About 10 million people type their personal financial information into H&R Block, TaxSlayer and TaxAct websites every year to prepare their taxes, trusting the companies to keep their information safe. Instead, the companies shared that personal information with Google and Facebook, some going as far back as 2011, members of Congress wrote in a new report.
The congressional investigation, led by Sen. Elizabeth Warren (D-Mass.), follows a report last year about such data-sharing with Facebook by the technology journalism website The Markup. Warren and six other lawmakers wrote to the Justice Department on Tuesday urging criminal charges against the tax companies for violating laws that prevent tax preparers from sharing their clients’ personal information.
Calling the three tax prep companies’ extensive sharing of user data with tech companies “outrageous,” the seven Democrats said the episode is reason enough to support a plan being developed by the IRS to build its own free tax preparation software, rather than steering taxpayers to commercial tax preparation software.
H&R Block said its do-it-yourself tax filing website filed 8.4 million returns in the most recent tax filing season. An analysis of IRS data by tax prep company Column Tax found that TaxSlayer filed 1.5 million returns and TaxAct filed 3 million returns for customers in 2022.
In statements to The Washington Post, H&R Block and TaxAct said they have changed their practices to stop sharing sensitive user data via pixels. TaxSlayer did not respond to inquiries from The Post about the congressional report.
The congressional report found that some of the customers affected by the data sharing were using a free version of TaxAct that the company offers in conjunction with the IRS to help low-income filers fill out their tax returns.
The three companies tracked the information that users typed into their tax preparation websites using pixels, a common technology utilized on almost all websites for customer ad targeting on social media. Google and Meta, Facebook’s parent company, offer this tracking technology to website administrators. When users typed their information into the tax forms, the report says, pixel technology sent that data to Google and Facebook — including users’ approximate annual gross income, the amount of money they received as a tax refund, whether they are married and have children, and whether they ever clicked on a long list of tax forms that would reveal more about their income and life events.
Competitor TurboTax shared with Meta its customers’ usernames, not their financial information, the congressional report said.
Much of the tax software data was transmitted in a way that was supposed to make the users anonymous, but the legislators contend that a technology expert could easily get around the attempt at anonymizing the data. And they said that Meta confirmed to the senators that Meta did indeed use the information from the tax software to show targeted ads to Facebook users, including ads that were not for tax preparation services.
“The tax prep firms were shockingly careless with their treatment of taxpayer data. They indicated that they installed the Meta and Google tools on their websites without fully understanding the extent to which they would send taxpayer data to these tech firms, without consulting with independent compliance or privacy experts, and without full knowledge of Meta’s use of and disposition of the data,” the lawmakers wrote in a letter to the IRS, the Federal Trade Commission, and Attorney General Merrick Garland.
If an accountant shared a taxpayer’s personal financial information, that person would face the possibility of criminal prosecution, a $1,000 fine and a year in prison. The lawmakers argued that the same law should apply to the software companies.
In an emailed statement, Meta blamed the tax prep companies. “We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Google sent a similar statement via email: “We have strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual. Site owners — not Google — are in control of what information they collect and must inform their users of how it will be used. Additionally, Google has strict policies against advertising to people based on sensitive information.”
Jacob Bogage contributed to this report.