Meta and major tax preparation companies inappropriately shared millions of taxpayers’ financial data for years, according to a congressional report released today that was spurred by a Markup article.
Our investigation, which was published in November, revealed how tax filing services including H&R Block, TaxAct, and TaxSlayer were transmitting data to Facebook’s parent company, Meta, through a tool called the Meta Pixel. The data was sent as taxpayers filed their taxes and included personal information like first and last names, income, filing status, and refund amounts. Some data was also sent to Google through its analytics tools, and Google was also a subject of the congressional investigation.
Today’s report from lawmakers was informed by interviews with representatives of Meta, Google, and major tax prep services. It cited and confirmed The Markup’s report and chided the tax companies for being ”shockingly careless with their treatment of taxpayer data” and the tech firms for acting “with stunning disregard for taxpayer privacy.”
Tax Filing Websites Have Been Sending Users’ Financial Information to Facebook
The Markup found services including TaxAct, TaxSlayer, and H&R Block sending sensitive data
The report determined that the tax prep companies installed tracking tools from Meta and Google on their services without a full understanding of how tax data might be collected and used, and that the companies were “still not fully aware of the current status of millions of taxpayers’ data.”
Tax data is tightly regulated, with penalties for improper sharing including fines and jail time. The report found the companies involved likely didn’t receive proper consent to share the data and could face criminal penalties.
The lawmakers provided the report today to various federal enforcement agencies and asked them in a letter to investigate and prosecute any company or individual who broke the law. The agencies include the Internal Revenue Service, the Treasury Inspector General for Tax Administration, the Department of Justice, and the Federal Trade Commission.
Meta, H&R Block, and TaxSlayer didn’t immediately respond to requests for comment. Angela Krieger, a spokesperson for Google, said the company has “strict policies and technical features” to stop Google Analytics users from collecting sensitive data and that it is site owners’ responsibility to police the information they collect.
Dermot Halpin, executive chair of TaxAct, said in a statement emailed after publication that the company cooperated with Warren’s staff and had disabled the “standard analytics tools” to evaluate concerns. “Protecting the rights and privacy of our customers is our top priority, and we are committed to engaging with stakeholders to address any concerns and to help advance public policy,” he said.
The government enforcement agencies the letter was sent to did not respond to a request for comment, except the FTC, which declined to comment.
The investigation was led by Massachusetts senator Elizabeth Warren and signed on to by Sens. Ron Wyden of Oregon, Richard Blumenthal of Connecticut, Tammy Duckworth of Illinois, Bernie Sanders of Vermont, and Sheldon Whitehouse of Rhode Island, as well as California representative Katie Porter. All are Democrats except Sanders, who is an independent.
The Meta Pixel is a widely used piece of tracking code that businesses and organizations can place on their websites to better target ads on Facebook. When web users visit a website with a pixel, the tool can record information about the visit and send it back to Facebook, and companies can then use that information to tailor ads. A business may put a pixel on their checkout page to advertise new products to past customers on Facebook, for example.
But while the code is used on millions of sites around the web, Meta cautions against using it to collect potentially sensitive information, like financial and health data. Nonetheless, as part of a project called Pixel Hunt, The Markup has found several cases in which sensitive data has been repeatedly sent to Meta, including from major hospitals, telehealth companies, and the U.S. Department of Education.
Meta claims to have automated mechanisms to filter out sensitive data, but the lawmakers’ report claims those safeguards are “woefully inadequate” and appear to exist only to provide “a modicum of deniability.” According to the report, Meta told congressional staff that it sent notifications to tax prep companies about the data after The Markup requested comment ahead of publication, but the tax prep companies said they never received those notifications.
The tax prep companies also contacted Meta multiple times after The Markup’s article was published to learn about the final status of their customers’ data, according to the report, but walked away without a satisfying answer.
In one instance, according to comments from TaxSlayer provided to the lawmakers, a Meta advertising representative specifically advised using a feature to collect data on pages viewed by web visitors. TaxSlayer told lawmakers’ staff that it was unaware how much data would be collected.
Unlike many other countries, the United States does not have a widely available, free tax-filing option run by the government itself, essentially forcing many taxpayers to go through tax preparation companies. The report urges the IRS to change that, concluding that the “investigation raises serious doubts about the ability of the tax prep industry to safeguard taxpayer information and highlights the urgent need for the IRS to develop its own online tax filing system—to protect taxpayer privacy and provide a better alternative for taxpayers to file their returns.”
Update July 13, 2023
This article has been updated to add a response from TaxAct that was received after publication.