Major Tax E-Filing Services Found Leaking Personal and Financial Data to Meta

Several online tax filing services are sending sensitive personal and financial data to Meta, the parent company of Facebook. Once again, the culprit is Meta Pixel, a small JavaScript code snippet embedded in websites to track visitor behavior for effective ad targeting.

According to an investigation by The Markup, tax filing services by H&R Block, TaxAct, TaxSlayer, and Ramsey Solutions have been sharing more data than what their users bargained for. The exposé comes three months following similar revelations that the social networking giant nonconsensually collects healthcare data from 664 healthcare providers, including the personal healthcare information of 1.36 million users of Novant Healthcare.

These e-filing services were sharing user data with Meta, irrespective of whether they have a Facebook account. The collected data is used by Meta to create detailed profiles of people and make its ad-targeting algorithm more efficient.

Tax filer data that H&R Block, TaxAct, TaxSlayer, and Ramsey Solutions (which also leverages TaxSlayer) exposed to Meta includes names, email addresses, phone numbers, income, filing status, refund amounts, and dependents’ college scholarship amounts, and specific (was obfuscated but still useful) demographic information.

Total Education Expenses of an HR Block User Exposed to Meta | Source: TheMarkupOpens a new window

Each e-filing service exposed different kinds of information. For example, TaxSlayer shared phone numbers, the name of the tax filer, and any dependents the filer added to their return. In contrast, TaxAct shared financial information but not the names to both Meta and Google.

See More: Why Google’s $391.5M Settlement With 40 States Over Privacy Concerns is Just a Smokescreen

Sample Screenshot of the Total Income and Tax Return Statement of a Ramsey Solutions User Exposed to Meta | Source: TheMarkupOpens a new window

Meanwhile, Intuit, which kept Meta Pixel off-limits to data beyond the sign-in page, exposed usernames and the last time a user signed inOpens a new window from a device but not financial information.

The Markup didn’t mention the exact or even an approximate number of users that may have been impacted by nonconsensual tracking. However, an estimate of the number of users e-filing taxes on TaxAct (three million), H&R Block (21.2 million between May 2019 and July 2020), TaxSlayer (10 million), Intuit TurboTax (42.7 million units as of July 2022), indicates the scale of the leak.

The Internal Revenue Service declined to comment whether any of the implicated e-filing services violated federal tax laws. By Monday this week, TaxSlayer and Ramsey Solutions removed Meta Pixel from their website, and Intuit’s TurboTax ceased exposing usernames through the pixel at sign-in.

However, even though TaxAct was no longer sending financial details (income and refund amount), it continued sending the dependents’ names to Meta. TaxAct also sends financial data to Google Analytics, while H&R Block still sends health savings accounts and college tuition grants data.

Ramsey Solutions spokesperson Megan McConnell told The Markup, “We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel. As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.” 

The Markup received similar comments from the rest of the online tax filing services.

More than 6.8 million websites have Meta Pixel today, a massive data-harvesting operation feeding the company’s adtech business which contributed 98.27% of its $27.71 billionOpens a new window revenue in Q3 2022.

Meta has been penalized multiple times in recent years for flagrant privacy violations. The company has also been challenged on legal grounds through a couple of class-action lawsuits for illicit collection of sensitive health data of millions of patients without consent and using the information to target individuals with advertisements on Facebook and Instagram.

The company is also being sued separately by iOS users for tracking them despite opting out of being tracked through the App Tracking Transparency feature on iOS.

User trust in Meta was further eroded by a leaked report which suggested that the company cannot keep a tab on collected data. Drafted internally by privacy engineers from Facebook’s Ad and Business Product team, the document was leaked in April 2022, indicating the intricacies in the company’s internal systems, so much so that even its engineers are failing to keep track of where and when the data is being used.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!

Image source: Shutterstock

MORE ON DATA TRACKING AND USER PRIVACY

• Massachusetts DPH Sued for Forcefully Installing Spyware on One Million Android Devices
• Hundreds of RDS Snapshots Found Exposing PII and Other Data for a Month
• Data Governance Act: A Unique Opportunity to Enhance Data
• Experts Cite Privacy Risks From Two Qatari Apps Required for FIFA World Cup Visitors