Major tax-filing websites secretly share income data with Meta
Financial data was sent to Meta by TaxAct, H&R Block, and TaxSlayer.
Here to add another layer of dread ahead of the upcoming tax season, The Markup reported that some of the biggest online e-filing services—unbeknownst to millions of users—have been sharing sensitive user financial information with Meta. Some services linked user names and email addresses with detailed information like income, refund amounts, filing status, and even the amount of dependents’ college scholarships.
These services include H&R Block, TaxAct, and TaxSlayer, which transmit data via a tool that Meta provides for businesses called the Meta Pixel. The Markup published the data sent to Meta by these companies, which it confirmed was sometimes generated and shared “regardless of whether the person using the tax filing service has an account on Facebook” or other Meta service.
Meta provides the Meta Pixel as a code that businesses can customize and embed on their websites to gather information to help businesses improve targeted marketing campaigns on Meta platforms. In return for this service, Meta gets to use the shared data to drive its own algorithms in its mission to know just about everything that can be known about its own users.
The Markup asked the Internal Revenue Service to verify whether tax preparers sharing sensitive financial information with Meta violated IRS regulations, but the IRS declined to comment.
Tax-filing services respond H&R Block spokesperson Angela Davied told The Markup that the company would be reviewing the information revealed by The Markup. She told Ars that the company has since decided to change how it uses the Meta Pixel.
“At H&R Block, we take protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels,” Davied told Ars.
A TaxSlayer spokesperson, Molly Richardson, told The Markup that TaxSlayer, like H&R Block, was evaluating its use of the pixel. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” Richardson said, confirming that the pixel would be removed until TaxSlayer finished its review.
This week, the Markup reviewed data shared from tax services with Meta. Its reporting confirmed that TaxSlayer no longer has the pixel on its site, and TaxAct currently isn’t sending income and refund amounts to Meta but was still sharing data regarding names of dependents. As of Monday, The Markup said H&R Block was still sharing “information on health savings accounts and college tuition grants.”
A spokesperson for TaxAct, Nicole Coburn, told The Markup, “We take the privacy of our customers’ data very seriously.” She also confirmed that “TaxAct, at all times, endeavors to comply with all IRS regulations.” [Update: Coburn told Ars, "The privacy of our customers is very important to all of us at TaxAct and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.]
According to Meta, it prohibits businesses from sharing “information about an individual’s financial account or status.” This rule didn’t stop two businesses from sharing income information, The Markup reported.
A Meta spokesperson told Ars that the company detects and filters out some of this data.
“Advertisers should not send sensitive information about people through our business tools,” Meta’s spokesperson told Ars. “Doing so is against our policies and we educate advertisers on properly setting up business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Although the IRS declined to comment, The Markup reported that the IRS strictly regulates the information that tax preparers can collect and share without first gaining user consent. “For anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed,” The Markup reported.
Tax companies sharing sensitive financial data could risk jail time or fines for not explicitly telling users how information gathered during tax filing was shared with Meta, The Markup reported. A review conducted by The Markup found no such disclosures directly mentioning sharing data with Meta or Facebook posted on H&R Block, TaxAct, or TaxSlayer websites.
Comparing how different tax services used the pixel The Markup’s investigation found that some online tax services had customized the pixel to share sensitive information, while others may have inadvertently shared information due to how the pixel is designed to be used by default.
H&R Block seems to be an example of the latter. The standard pixel configuration they used was designed to pull information from webpage titles. Because of this, health savings account and college expense information were collected. In another example, both TaxSlayer and TaxAct used an “automatic advanced matching” feature of the pixel to collect personally identifiable information like names and phone numbers. Meta has the ability to use this information to link pixel data to individual Facebook or Instagram users, The Markup reported.
Unlike other tax services, TaxAct went beyond default settings to customize its pixel. The Markup found that TaxAct shared detailed financial information with Meta, including gross adjusted income, by creating a custom event to track that specific information. TaxAct did not answer The Markup’s questions to explain why TaxAct chose to track that information. The company did not immediately respond to Ars' request for comment.
Not every major online tax-filing service shared financial data with Meta. Intuit’s TurboTax had been using the pixel only on its signup pages, limiting the information shared with Meta to online usernames and sign-in times. Intuit spokesperson Rick Heineman told Ars that this is an important topic for consumers, confirming that TurboTax complies with IRS regulations and “Intuit does not share tax return information with social media platforms, including Meta (Facebook), for marketing or any other purpose.
“Consistent with our privacy policy we may share some non-tax return information, such as username, with marketing partners to deliver a better customer experience,” Heineman told Ars. “For example, if an individual clicks on a TurboTax ad on Facebook and creates an Intuit account or signs into their account, Meta Pixel allows us to no longer show advertisements to the individual. While we have been consistent with our privacy policy, we have modified the implementation of Meta Pixel to ensure that moving forward username is not transmitted.”
Google is also collecting tax data While The Markup’s report focused on the Meta Pixel, their investigation also revealed that TaxAct was sharing financial information with Google through its use of Google Analytics. In those cases, names weren’t shared, but information like income and refund amounts were.
Google spokesperson Jackie Berté told The Markup that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.” Berté said that this reflects Google’s “strict policies against advertising to people based on sensitive information.”
When The Markup reviewed data as recently as this Monday, reporters confirmed that TaxAct “continued to send financial information to Google Analytics.”
Google did not immediately respond to Ars’ request for comment.
arstechnica.com |
