A recent
The report details the results of an investigation led by Sen. Elizabeth Warren, D-Massachusetts, which was launched in response to
The report singles out one tool in particular, tracking pixels. Tracking pixels, also known as web beacons or pixel tags, are typically small transparent images or snippets of code embedded in web pages or in emails. They are used by advertisers, marketers, and website owners to collect information about user behavior, such as page views, clicks, conversions, or to track the effectiveness of advertising campaigns.
The three companies named, according to the report, confirmed that their software has used tracking pixels for "at least a couple of years" and told the investigators that their use is ubiquitous across the industry. Some of these trackers collect information on a user's filing status, approximate adjusted gross income, approximate refund amount, names of dependents, amount of federal tax owed, the buttons a user clicked and the text-entry forms they navigated (which could indicate whether a taxpayer was eligible for certain deductions or exemptions), and their full name, email, country, city, state, zip code, phone numbers and gender. Further, the trackers collected information about other sites a user has visited that might reveal information about a specific tax situation, such as whether they have dependents or rental income or capital gains.
The report noted that both the tax prep companies and the tech firms they sent data to pointed out that the information was anonymous. However, the Federal Trade Commission told the senators that aggregation of this information could still be used to create a dossier or profile of someone, which could then be shared for marketing or other purposes. For instance, Meta admitted that they do match email addresses collected via trackers with email addresses they have on file to serve targeted ads.
Indeed, Meta, when questioned by senators, said that it used this data to target ads to specific taxpayers, as well as to train their AI algorithms. Google said it does not, itself, use the data it collects unless a user explicitly opts in, and claims it only provides data to website publishers for product data, versus ad targeting or user tracking.
The companies were accused in the report of acting not so much maliciously as recklessly and irresponsibly, and were characterized as "shockingly careless." Representatives claimed their companies installed Meta and Google tools on their websites without fully understanding the extent to which they'd be leaking taxpayer data. They also claimed not to know what Meta was planning to do with the data.
H&R Block, for instance, said that while they did use the Meta pixel, they were unaware of any other kinds being used on their site; Google then confirmed that H&R Block had some of its tools on their website, further raising concerns that the companies may not even know how much data they're leaking. The report said H&R Block took action only after the initial report late last year.
However the report also noted that TaxSlayer, at a certain point, did become aware of the extent of the data collected via these pixels but continued to use them. They claimed to not be aware, however, that their pixel could also track page metadata via the AutoConfig option — despite Meta describing how this works in its own online guides. TaxSlayer also said Meta reps encouraged them to keep this feature on.
On the part of the tech companies receiving the data, the senate report assailed them as acting with "stunning disregard for taxpayer privacy," as they did not fully disclose how they were collecting taxpayer data or what their intended use for it was. While both Google and Meta said they had filtering systems to prevent the collection of sensitive information, the report said it appears they were not effective. Further, while there are policies against collecting and using such personal information, the Senate report said it appears these were rarely enforced.
The report further said that, upon initial reports of data leakage late last year, the tax prep companies attempted to get clarification from Meta to get a better understanding of the kind of data sent to the social media company, and to get the company to delete personal information it may have collected. The companies told the senators that Meta did not provide any further information on the data it collects; while it did tell them it deleted the user data, there was no confirmation of whether or not that happened. The companies asked Meta for more specifics via a letter, but there was no response.
Sen. Warren said that, in light of these revelations, it is possible the tax prep companies may have violated taxpayer privacy laws by sharing this sensitive data. She noted that, under the law, tax preparers may not disclose or use a taxpayer's return information prior to obtaining written consent from the taxpayer. While there are exceptions for an auxiliary service provider in connection with filing a return, Meta and Google do not meet the definition of one.
The senate report concluded by calling for further action from federal agencies.
"This potentially illegal misuse of taxpayer data should be immediately investigated by the Department of Justice, IRS, the Treasury Inspector General for Tax Administration and FTC, and liable actors should be duly prosecuted. This investigation raises serious doubts about the ability of the tax prep industry to safeguard taxpayer information and highlights the urgent need for the IRS to develop its own online tax filing system — to protect taxpayer privacy and provide a better alternative for taxpayers to file their returns," the report concluded.
H&R Block, in a statement, said that it takes these revelations seriously and aims to prevent such privacy breaches from happening in the future.
"H&R Block takes protecting our clients' privacy very seriously, and we have taken steps to prevent the sharing of information via pixels," said the tax prep company's statement.
Meta, in a statement of its own, said that it has been clear about the proper use of sensitive information in its business tools.
"We've been clear in our
TaxAct, meanwhile, emphasized its cooperation with Sen. Warren and her staff, as well as the fact they have now disabled the tracking tools.
"TaxAct has engaged with Senator Warren and her staff to provide transparent, detailed explanations on our use of these standard analytics tools. TaxAct has always complied with laws that protect our customers' privacy and, as noted in the report, we disabled the tools in question while we evaluated potential concerns. Protecting the rights and privacy of our customers is our top priority, and we are committed to engaging with stakeholders to address any concerns and to help advance public policy," said a TaxAct spokesperson.
TaxSlayer did not reply to a request for comment.
'A privacy culture problem'
Brian Tankersley, director of strategic relationships with K2 Enterprises, has spent a number of years warning professionals about this very thing
"The bigger conversation is that we've proven over and over that the data is leaking, and nothing ever seems to get better. The big tech companies pay a fine, pinky swear to not do it again, and two years later, it happens again. I don't understand why we protect health care data with more gusto than we protect other personal and financial data," he said.
He added that the report points to the need for more public conversation about how data is used in cloud financial technology, noting that many of the privacy policies and terms of service offered by these companies are incomprehensible and dense, meaning many users don't even know what it is they're agreeing to.
"The average accounting firm has literally dozens of tools from many different vendors, and they all have similar incomprehensible documents that only a bureaucrat could love. I suspect data is being used by service providers in ways we can't even imagine, and figuring all of this out is way beyond the skill set of the average accounting practitioner," he said.
He was not confident that any of the players in this incident will be held to sufficient account, which means that the underlying cultural issues that led to the incident likely won't change anytime soon.
"The first step in all 12-step recovery programs is to admit that you have a problem — then the next 11 steps are where you get to work on fixing your problem. It's clear that there's a privacy culture problem in Silicon Valley, and the question is whether Silicon Valley even wants to change. Changing culture is hard, and if the Valley can't (or won't) address the underlying issues, how will our government compel Meta and Google to address these privacy issues in a meaningful way? We will all have to wait and see what happens," he said.