Major US tax filing services such as H&R Block, TaxAct, and TaxSlayer have been transmitting sensitive financial information to Meta when Americans file their taxes online.
The data was sent through widely used code called “Meta Pixel” and included information ranging from names and email addresses to users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
The information can be used by Meta for its advertising algorithms, according to The Verge and The Markup, and was gathered regardless of whether the person using the tax filing service had an account on Facebook or any of Meta’s other platforms. The two publications collected screenshots of the data-sharing in action.
TaxAct has around three million consumer and professional users and also uses Google Analytics on its website. The Markup said it had found similar financial information, but not names, being sent to Google through this tool.
H&R Block embedded a pixel on its site that lapped up information on users’ health savings account usage and their dependents’ college tuition grants and expenses.
TaxSlayer, meanwhile, sent personal information to Facebook as part of the social media platform’s “advanced matching” system, which gathers online information in order to try to link it to Facebook accounts. The information gathered on TaxSlayer’s site ranged from phone numbers and user names to the names of any dependents on the tax return.
TaxAct and TaxSlayer had “obfuscated” specific demographic information about users but The Markup said it was still usable for Facebook to link a user to an existing profile.
“We take the privacy of our customers’ data very seriously,” said Nicole Coburn, a spokesperson for TaxAct. “TaxAct, at all times, endeavors to comply with all IRS regulations.”
Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”
TaxSlayer said that it had removed the pixel from its service to evaluate its use.
“Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” said spokesperson Molly Richardson.
TaxAct stopped sending financial details like income and refund amount to Meta after it was contacted by The Markup, but continued to send the names of dependents. It also continued to send financial information to Google Analytics. TaxSlayer removed the pixel from its tax filing sites. H&R Block continued to send information on health savings accounts and college tuition grants.
“Advertisers should not send sensitive information about people through our Business Tools,” said Meta spokesperson Dale Hogan in an emailed statement.
“Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Jackie Berté, a spokesperson for Google, said that the company “has strict policies against advertising to people based on sensitive information” and that Google Analytics data “is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user.”