Federal report reveals tax prep companies shared personal, financial data without consent

Some of the nation’s biggest tax preparation companies have been sharing your private financial information with big tech firms, according to a new congressional investigation.

H&R Block, TaxSlayer and TaxAct are the companies at the center of this report.

The findings show these companies shared the sensitive taxpayer information of tens of millions of customers with Meta and Google for years and without consent. In some cases, the exposed data was misused for targeted advertising.

Lawmakers say these companies and tech firms were reckless about their data sharing practices. They believe it puts taxpayer privacy at risk and potentially violates federal law.

“It’s hard to trust that your privacy is being protected by companies like this,” said John Davisson, Director of Litigation & Senior Counsel at the Electronic Privacy Information Center (EPIC).

The report shows these companies shared more than just names, emails, and phone numbers. They also shared personal tax info like having dependents, adjusted gross income and refund amounts.

“Tax information, financial information is some of the most closely guarded personal data that we have,” said Davisson.

The findings also outline that the tax companies weren’t fully aware of how much sensitive information was being exposed when they installed Meta and Google tools on their websites.

“These companies know their legal obligations to protect the privacy of taxpayers,” said Davisson. “For them to install technology on their platforms that they didn’t understand that was siphoning off this data is pretty astonishing.”

The Washington News Bureau reached out to all three companies in this report.

In a statement, TaxAct said, “we disabled the tools in question while we evaluated potential concerns. Protecting the rights and privacy of our customers is our top priority, and we are committed to engaging with stakeholders to address any concerns and to help advance public policy.”

A spokesperson from H&R Block said the company “takes protecting our clients’ privacy very seriously, and we have taken steps to prevent the sharing of information via pixels.”

We didn’t get a response from TaxSlayer.

In the report, lawmakers say the big tech firms haven’t provided full information about how they would collect taxpayer data and what they did or may be doing with it once it was collected.

A Google spokesperson said, “We have strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual,” while Meta explains that it instructs advertisers not to use its tools to send sensitive data.

Now Davisson wants Congress to pass stronger federal protections.

“Legislation that would prohibit secondary uses of data like this so there would be strong sanctions and penalties associated with this kind of reckless handling of personal data,” he said.

Lawmakers want several agencies, including the Justice Department and the Federal Trade Commission, to investigate what happened. At this time, the FTC is declining to comment.

Below are the full statements from companies named in the report:

TaxAct

“TaxAct has engaged with Senator Warren and her staff to provide transparent, detailed explanations on our use of these standard analytics tools. TaxAct has always complied with laws that protect our customers’ privacy and, as noted in the report, we disabled the tools in question while we evaluated potential concerns. Protecting the rights and privacy of our customers is our top priority, and we are committed to engaging with stakeholders to address any concerns and to help advance public policy.”

H&R BLOCK

“H&R Block takes protecting our clients’ privacy very seriously, and we have taken steps to prevent the sharing of information via pixels.” – H&R Block

META

“We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”

GOOGLE

“We have strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual. Site owners - not Google - are in control of what information they collect and must inform their users of how it will be used. Additionally, Google has strict policies against advertising to people based on sensitive information.” - Google spokesperson.