A 54-page report by Senators Elizabeth Warren (D-MA), Ron Wyden (D-OR), Richard Blumenthal (D-CT), Tammy Duckworth (D-IL), Bernie Sanders (I-VT) and Sheldon Whitehouse (D-RI) snaps at online tax prep companies H&R Block, TaxAct, and Tax Slayer for sharing sensitive taxpayer data with Meta (Facebook) and Google for purposes of algorithm-based advertising.
Attacks on Tax Privacy: How the Tax Prep Industry Enabled Meta to Harvest Millions of Taxpayers’ Sensitive Data [PDF] was born out of a November 2022 investigation by nonprofit newsroom The Markup that revealed online tax prep companies have been quietly transmitting users’ sensitive financial information to Facebook for years via tracking code called the Meta Pixel. An earlier Markup investigation showed 33 of the country’s top 100 hospitals were transmitting private health data to Facebook through this same tracker.
The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.
A pixel on TaxAct’s website sent users’ filing status, adjusted gross income, and the amount of their refund to Facebook. H&R Block’s online prep had their own pixel gathering data on filers’ health savings account usage and details on their dependents’ college tuition and expenses. TaxSlayer was the worst of all:
TaxSlayer, another widely used filing service, sent personal information to Facebook as part of the social media company’s “advanced matching” system, which gathers information on web visitors in an attempt to link them to Facebook accounts. The information gathered through the pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return. As with TaxAct, specific demographic information about a user was obfuscated but still usable for Facebook to link a user to an existing profile. TaxSlayer has said it completed 10 million federal and state tax returns last year.
So the senators got wind of this and opened an investigation, the result of which is the 54-page report. “It reveals that Big Tax Prep [Ed. note: LOL] has recklessly shared tens of millions of taxpayers’ sensitive personal and financial data with Meta for years, without appropriately disclosing this data usage or protecting the data, and without appropriate taxpayer consent,” says the report’s executive summary. “The sharing of taxpayer data with Meta has put taxpayer privacy at risk and appears to represent a violation of taxpayer privacy laws.” The extraordinarily sensitive personal and financial information shared with Meta was then used for “diverse advertising purposes.”
When people say Facebook is listening to their phone microphones to spy on them, this data is actually what they’re eavesdropping on. Not your mic but your entire online life, apparently not even your tax returns are safe from Facebook’s all-seeing eye.
The report explains what all the tax prep companies admitted to sending over Big Tech’s way:
TaxAct, H&R Block, and TaxSlayer each revealed, in response to this Congressional inquiry, that they shared taxpayer data via their use of the Meta Pixel and Google’s tools. The Meta Pixel and other Meta tools used by TaxAct collected far more information than was previously reported: in addition to taxpayers’ filing status, approximate AGI, approximate refund amount, and names of dependents, the Pixel collected appropriate federal tax owed and buttons that were clicked and names of text-entry forms that the taxpayer navigated to (both of which could indicate, for example, whether taxpayers were eligible for certain deductions or exemptions). The Pixel also shared full names, email, country, state, city, and zip codes, phone numbers, and gender as hashed values. TaxAct also revealed that all this information was shared for taxpayers who used TaxAct’s Free File service — a public-private partnership between private tax prep companies like TaxAct and the Internal Revenue Service (IRS).
H&R Block and TaxSlayer also revealed an extensive list of data shared via the Meta Pixel, including transmitting information on whether taxpayers had visited pages for many revealing tax situations, such as having dependents, certain types of income (such as rental income or capital gains), and certain tax credits or deductions. Although the tax prep companies and Big Tech firms claimed that all shared data with anonymous, the FTC and experts have indicated that the data could easily be used to identify individuals, or to create a dossier on them that could be used for targeted advertising or other purposes.
Meta also confirmed that it used the data to target ads to taxpayers, including for companies other than the tax prep companies themselves, and to train Meta’s own AI algorithms.
Urged by Congress to explain what exactly the F they thought they were doing, the tax prep companies described pixel use as “ubiquitous” and “common industry practice.” It’s true that nearly every website on the planet uses some kind of tracking code — Going Concern uses Google Analytics, for example — however the senators said it is “particularly reckless” for online tax prep entities to use them on pages where tax return information is entered. The tax prep firms were “shockingly careless with their treatment of taxpayer data,” they said.
These firms indicated they installed Meta and Google tools on their websites without fully understanding the extent to which the tools would send taxpayer data to these tech firms, without consulting with independent compliance or privacy experts, and without full knowledge of Meta’s use of and disposition of the data. In fact, the tax prep companies indicated that they were still not fully aware of the current status of million of taxpayers’ data that had been shared with the Big Tech firms.
Big Tech firms appeared to act “with stunning disregard for taxpayer privacy,” the report said. And thanks to their ineptitude, the tax prep companies may have set themselves up for potential criminal penalties of up to $1,000 per instance and up to a year in prison for violating taxpayer privacy laws.
The senators recommend relevant enforcement entities including the IRS, the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the Department of Justice (DOJ) should fully investigate the matter and prosecute any company or individuals who violated the law. “We also welcome the recent IRS announcement of a free, direct file pilot next year, which will give taxpayers the option to file taxes without sharing their data with untrustworthy and incompetent tax preparation firms,” said the senators.
Full report here [PDF]