Large tax preparation companies H&R Block, TaxAct, and TaxSlayer sent sensitive client financial information to Facebook’s parent company Meta after customers used the firms’ software to file their income taxes online, according to a report published last week by The Markup.
The data “includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts,” the report states.
Facebook can then use that information from the tax preparation companies “to power its advertising algorithms and is gathered regardless of whether the person using the tax-filing service has an account on Facebook or other platforms operated by its owner Meta,” according to the report.
TaxAct also uses Google’s analytics tool on its website, and The Markup found similar financial data—but not names—being sent to Google through its tool.
The Markup used TaxAct as an example of how the data is sent to Facebook:
When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refunds to the nearest hundred. The pixel also sent the names of dependents in an obfuscated—but generally reversible—format.
When asked to comment on the investigation, spokespeople from the three tax preparation companies claimed to not know users’ personal tax information was being collected by Facebook from the pixel and would have it removed from their tax-filing websites.
As of Nov. 23, The Markup said TaxAct had removed the pixel from its tax-filing web application but was still sending financial information to Google Analytics. The Markup also verified that H&R Block removed the pixel, as did TaxSlayer.
The investigation also found that Intuit was using the pixel, but its TurboTax software was not sending tax information to Meta; instead it was transmitting usernames and the last time a device was signed in. In some circumstances, the pixel also gathered information like an order ID number and a user’s email address after they signed in, The Markup said.
As of Nov. 21, TurboTax had stopped sending usernames through the pixel at sign-in, the report stated.