Major tax-filing sites routinely shared users’ financial info with Facebook

A new investigation reveals how companies share users' most personal financial data with advertisers.

The annual tax season looms large for Americans just after the holidays, and millions will soon turn to the $11 billion third-party filing industry to help make sense of their most recent finances—but a damning new exposé has revealed that some of the most popular tax sites routinely offered customers’ most private financial and personal data to Facebook without their knowledge, thanks to a tiny, nearly ubiquitous piece of surveillance code.

A deep dive from The Markup and The Verge published this morning explains in detail how some of the country’s most popular tax prep software makers, including H&R Block, TaxSlayer, and TaxAct, utilized the popular Meta Pixel tracking tool to amass sensitive data including names, email addresses, incomes, refunds, filing statuses, and even dependents’ college scholarship amounts from annual filings. Designed and made freely available by Facebook, the code marks a tiny pixel on participating websites that subsequently sends a host of information regarding people’s digital activity to Meta. Both Meta and businesses that opt in benefit from the tracking, because it allows them to amass consumer advertiser profiles while personalizing ads to their supposed tastes. Approximately one-third of the 80,000 most popular websites utilize Meta Pixel (disclosure: PopSci included), and the overall tracking cookie ecosystem provides the vast majority of revenue for many companies online.


However, The Markup’s most recent investigation into tax filing services’ surveillance presents a particularly egregious and invasive example of data harvesting. For one thing, much of the information amassed by the filing companies isn’t gathered by default Meta Pixel configurations, meaning that someone affiliated with these businesses is purposefully going into the settings to toggle specific information-gathering parameters. For example, pixels embedded by TaxAct and TaxSlayer used something called “automatic advanced matching,” which scans forms for fields potentially containing personally identifiable info like names, phone numbers, and emails, then sends that info to Meta, according to the report. Mandi Matlock, a Harvard Law School lecturer on tax law, told The Markup that its findings reveal taxpayers are “providing some of the most sensitive information that they own, and it’s being exploited,” adding, “This is appalling. It truly is.”
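A site owner can check for this kind of leakage by typing seeded test values into a form and searching the captured outbound requests for them. The sketch below is an added example, not code from The Markup's investigation or from any of the companies named; the hosts, parameter names, and the assumption that a tracker sends values either in plaintext or as a SHA-256 hash of the lowercased value are all hypothetical.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "taxsite.example"  # hypothetical site under audit
# Constructed values the auditor typed into the form (not real data).
SEEDED = {"email": "Pat.Tester@example.com", "first_name": "Pat", "refund": "1234"}

def encodings(value):
    """Forms a seeded value may take in a request (assumed: plaintext or SHA-256)."""
    norm = value.strip().lower()
    return {"plaintext": norm, "sha256": hashlib.sha256(norm.encode()).hexdigest()}

def audit(requests, seeded=SEEDED, first_party=FIRST_PARTY):
    """Return sorted (host, parameter, seeded_field, encoding) for third-party leaks."""
    findings = set()
    for req in requests:
        parts = urlsplit(req["url"])
        host = (parts.hostname or "").lower()
        if host == first_party or host.endswith("." + first_party):
            continue  # the site's own backend is expected to receive the data
        # Query-string parameters plus a form-encoded body, if one was captured.
        params = parse_qsl(parts.query) + parse_qsl(req.get("body", ""))
        for key, val in params:
            for field, value in seeded.items():
                for enc, needle in encodings(value).items():
                    # Exact match on the whole parameter value keeps short
                    # seeds such as "pat" from matching inside longer strings.
                    if val.strip().lower() == needle:
                        findings.add((host, key, field, enc))
    return sorted(findings)

# Constructed capture: one first-party save, two tracker calls, one static asset.
_EM = hashlib.sha256(b"pat.tester@example.com").hexdigest()
SAMPLE = [
    {"url": "https://taxsite.example/api/save?email=Pat.Tester%40example.com"},
    {"url": f"https://tracker.example/collect?ev=PageView&em={_EM}&fn=pat"},
    {"url": "https://tracker.example/collect?ev=Refund",
     "body": "refund_amount=1234&status=single"},
    {"url": "https://cdn.example/app.js?v=7"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Hashed values still count as findings here: a hash of a normalized email address is stable across sites, so it identifies the same person to whoever receives it.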

As the report notes, the US financial landscape unfortunately offers tax filers very few alternatives to these third-party companies. The IRS currently only allows free online tax filing through a governmental portal for people earning $73,000 or less per year. While some private services offer similar free filing, they often obfuscate the option to discourage people from selecting it. The combined result leaves many Americans all but forced to pay for these filing services, now with the knowledge that much of their most sensitive data may be harvested by tech companies.


In a statement provided to PopSci via email, a Meta spokesperson cautioned, “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Since the joint investigation, several of the surveyed sites have deactivated some of Meta Pixel’s features, according to The Markup. TaxAct continued to send dependents’ names to Facebook, while H&R Block still relayed health savings and college tuition grant amounts. According to legal experts, these services must provide clear and concise consent agreements stating exactly who receives filing information and how it is used. None of the companies’ privacy agreements mentioned Meta, Facebook, or Google (which also receives some of this data), something Nina Olson, executive director of the nonprofit Center for Taxpayer Rights, argues could be a major regulatory infraction.

“Do they have a list saying they’re going to disclose the refund amounts, and your children, and your whatever to Facebook?” she said. “If not,” she said, “they may be in violation.”

Update 11/23/22: The Markup reports that since publishing its report, both H&R Block and TaxAct have removed the Meta Pixel tracking code from their filing websites.