WASHINGTON, D.C. — Three large tax preparation firms sent “extraordinarily sensitive” information on tens of millions of taxpayers to Facebook parent company Meta over the course of at least two years, a group of congressional Democrats reported on Wednesday.
They say Meta then used some of that data to create advertising targeted to its own users and other companies, and to train Meta’s algorithms.
The Democrats’ report urges federal agencies to investigate and potentially go to court over the wealth of information that H&R Block, TaxAct and TaxSlayer shared with the social media giant.
In a letter to the heads of the IRS, the Department of Justice, the Federal Trade Commission and the IRS watchdog, seven lawmakers say their findings “reveal a shocking breach of taxpayer privacy by tax prep companies and by Big Tech firms.”
Their report said highly personal and financial information about sources of taxpayers’ income, tax deductions and exemptions was made accessible to Meta as taxpayers used the tax software to prepare their taxes.
That data came to Meta through its Pixel code, which the tax firms installed on their websites to gather information on how to improve their own marketing campaigns. In exchange, Meta was able to access the data to write targeted algorithms for its own users.
The program collected information on taxpayers’ filing status, income, refund amounts, names of dependents, approximate federal tax owed, which buttons were clicked on the tax preparers’ websites and the names of text entry forms that the taxpayer navigated, the report states.
Taxpayer data was also shared with Google, through its own tracking tools — though the firm told lawmakers that it never used the information to track users on the internet, according to the report.
The letter to federal agencies was signed by Sens. Elizabeth Warren, Ron Wyden, Richard Blumenthal, Tammy Duckworth, Bernie Sanders, Sheldon Whitehouse and Rep. Katie Porter. The lawmakers called for the agencies to “immediately open an investigation into this incident.”
They ask the agencies to investigate “and prosecute any company or individuals who violated the law,” saying it could result in billions of dollars in criminal liability to the firms.
The Markup, a nonprofit journalism outlet focusing on technology, initially reported on the data-sharing between tax firms and Meta in November. A TaxAct representative said the firm has engaged with Warren’s office to explain its usage of the analytical tools and that protecting customers is its top priority.
A TaxSlayer representative said Wednesday that the report “contains numerous false or misleading statements” regarding the taxpayers’ personal and filing information sent to Meta and Google, and that it will request a retraction or correction from Warren’s office.
H&R Block said that it takes protecting client privacy very seriously and has taken steps to prevent the sharing of information through the Pixel coding.
And Meta said that it has been clear in its policies that advertisers “should not send sensitive information about people through our Business Tools.”
“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring,” the company said in an emailed statement. “Our system is designed to filter out potentially sensitive data it is able to detect.”
This May, the FTC proposed sweeping new changes to its standing privacy order for Meta that would bar the company from using any data collected from children under 18, including via its virtual reality technologies. The new rules would also force Meta to pause new products and services until an independent assessor confirms that they comply with the FTC order. The under-18 concerns stem largely from Facebook’s Messenger for Kids app, which has long drawn fire for insufficient privacy protections for its younger users.
Also in 2018, the company disclosed that almost 50 million accounts had been vulnerable to the theft of digital “user tokens” that attackers could use to log into personal accounts. Facebook admitted the same year that most of its then 2.2 billion users had likely had their public data “scraped” by malicious actors.
Representatives from the IRS and FTC did not immediately respond to requests for comment. DOJ and the IRS watchdog declined to comment.