Tax preparers that shared private data with Meta, Google could be fined billions
EnlargePgiam | iStock / Getty Images Plus
reader comments
58 with Yesterday, Congress members revealed the results of a seven-month investigation into tax-filing companies. Lawmakers found that H&R Block, TaxAct, and TaxSlayer "recklessly shared" potentially hundreds of millions of taxpayers' sensitive personal and financial data with Google and Meta "for years" in apparent violation of laws prohibiting tax preparers from sharing tax return information without customers' consent. In a press release provided to Ars from the office of Senator Elizabeth Warren (D-Mass.), lawmakers alleged a "massive, likely illegal breach of taxpayer privacy." Insisting upon urgent redress, lawmakers are now calling upon the Department of Justice, the Internal Revenue Service (IRS), the Federal Trade Commission, and the Treasury Inspector General for Tax Administration to "fully investigate this matter and prosecute any company or individuals who violated the law." The Congress members' report said that "any tax return preparer who 'knowingly or recklessly discloses'" tax return information "is subject to a fine up to $1,000 per violation, and a prison term of up to one year." "The companies shared millions of taxpayers' tax return data, meaning they could face billions of dollars in potential criminal liability," lawmakers wrote in a letter to federal agencies. For its investigation, congressional staff interviewed representatives at tax-filing sites, as well as at Meta and Google. These interviews uncovered what their report said was "a troubling pattern and practice of data sharing by tax prep companies, a complete lack of corporate responsibility and accountability on the part of tax prep companies and Big Tech firms, and a potentially illegal use of sensitive taxpayer information." "Under the law, 'a tax return preparer may not disclose or use a taxpayer's tax return information prior to obtaining a written consent from the taxpayer,'" lawmakers' letter said. The only exception allows for data sharing with "auxiliary service providers" working "in connection with the preparation of a tax return." However, lawmakers said that "Meta and Google likely do not meet the definition of 'auxiliary service providers,'" partly because "the data sharing with Meta was for advertising purposes—not 'in connection with the preparation of a tax return.'" Advertisement The congressional probe followed a bombshell report from The Markup in November 2022, revealing that tax-filing websites had been sharing customers' sensitive financial information with Meta. After being contacted by The Markup, all three tax-filing websites confirmed that they'd removed or disabled the Meta Pixel tracking tools that were gathering sensitive data. But while tax-filing websites were quick to stop collecting data, nobody's sure how much information was collected. One unnamed company told Congress that "every single taxpayer who used their websites could have had at least some of their data shared." Lawmakers in their letter called tax prep companies "untrustworthy and incompetent." Attempting to research if tax prep companies had gained consent to disclose and use data from its users, Congress was blocked by the companies, who refused to "provide current and historical versions of disclosure agreements and privacy policies." Undeterred, Congress consulted Internet archives to access historical versions of company policies and pieced together that none of the companies appeared to have gained consent from their customers to share the sensitive data with Meta and Google. TaxSlayer and H&R Block did not immediately responded to Ars' request to comment, but a TaxAct spokesperson told Ars that the company cooperated with lawmakers and works to protect user privacy. "TaxAct has engaged with Senator Warren and her staff to provide transparent, detailed explanations on our use of these standard analytics tools," TaxAct's spokesperson told Ars. "TaxAct has always complied with laws that protect our customers' privacy and, as noted in the report, we disabled the tools in question while we evaluated potential concerns. Protecting the rights and privacy of our customers is our top priority, and we are committed to engaging with stakeholders to address any concerns and to help advance public policy." A Meta spokesperson told Ars that Meta stands by a statement provided to Ars last year, saying that "advertisers should not send sensitive information about people through our business tools. Doing so is against our policies and we educate advertisers on properly setting up business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect." A Google spokesperson told Ars that the company has "strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual. Site owners—not Google —are in control of what information they collect and must inform their users of how it will be used. Additionally, Google has strict policies against advertising to people based on sensitive information."
