The Markup found services including TaxAct, TaxSlayer, and H&R Block sending sensitive data
By: Simon Fondrie-Teitler, Angie Waller, and Colin Lecher
Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned.
The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner, Meta.
Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.
When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refund to the nearest hundred. The pixel also sent the names of dependents in an obfuscated, but generally reversible, format.
TaxAct, which says it has about three million “consumer and professional users,” also uses Google’s analytics tool on its website, and The Markup found similar financial data, but not names, being sent to Google through its tool.
TaxAct wasn’t the only tax filing service using the Meta Pixel. Tax preparation giant H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses.
TaxSlayer, another widely used filing service, sent personal information to Facebook as part of the social media company’s “advanced matching” system, which gathers information on web visitors in an attempt to link them to Facebook accounts. The information gathered through the pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return. As with TaxAct, specific demographic information about a user was obfuscated but still usable for Facebook to link a user to an existing profile. TaxSlayer has said it completed 10 million federal and state tax returns last year.
The Markup also found the pixel code on a tax preparation site operated by a financial advice and software company called Ramsey Solutions, which uses a version of TaxSlayer’s service. That pixel gathered even more personal data from a tax return summary page, including information on income and refund amounts. This information was not sent immediately upon visiting the page but only when visitors clicked dropdown headings to see more details of their report.
Even Intuit, the company that runs America’s dominant online filing software, employed the pixel. Intuit’s TurboTax, however, did not send financial information to Meta but rather usernames and the last time a device signed in. In some circumstances, the pixel also gathered information like an order ID number and user’s email address after they signed in.
“We take the privacy of our customers’ data very seriously,” Nicole Coburn, a spokesperson for TaxAct, said in an email. “TaxAct, at all times, endeavors to comply with all IRS regulations.” Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”
Megan McConnell, a spokesperson for Ramsey Solutions, said in an email that the company “implemented the Meta Pixel to deliver a more personalized customer experience.”
“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” the statement said. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”
After The Markup contacted TaxSlayer, spokesperson Molly Richardson said in an email that the company had removed the pixel to evaluate its use. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” she said, adding that Ramsey Solutions “decided to remove the pixel” as well.
Rick Heineman, a spokesperson for Intuit, said the company’s pixel “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” although Intuit “may share some non-tax-return information, such as username, with marketing partners to deliver a better customer experience,” like not showing Intuit ads on Facebook to people who have accounts already. The company said it’s in compliance with regulations but has modified the pixel to no longer send usernames.
Mandi Matlock, a Harvard Law School lecturer focused on tax law, said The Markup’s findings showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited.”
“This is appalling,” she said. “It truly is.”
On Monday, after TaxAct was contacted by The Markup for comment, the company’s site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign in. H&R Block’s site was continuing to send information on health savings accounts and college tuition grants.
As of Wednesday, after this story was published, TaxAct had removed the pixel from its tax filing web application but was still sending financial information to Google Analytics, and H&R Block told The Markup it removed the pixel from its tax filing website “to stop any client tax information from being collected.” The Markup verified that it had been removed.
How the Meta Pixel Tracks Users
Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish.
Using the code helps both Facebook and the businesses. When a customer comes to a business’s website, the pixel might record what items the customer browsed, say, a T-shirt, for example. The business can then target its ads on Facebook to people who looked at that shirt, allowing the business to find an audience that may already be interested in its products.
Meta wins financially too. The company says it can use the data it gleans from tools like the pixel to power its algorithms, providing it insight into the habits of users across the internet.
The strategy has been successful for Facebook. In 2018, the company told Congress that there were more than two million pixels across the web—a massive data-harvesting operation most internet users never see.
“The practice is ubiquitous,” said Jon Callas, director of public interest technology at the Electronic Frontier Foundation, who said he was left in “shock but not surprise” at The Markup’s findings.
Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the Meta Pixel, while some appears to arise from customizations made by the tax filing services, someone acting on their behalf, or other software installed on the site.
For example, Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in webpage titles and the standard configuration of the Meta Pixel automatically collects the title of a page the user is viewing, along with the web address of the page and other data. It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked. The summary was detected by the pixel as a button, and in its default configuration the pixel collects text from inside a clicked button.
The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.” That feature scans forms looking for fields it thinks contain personally identifiable information like a phone number, first name, last name, or email address, then sends detected information to Meta. On TaxSlayer’s site this feature collected phone numbers and the names of filers and their dependents. On TaxAct it collected the names of dependents.
The data collected by the matching feature is sent in an obfuscated form known as a hash, which Meta states is used in order to “help protect user privacy.” But the company can generally determine the pre-obfuscated version of the data—in fact Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.
This pixel feature was turned off by default when The Markup set up a test pixel attached to a business account but could be turned on by clicking a toggle during setup.
When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a “custom event,” which are sent only if the pixel is configured beyond the default by a website operator or another application the website operator adds to their site. TaxAct did not respond to questions about whether and why it configured the pixel in this manner.
There are limits to the types of data Meta says it will collect through the pixel. The company says it doesn’t want sensitive information sent to it, including financial data, and that it uses automated filtering to block potentially sensitive data. Its help center states that it prohibits sending information including bank account or credit card numbers or “information about an individual’s financial account or status.”
Still, one specific type of prohibited data, income, was exactly what two tax sites sent to Facebook, The Markup found. Data sent to Facebook by TaxAct suggests it was also previously sending a parameter labeled “student_loan_interest,” which is now being filtered by the pixel before being sent.
From January to July of this year, The Markup tracked websites’ use of the pixel as part of the Pixel Hunt, a partnership with Mozilla Rally. For the project, participating users installed a browser extension that provided The Markup with a copy of all data shared with Meta via the pixel.
The Markup initially discovered sensitive information was shared by the tax preparers through data shared by Pixel Hunt participants. The Markup then signed up for accounts on the companies’ web applications and used the “Network” section of Chrome DevTools, a tool built into Google’s Chrome browser, to replicate and confirm the data.
Earlier this year, with the help of Pixel Hunt participants, The Markup found sensitive data sent to Facebook on the Education Department’s federal student aid application website, crisis pregnancy websites, and the websites of prominent hospitals.
Meta collects so much data even the company itself sometimes may be unaware of where it ends up. Earlier this year Vice reported on a leaked Facebook document written by Facebook privacy engineers who said the company did not “have an adequate level of control and explainability over how our systems use data,” making it difficult to promise it wouldn’t use certain data for certain purposes.
At the time, a company spokesperson told Vice that Facebook has “extensive processes and controls to manage data and comply with privacy regulations.”
In response to The Markup’s questions about the tax websites’ use of the pixel, Dale Hogan, a spokesperson for Meta, pointed to the company’s rules on sensitive financial information.
“Advertisers should not send sensitive information about people through our Business Tools,” Hogan wrote in an emailed statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Google spokesperson Jackie Berté said in an email that the company “has strict policies against advertising to people based on sensitive information” and that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.”
The IRS Closely Regulates Tax Data
Nina Olson, the executive director of the nonprofit Center for Taxpayer Rights, was the national taxpayer advocate at the Internal Revenue Service between 2001 and 2019, a position in the agency meant to represent the interests of taxpayers.
As part of her role at the IRS, she said, she contributed to the development of regulations that govern disclosures of tax information. Olson said the IRS regulations controlling the way private tax filing services can use data are intentionally “very strong.”
Under the regulations she helped develop, tax preparers—including e-filing companies—can use the information they receive from taxpayers only for limited purposes; for anything beyond immediately facilitating filing, the preparer has to get signed consent from the user that explains the recipient and the precise information being disclosed.
The government goes so far as to prescribe even the font size of requests for disclosure, saying it must be “the same size as, or larger than, the normal or standard body text used by the website or software package.”
The penalties for disclosing data without consent are potentially steep: Fines and even jail time are possible, although Olson said she wasn’t aware of any criminal cases that have been pursued.
The Markup reviewed the tax preparation websites for disclosures that specifically mentioned Meta or Facebook but did not find them. Instead, some companies included relatively broad disclosure agreements.
TaxAct, for example, requested users approve sending their tax information to its sister company, TaxSmart Research LLC, so it could “develop, offer, and provide products and services” for users. It also stated “TaxSmart Research LLC may use service providers and business partners to accomplish these tasks.” H&R Block, meanwhile, included nearly the same disclosure request so “H&R Block Personalized Services, LLC” could provide products of its own. Those sites provided the user with the option to decline to share tax information, although data was shared with Facebook regardless of what option users chose, according to The Markup’s tests.
Any disclosure from a tax preparer must provide the exact purpose and recipient to be in compliance, Olson said. “Do they have a list saying they’re going to disclose the refund amounts, and your children, and your whatever to Facebook?” she said. If not, she said, they may be in violation of regulations.
The IRS declined to comment or answer questions about whether any of the sites sharing tax information were in violation of tax law.
No Way Out for Taxpayers
American taxpayers have few options but to turn to private companies to file their returns.
Unlike other countries, the United States has a heavily privatized system for filing taxes, one that often requires the use of third-party tax preparers. While in those other countries the government handles the calculations, and taxpayers simply approve the numbers, after a successful lobbying push from private companies, tax preparers in the U.S. effectively act as middlemen between taxpayers and the government.
A free preparation and filing option exists, but it’s limited to people making $73,000 or less and can be difficult to use. Companies offer their tax software at no charge through an agreement with the IRS but have been criticized for not making the option easily available.
The IRS even effectively directs taxpayers attempting to file for free to some of the companies The Markup found using the pixel. A handful of tax preparation services are part of the agreement, known as the Free File Alliance—including TaxAct and TaxSlayer. TurboTax and H&R Block have been part of the program in the past.
Harvard’s Matlock said The Markup’s findings showed the almost inevitable consequences of relying on for-profit companies to handle a government requirement. It’s a process that provides users little choice but to hand over their data to Facebook if they want to comply with the law, she said.
“It’s frustrating because taxpayers have been pushed into the arms of these private, for-profit companies simply to comply with their tax filing obligations,” she said. “We have no choice, really, in the matter.”
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.