Tax Filing Software Sent Sensitive User Information to Facebook: Report

A car passes Facebook's new Meta logo on a sign at the company headquarters in Menlo Park, Calif., on Oct. 28, 2021. (Tony Avelar/AP Photo)
Bryan Jung
11/24/2022
Updated: 11/24/2022

Popular tax filing software, such as TaxAct, TaxSlayer, and H&R Block, reportedly violated financial privacy by sending sensitive personal information to Meta’s Facebook.

Meta’s Pixels, Facebook’s widely used code that tracks user activity on the internet, allowed the social media giant to secretly receive personal financial information through online tax filing services, according to a joint investigative report by The Markup and The Verge on Nov. 22.
The unauthorized data collection was discovered earlier this year by The Markup, in a project with Mozilla Rally called “Pixel Hunt,” in which participants installed a browser extension that sent the investigators a copy of all data shared with Meta through the pixel.

The Internal Revenue Service says that it processes about 150 million electronic individual tax returns a year.

Unlike other countries, the United States has a privatized tax filing system that utilizes third parties to prepare individual filings, leaving American taxpayers at the mercy of private companies to file their returns.

Tax preparation has become a massive $11 billion industry in the United States, according to research data.

Meta Using Pixels to Track and Gather Info

The Pixel trackers embedded in the tax preparation software forwarded information like names, email addresses, income information, and refund and college scholarship amounts to Meta, in violation of its official policies.

Facebook allegedly took the sensitive tax data to boost its advertising algorithms, even if an individual using the tax filing services did not have an account on platforms owned by its parent, Meta, said the report.

This is not the first time Facebook’s code has been exposed for tracking people online without their consent, and Meta has long been known for exploiting its technology that publishers and businesses embed on their websites.

Facebook admitted to Congress in 2018 that there were more than 2 million Pixels across the web, as part of its massive data harvesting operation that most internet users were not aware of.

The trackers were willingly installed by companies to allow them to target ads toward potential customers based on sites that they had previously visited, and the trackers would send a message back to Facebook recording each visit.

The logo of Google during the Viva Tech start-up and technology summit in Paris on May 25, 2018. (Charles Platiau/Reuters)

Forced to Confront Data Breach

Meanwhile, The Markup also discovered that TaxAct had transmitted similar financial information to Alphabet through its Google Analytics tool, but did not share individual names.

“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” Megan McConnell, a spokesperson for Ramsey Solutions, a financial advisory firm that uses TaxSlayer, told The Markup.

McConnell said that Ramsey told TaxSlayer to remove Pixel tracking from its SmartTax software, which suggested that many clients were unaware of the security breach.

She explained in an email that the company only “implemented the Meta Pixel to deliver a more personalized customer experience.”

Intuit’s TurboTax, the most used online filing software in the United States, also utilized the Pixel, but the company denied sending financial information to Meta; it only forwarded usernames along with the last time a customer signed in.

The tax service company told The Markup that the Pixel is not used on its website past the sign-in page.

Intuit’s use of Pixels “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” Rick Heineman, a company spokesperson, told The Markup.

An H&R Block spokesperson told CNBC that the company took “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.”

“The privacy of our customers is very important to all of us at TaxAct, and we continue to comply with all laws and IRS regulations,” a TaxAct spokesperson told CNBC, regarding The Markup report.

“Data provided to Facebook is used at an aggregate level, not the individual level, by TaxAct to analyze our advertising effectiveness. TaxAct is not using the information provided by its customers and referenced in the report issued by The Markup to target advertising with Facebook.”

The Facebook app is shown on a smartphone in Surfside, Fla., on April 23, 2021. (Wilfredo Lee, File/AP Photo)

Tax Preparation Firms Restrict Use of Pixel

Since news of the report broke, TaxAct said that it will no longer send financial details like income and refund amount to Meta, but would continue to send the names of dependents and would still send financial information to Google Analytics, The Markup reported.

TaxSlayer told The Markup in an email that the company had removed the Pixel from its software and would reevaluate its use.

“Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” said TaxSlayer spokesperson Molly Richardson, who added that Ramsey Solutions had also “decided to remove the pixel.”

TaxSlayer and Ramsey Solutions have since removed the Pixel from their tax filing sites, while TurboTax has stopped sending usernames through the Pixel at sign-in, The Markup reported.

H&R Block will now only send Pixel information on health savings accounts and college tuition grants.

Google and Meta Defend Data Tracking

However, spokespersons for Google and Meta defended their software and blamed the tax preparation companies for improperly sending private data to them.

“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” Google spokesperson Jackie Berté told The Markup.

“Additionally, Google has strict policies against advertising to people based on sensitive information.”

“Advertisers should not send sensitive information about people through our Business Tools,” Dale Hogan, a Meta spokesperson, told The Markup in a statement.

“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

Hogan pointed to Meta’s rules regarding the use of potentially sensitive information, which includes information about income, loan amounts, and debt status.