opinion

The Hunstein 3 majority ultimately punted on whether the plaintiff had shown standing, ruling that Hunstein had failed to even allege publicity in his complaint and thus had failed to state a prima facie case for concrete harm.

According to the majority, publication—“to communicate a fact concerning the plaintiff’s private life to a single person or even to a . . . group of persons”—is insufficient to show a public disclosure. Publicity, on the other hand, “requires either actual public disclosure or a substantial certainty that the disclosed information will reach the public at large.” This was not present in Hunstein’s complaint, the court reasoned, because “Hunstein did not even allege that a single [Compumail] employee ever read or understood the information about his debt.” Thus, the court remanded for dismissal without prejudice because “Hunstein did not allege any publicity at all.”

The majority relied heavily on the Supreme Court’s 2021 decision in TransUnion, where the Court considered whether the plaintiffs (a class) had alleged concrete injury in their claims that TransUnion, the defendant credit reporting agency, failed to use reasonable procedures to ensure the accuracy of their credit reporting so as not to include inaccurate Office of Foreign Assets Control data labeling the plaintiffs as potential terrorists. In order to determine if the plaintiffs alleged concrete injury from a bare statutory violation (i.e., unaccompanied by an injury in fact), the Court compared the plaintiffs’ alleged harm to defamation, which traditionally requires publication (which, unlike publicity, can be a private communication) of a false statement. The Court ultimately concluded that the 1,856 class members whose credit reports had been disseminated to third parties (mainly creditors or potential creditors doing credit checks) had alleged a sufficient intangible injury to confer standing, whereas the 6,332 class members whose credit reports were never disseminated did not:

In cases such as these where allegedly inaccurate or misleading information sits in a company database, the plaintiffs’ harm is roughly the same, legally speaking, as if someone wrote a defamatory letter and then stored it in her desk drawer. A letter that is not sent does not harm anyone, no matter how insulting the letter is.

In reaching its conclusion in Hunstein, the majority reasoned that Hunstein effectively claimed that Preferred Collection sent Hunstein’s information to Compumail, where it “[sat] in a company database.”

So where does that leave us? Technically, Hunstein 3 is nothing more than a guide on how to (and how not to) plead an FDCPA claim. Some value can be gleaned, however, from the majority’s dicta, in which it suggested that it would not have found standing even if Hunstein had alleged that Compumail’s employees read or understood the information because this would have been publication but not publicity.

In drawing the distinction between public (publicity) and private (publication) communications, the court reasoned that “any publication in a newspaper or a magazine, even of small circulation, or in a handbill distributed to a large number of persons, or any broadcast over the radio, or statement made in an address to a large audience, is sufficient to give publicity.” On the other hand, “[w]hen a trade secret is communicated to thousands of new employees after a merger, for example, it does not become public information.”

So, was Preferred Collection’s transmission of Hunstein’s personal information publication or publicity? The court ultimately did not answer this question, but its approach in dicta strongly implies that it would have characterized the communication as a private disclosure, and thus the transmission of information would be insufficient to establish a concrete injury under the comparison to public disclosure:

  • “All that to say, nowhere does Hunstein suggest that Preferred Collection’s communication reached, or was sure to reach, the public. Quite the opposite—the complaint describes a disclosure that reached a single intermediary, which then passed the information back to Hunstein without sharing it more broadly.”
  • “Under even the most generous reading of [Hunstein’s] complaint, one company sent his information to another, where it was ‘populated’ into a private letter that was sent to his own home. That is simply not enough.”
  • “So Preferred [Collection] did indeed disclose information to the mail vendor’s agents, but the complaint describes the same automatic process that the Supreme Court explained does not constitute an injury.”

The Concurrence

The concurrence echoed the majority’s holding but went further to draw a second distinction between Hunstein’s claims and another element of the comparator tort of public disclosure—that the information communicated was “highly offensive.”

Even if there was publicity, the concurrence reasoned, it would not be an actionable public disclosure because the information communicated may have caused personal offense (which is not sufficient) but was not “a kind highly offensive to the ordinary reasonable man.”

The Dissent

The dissent started off by calling into question the majority’s “refusing to give Hunstein’s complaint an appropriately charitable reading and, worse, just flat disregarding its express allegations.” The dissent quoted the complaint where it says, “Preferred [Collection] violated [the FDCPA] when it disclosed information about Mr. Hunstein’s purported [medical] debt to the employees of an unauthorized third-party . . . in connection with the collection of the Debt.” Moreover, the dissent raised “the eminently reasonable inference that the flesh-and-blood individuals to whom that information was disclosed read it.”

The dissent also called into question the majority’s reliance on the Supreme Court’s decision in TransUnion because that case was decided on the merits and appealed postjudgment, whereas the Hunstein 3 opinion was decided at the pleading stage on a motion to dismiss, at which point the plaintiff’s claims are read in the light most favorable to the plaintiff, indulging every inference in the plaintiff’s favor. Under this more forgiving light, the dissent concluded, Hunstein stated a prima facie case for an intangible injury as compared to public disclosure.

Conclusion

The Hunstein case on its face is a little bit of much ado about nothing. Hunstein advanced a relatively novel theory that the FDCPA acts as a consumer-privacy statute, and the Hunstein 1 and 2 panels tacitly approved by finding standing—only to have the en banc Eleventh Circuit effectively overrule and dismiss on the basis that Hunstein failed to adequately allege one of the elements of public disclosure. The court dodged the substantive question, and the ruling ultimately does little more than provide rudimentary-level guidance on how to plead a claim.

But, to the extent that the Eleventh Circuit decision (and potentially that of another circuit) comported with the Hunstein 3 dicta, the conclusion would seemingly be that the FDCPA does not confer standing to bring consumer-privacy claims on the basis of a debt collector’s transmission of a consumer’s information to a dunning vendor. And, of course, the concurrence raises the question not reached: Even if there was publicity, was the information conveyed the type of “highly offensive” disclosure that is actionable in public disclosure? The concurrence concluded that it was not.

This is almost certainly not the final word on the machination of consumer-privacy claims under the FDCPA. Indeed, we may even see Hunstein refile his complaint with the magic missing language. Or Hunstein may decide to appeal the decision up to the Supreme Court for a final resolution on the issue of standing.

Takeaway

Until then, with little to nothing in the way of precedent from the Eleventh Circuit to date, debt collectors and lenders who meet the definition of a debt collector in all jurisdictions need to take affirmative steps to implement policies and procedures to avoid (or at least mitigate) class-action FDCPA cases based upon a defendant’s continued (and prior) use of third-party debt-collection vendors. Even if your company is not a debt collector and would not be subject to the FDCPA, the facts in Hunstein should give you pause if you regularly transmit personal and potentially sensitive information regarding consumers to third-party vendors. What can your company do to avoid a similar suit?

Consumer privacy is a huge concern for regulators of all kinds. This is nothing new. But the focus on vendor management (or lack thereof) and how it contributes to the violation of consumer privacy is relatively new. Whenever your company is negotiating with a vendor that will be touching consumer information, make certain that vendor will be contractually obligated to maintain that information in the strictest confidence. Because Hunstein was decided on a motion to dismiss, we did not get to see what facts Preferred Collection had in its defense. Perhaps its agreement with Compumail restricted access to debtor information to a small group of Compumail employees tasked with preparing its dunning letters. That would certainly have been a fact in favor of showing that there was no publication, let alone publicity, of Hunstein’s information.

Use this opportunity to review your company’s contracts with its vendors and ensure that the confidentiality provisions restrict access to sensitive data. Even if Hunstein was ultimately much ado about nothing, it is a powerful reminder of the risk associated with vendor management.

Background

Section 1692c(b) of the FDCPA provides, in pertinent part, that “without the prior consent of the consumer given directly to the debt collector, . . . a debt collector may not communicate, in connection with the collection of any debt, with any person other than the consumer.” In Hunstein, the plaintiff’s son received medical care, and the plaintiff allegedly did not pay the bill, which was then placed for collections with the defendant. The defendant, Preferred Collection, then sent certain information (including the plaintiff’s status as a debtor, the exact balance of the debt and the entity to which it was owed, the fact that the debt concerned the plaintiff’s son’s medical treatment, and the plaintiff’s son’s name) to its dunning vendor, Compumail, to issue dunning letter(s) to the plaintiff.

The issue in all three Hunstein opinions was not whether this communication of information was prohibited by § 1692c(b) but whether the plaintiff had alleged a “concrete harm” such that he had standing to bring the claim (i.e., whether the courts had a case or controversy sufficient to confer jurisdiction). Concrete harm is normally alleged by showing an injury in fact—some tangible harm to a person’s body or property. In cases of a bare statutory violation unaccompanied by an injury in fact, however, the plaintiff must show an “intangible harm.” Intangible harm is a relatively illusory concept, but one way that courts assess it is by “compar[ing] [the intangible harm] to a harm redressed in a traditional common-law tort.”

In his complaint, Hunstein alleged that Preferred Collection’s communication with Compumail in connection with debt collections was comparable to the common-law tort of public disclosure of private facts (“public disclosure”), which requires showing, among other things, the “publicity” of private information.

The Majority Opinion

The Hunstein 3 majority ultimately punted on whether the plaintiff had shown standing, ruling that Hunstein had failed to even allege publicity in his complaint and thus had failed to state a prima facie case for concrete harm.

According to the majority, publication—“to communicate a fact concerning the plaintiff’s private life to a single person or even to a . . . group of persons”—is insufficient to show a public disclosure. Publicity, on the other hand, “requires either actual public disclosure or a substantial certainty that the disclosed information will reach the public at large.” This was not present in Hunstein’s complaint, the court reasoned, because “Hunstein did not even allege that a single [Compumail] employee ever read or understood the information about his debt.” Thus, the court remanded for dismissal without prejudice because “Hunstein did not allege any publicity at all.”

The majority relied heavily on the Supreme Court’s 2021 decision in TransUnion, where the Court considered whether the plaintiffs (a class) had alleged concrete injury in their claims that TransUnion, the defendant credit reporting agency, failed to use reasonable procedures to ensure the accuracy of their credit reporting so as not to include inaccurate Office of Foreign Assets Control data labeling the plaintiffs as potential terrorists. In order to determine if the plaintiffs alleged concrete injury from a bare statutory violation (i.e., unaccompanied by an injury in fact), the Court compared the plaintiffs’ alleged harm to defamation, which traditionally requires publication (which, unlike publicity, can be a private communication) of a false statement. The Court ultimately concluded that the 1,856 class members whose credit reports had been disseminated to third parties (mainly creditors or potential creditors doing credit checks) had alleged a sufficient intangible injury to confer standing, whereas the 6,332 class members whose credit reports were never disseminated did not:

In cases such as these where allegedly inaccurate or misleading information sits in a company database, the plaintiffs’ harm is roughly the same, legally speaking, as if someone wrote a defamatory letter and then stored it in her desk drawer. A letter that is not sent does not harm anyone, no matter how insulting the letter is.

In reaching its conclusion in Hunstein, the majority reasoned that Hunstein effectively claimed that Preferred Collection sent Hunstein’s information to Compumail, where it “[sat] in a company database.”

So where does that leave us? Technically, Hunstein 3 is nothing more than a guide on how to (and how not to) plead an FDCPA claim. Some value can be gleaned, however, from the majority’s dicta, in which it suggested that it would not have found standing even if Hunstein had alleged that Compumail’s employees read or understood the information because this would have been publication but not publicity.

In drawing the distinction between public (publicity) and private (publication) communications, the court reasoned that “any publication in a newspaper or a magazine, even of small circulation, or in a handbill distributed to a large number of persons, or any broadcast over the radio, or statement made in an address to a large audience, is sufficient to give publicity.” On the other hand, “[w]hen a trade secret is communicated to thousands of new employees after a merger, for example, it does not become public information.”

So, was Preferred Collection’s transmission of Hunstein’s personal information publication or publicity? The court ultimately did not answer this question, but its approach in dicta strongly implies that it would have characterized the communication as a private disclosure, and thus the transmission of information would be insufficient to establish a concrete injury under the comparison to public disclosure:

· “All that to say, nowhere does Hunstein suggest that Preferred Collection’s communication reached, or was sure to reach, the public. Quite the opposite—the complaint describes a disclosure that reached a single intermediary, which then passed the information back to Hunstein without sharing it more broadly.”

· “Under even the most generous reading of [Hunstein’s] complaint, one company sent his information to another, where it was ‘populated’ into a private letter that was sent to his own home. That is simply not enough.”

· “So Preferred [Collection] did indeed disclose information to the mail vendor’s agents, but the complaint describes the same automatic process that the Supreme Court explained does not constitute an injury.”

The Concurrence

The concurrence echoed the majority’s holding but went further to draw a second distinction between Hunstein’s claims and another element of the comparator tort of public disclosure—that the information communicated was “highly offensive.”

Even if there was publicity, the concurrence reasoned, it would not be an actionable public disclosure because the information communicated may have caused personal offense (which is not sufficient) but was not “a kind highly offensive to the ordinary reasonable man.”

The Dissent

The dissent started off by calling into question the majority’s “refusing to give Hunstein’s complaint an appropriately charitable reading and, worse, just flat disregarding its express allegations.” The dissent quoted the complaint where it says, “Preferred [Collection] violated [the FDCPA] when it disclosed information about Mr. Hunstein’s purported [medical] debt to the employees of an unauthorized third-party . . . in connection with the collection of the Debt.” Moreover, the dissent raised “the eminently reasonable inference that the flesh-and-blood individuals to whom that information was disclosed read it.”

The dissent also called into question the majority’s reliance on the Supreme Court’s decision in TransUnion because that case was decided on the merits and appealed postjudgment, whereas the Hunstein 3 opinion was decided at the pleading stage on a motion to dismiss, at which point the plaintiff’s claims are read in the light most favorable to the plaintiff, indulging every inference in the plaintiff’s favor. Under this more forgiving light, the dissent concluded, Hunstein stated a prima facie case for an intangible injury as compared to public disclosure.

Conclusion

The Hunstein case on its face is a little bit of much ado about nothing. Hunstein advanced a relatively novel theory that the FDCPA acts as a consumer-privacy statute, and the Hunstein 1 and 2 panels tacitly approved by finding standing—only to have the en banc Eleventh Circuit effectively overrule and dismiss on the basis that Hunstein failed to adequately allege one of the elements of public disclosure. The court dodged the substantive question, and the ruling ultimately does little more than provide rudimentary-level guidance on how to plead a claim.

But, to the extent that the Eleventh Circuit decision (and potentially that of another circuit) comported with the Hunstein 3 dicta, the conclusion would seemingly be that the FDCPA does not confer standing to bring consumer-privacy claims on the basis of a debt collector’s transmission of a consumer’s information to a dunning vendor. And, of course, the concurrence raises the question not reached: Even if there was publicity, was the information conveyed the type of “highly offensive” disclosure that is actionable in public disclosure? The concurrence concluded that it was not.

This is almost certainly not the final word on the machination of consumer-privacy claims under the FDCPA. Indeed, we may even see Hunstein refile his complaint with the magic missing language. Or Hunstein may decide to appeal the decision up to the Supreme Court for a final resolution on the issue of standing.

Takeaway

Until then, with little to nothing in the way of precedent from the Eleventh Circuit to date, debt collectors and lenders who meet the definition of a debt collector in all jurisdictions need to take affirmative steps to implement policies and procedures to avoid (or at least mitigate) class-action FDCPA cases based upon a defendant’s continued (and prior) use of third-party debt-collection vendors. Even if your company is not a debt collector and would not be subject to the FDCPA, the facts in Hunstein should give you pause if you regularly transmit personal and potentially sensitive information regarding consumers to third-party vendors. What can your company do to avoid a similar suit?

Consumer privacy is a huge concern for regulators of all kinds. This is nothing new. But the focus on vendor management (or lack thereof) and how it contributes to the violation of consumer privacy is relatively new. Whenever your company is negotiating with a vendor that will be touching consumer information, make certain that vendor will be contractually obligated to maintain that information in the strictest confidence. Because Hunstein was decided on a motion to dismiss, we did not get to see what facts Preferred Collection had in its defense. Perhaps its agreement with Compumail restricted access to debtor information to a small group of Compumail employees tasked with preparing its dunning letters. That would certainly have been a fact in favor of showing that there was no publication, let alone publicity, of Hunstein’s information.

Use this opportunity to review your company’s contracts with its vendors and ensure that the confidentiality provisions restrict access to sensitive data. Even if Hunstein was ultimately much ado about nothing, it is a powerful reminder of the risk associated with vendor management.

    Authors