Some of America’s largest tax-prep companies have spent years sharing Americans’ sensitive financial data with tech titans including Meta and Google in a potential violation of federal law — data that in some cases was misused for targeted advertising, according to a seven-month congressional investigation.
The report highlights what legal experts described to CNN as a “five-alarm fire” for taxpayer privacy that could lead to government and private lawsuits, criminal penalties or perhaps even a “mortal blow” for some industry giants involved in the probe including TaxSlayer, H&R Block and TaxAct.
Using visitor tracking technology embedded on their websites, the three tax-prep companies allegedly sent tens of millions of Americans’ personal information to the tech industry without consent or appropriate disclosures, according to the congressional report reviewed by CNN.
Beyond ordinary personal data such as people’s names, phone numbers and email addresses, the list of information shared also included taxpayer data — details about people’s filing status, adjusted gross income, the size of their tax refunds and even information about the buttons and text fields they clicked on while filling out their tax forms, which could reveal what tax breaks they may have claimed or which government programs they use, according to the report.
The report, which drew on congressional interviews and written testimony from Meta, Google and the tax-prep companies, also found that every taxpayer who used TaxAct’s IRS Free File service while the tracking was enabled would have had their information shared with the tech companies. Some of the tax-prep companies still do not know whether the data they shared continues to be held by the tech platforms, the report said.
“On a scale from one to 10, this is a 15,” said David Vladeck, a law professor at Georgetown University and a former consumer protection chief at the Federal Trade Commission, the country’s top privacy watchdog. “This is as great as any privacy breach that I’ve seen other than exploiting kids. This is a five-alarm fire, if what we know about this so far is true.”
It is also an example, Vladeck said, of why the United States needs federal legislation guaranteeing every American a basic right to data privacy — an issue that has languished in Congress for years despite electronic data becoming an ever-larger part of the global economy.
What was being tracked
The congressional findings represent the latest claims of wrongdoing to hit the embattled tax-prep industry after a report last year by the investigative journalism outlet The Markup highlighted the tracking practice.
Wednesday’s bombshell report adds to those earlier revelations by identifying a previously unreported category of data that was allegedly being collected and shared: the webpage titles in online tax software that can reveal what tax forms users have accessed, said an aide to Democratic Sen. Elizabeth Warren, who helped lead the congressional probe. For example, taxpayers who entered information about their college savings contributions or rental income may have done so on webpages bearing titles reflecting that information, which would then have been shared with the tech companies, the aide said.
During the probe, Meta told investigators it used the taxpayer data it received to target third-party ads to users of its platform and to train its artificial intelligence algorithms, the report said. The Warren aide told CNN it was unclear whether Meta knew it was inappropriately using taxpayer data at the time. A Meta spokesperson said the company instructs its partners not to use its tools to share sensitive information and that Meta’s systems are “designed to filter out potentially sensitive data it is able to detect.”
The technology behind the data collection, known as a tracking pixel, is commonly used across the entire internet. A small snippet of code that website owners can insert onto their sites, tracking pixels gather information that can help companies, including but not limited to Meta and Google, understand the behavior or interests of website visitors.
Because of the tracking technology used by TaxAct, TaxSlayer and H&R Block, “every single taxpayer who used their websites to file their taxes could have had at least some of their data shared,” the report said.
‘Reckless sharing’ of protected data
The tax-prep companies at the center of the investigation told lawmakers the collected data had been scrambled to help protect privacy, according to the report. But the report also said some of the tax-prep firms themselves were not fully aware of how much information was being exposed to the tech platforms, and the report cited past FTC research concluding that even “anonymized” data can be easily reverse-engineered to identify a person.
The pixels’ use in a taxpayer context resulted in the “reckless” sharing of legally protected data that could put taxpayers at risk, according to the report by Warren and her Democratic colleagues Sens. Ron Wyden; Richard Blumenthal; Tammy Duckworth; and Sheldon Whitehouse; Sen. Bernie Sanders, an independent who caucuses with Democrats; and Democratic Rep. Katie Porter.
The FTC, the Internal Revenue Service, the Justice Department and the Treasury Inspector General for Tax Administration “should fully investigate this matter and prosecute any company or individuals who violated the law,” the lawmakers wrote in a letter dated Tuesday to the agencies and obtained by CNN. The FTC and DOJ declined to comment; the IRS and TIGTA didn’t immediately respond to a request for comment.
In a statement, H&R Block said it takes client privacy “very seriously, and we have taken steps to prevent the sharing of information via pixels.” Wednesday’s report said H&R Block had testified to using the tracking technology for “at least a couple of years.”
TaxAct and TaxSlayer didn’t immediately respond to a request for comment. The report said TaxAct had been using Meta’s tools since 2018 and Google’s since about 2014, while TaxSlayer began using Meta’s tools in 2018 and Google’s in 2011. The investigation found that all three tax-prep companies had discontinued their use of Meta’s pixel after The Markup’s report last November.
Intuit, the maker of TurboTax, received an initial inquiry letter from the lawmakers in December but was not a focus of Wednesday’s report because the company did not use tracking pixels to the same extent, the investigation found.
Increased scrutiny
Tax preparation firms have faced mounting scrutiny in recent years amid reports that many have turned to data harvesting as a business model and that the largest among them have spent millions lobbying against legislation that could make it easier for Americans to file their tax returns. An IRS report this year found that 72% of Americans would be interested in using a free, electronic tax filing service if it were provided by the agency as an alternative to private online filing services. The IRS plans to launch a pilot version of that service to a limited number of taxpayers in the 2024 tax filing season.
Google told CNN it prohibits business customers from uploading to its platform sensitive data that could be traced back to a person.
“We have strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual,” a Google spokesperson said. “Site owners — not Google — are in control of what information they collect and must inform their users of how it will be used. Additionally, Google has strict policies against advertising to people based on sensitive information.”
Legal risk
Wednesday’s report focuses more heavily on Meta’s use of taxpayer data, the Warren aide told CNN, because Google did not appear to have used the information for its own commercial purposes as overtly as Meta and the investigation was unable to fully determine whether Google may have used the data for other applications.
The allegations could nevertheless create extensive legal risk for both the tech companies as well as the tax-preparation firms, according to tax and privacy legal experts.
The tax-prep companies could face billions in fines under US tax law if the federal government decides to sue, said Steven Rosenthal, a senior fellow at the Urban-Brookings Tax Policy Center. In addition, the US government could seek criminal penalties.
“The scope of ‘taxpayer information’ is broad by design,” Rosenthal said, adding that tax-prep companies can be sued for “knowingly” or “recklessly” leaking that information. “The companies shouldn’t be sharing it in a way that some third party could obtain it.”
Theoretically, he said, the tax code also affords individual taxpayers the right to file private lawsuits against the tax-prep companies. But most if not all of those firms require customers to submit to mandatory arbitration that could realistically make bringing a private claim more challenging, said the Warren aide.
Apart from the tax code, both the tech giants as well as the tax-prep firms could also face civil liability from the FTC — which can police data breaches and hold companies accountable for their commitments to user privacy — and potentially from state governments that have their own privacy laws on the books, said Vladeck.
Depending on the strength of the allegations, the tax-prep companies could quickly be forced into a binding settlement, said a former FTC official who requested anonymity in order to speak more freely.
“If the facts are really strong, these companies would probably rather settle than go to court. This is very embarrassing,” the former official said. “It could be a mortal blow to the tax prep companies.”