Here to add another layer of dread ahead of the upcoming tax season, The Markup reported that some of the biggest online e-filing services—unbeknownst to millions of users—have been sharing sensitive user financial information with Meta. Some services linked user names and email addresses with detailed information like income, refund amounts, filing status, and even the amount of dependents’ college scholarships.
These services include H&R Block, TaxAct, and TaxSlayer, which transmit data via a tool that Meta provides for businesses called the Meta Pixel. The Markup published the data sent to Meta by these companies, which it confirmed was sometimes generated and shared “regardless of whether the person using the tax filing service has an account on Facebook” or other Meta service.
Meta provides the Meta Pixel as a code that businesses can customize and embed on their websites to gather information to help businesses improve targeted marketing campaigns on Meta platforms. In return for this service, Meta gets to use the shared data to drive its own algorithms in its mission to know just about everything that can be known about its own users.
The Markup asked the Internal Revenue Service to verify whether tax preparers sharing sensitive financial information with Meta violated IRS regulations, but the IRS declined to comment.
Tax-filing services respond
H&R Block spokesperson Angela Davied told The Markup that the company would be reviewing the information revealed by The Markup. She told Ars that the company has since decided to change how it uses the Meta Pixel.
“At H&R Block, we take protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels,” Davied told Ars.
A TaxSlayer spokesperson, Molly Richardson, told The Markup that TaxSlayer, like H&R Block, was evaluating its use of the pixel. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” Richardson said, confirming that the pixel would be removed until TaxSlayer finished its review.
This week, the Markup reviewed data shared from tax services with Meta. Its reporting confirmed that TaxSlayer no longer has the pixel on its site, and TaxAct currently isn’t sending income and refund amounts to Meta but was still sharing data regarding names of dependents. As of Monday, The Markup said H&R Block was still sharing “information on health savings accounts and college tuition grants.”
A spokesperson for TaxAct, Nicole Coburn, told The Markup, “We take the privacy of our customers’ data very seriously.” She also confirmed that “TaxAct, at all times, endeavors to comply with all IRS regulations.” [Update: Coburn told Ars, “The privacy of our customers is very important to all of us at TaxAct and we continue to comply with all laws and IRS regulations. Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.]
According to Meta, it prohibits businesses from sharing “information about an individual’s financial account or status.” This rule didn’t stop two businesses from sharing income information, The Markup reported.
A Meta spokesperson told Ars that the company detects and filters out some of this data.
“Advertisers should not send sensitive information about people through our business tools,” Meta’s spokesperson told Ars. “Doing so is against our policies and we educate advertisers on properly setting up business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Although the IRS declined to comment, The Markup reported that the IRS strictly regulates the information that tax preparers can collect and share without first gaining user consent. “For anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed,” The Markup reported.
Tax companies sharing sensitive financial data could risk jail time or fines for not explicitly telling users how information gathered during tax filing was shared with Meta, The Markup reported. A review conducted by The Markup found no such disclosures directly mentioning sharing data with Meta or Facebook posted on H&R Block, TaxAct, or TaxSlayer websites.
https://arstechnica.com/?p=1899620