Tax preparation sites aren’t just exploiting you, they’re helping Facebook do it, too

Campaign Action

There’s a snippet of code included on the popular website TaxAct used for electronically filing returns called the Meta Pixel. It includes this data, though not all of the companies transmit all of it. Facebook can use the information to write advertising algorithms and target them more effectively. It gets this data from the tax prep companies “regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.”

H&R Block has one that “gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses.” Another, TaxSlayer, “included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return.” The Verge says that specific demographic information was “obfuscated but still usable for Facebook to link a user to an existing profile.”

A tax preparation site run by Ramsey Solutions, built on a version of TaxSlayer, “gathered even more personal data from a tax return summary page, including information on income and refund amounts. This information was not sent immediately upon visiting the page but only when visitors clicked drop-down headings to see more details of their report.” Intuit’s TurboTax, remarkably since they’re among the biggest spenders to keep taxpayer’s reliant on their site, was the least awful, sending only usernames and information about the last time users logged in.

Once The Markup contacted these companies, some of them removed the pixel. “We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” Megan McConnell, a spokesperson for Ramsey Solutions, said in a statement. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.” Molly Richardson for TaxSlayer said that they had removed the pixel and were evaluating how it was used. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” she said. Intuit’s Rick Heineman said the company’s pixel would no longer send usernames.

That’s smart considering how awful that is. Mandi Matlock, a Harvard Law School lecturer focused on tax law, told The Markup that their findings about how “some of the most sensitive information” about taxpayers is “being exploited” are “appalling.” Shocking but not surprising, Jon Callas, director of public interest technology at the Electronic Frontier Foundation, said. “The practice is ubiquitous.”

As for Meta, it told The Markup that there are limits to the kinds of data it collects, and that its help page says that it prohibits data like bank account and credit card numbers, or “information about an individual’s financial account or status.” Except that two of the sites were sending income figures to Facebook. Which is pretty much information about financial status.

The Markup gathered all this information in a partnership with Mozilla Rally called Pixel Hunt, recruiting people to install a browser extension that captured the data that was shared to Facebook via the pixel and copied it for the project.

Earlier this year, with the help of Pixel Hunt participants, The Markup found sensitive data sent to Facebook on the Education Department’s federal student aid application website,  crisis pregnancy websites, and the websites of prominent hospitals.

Crisis pregnancy websites. “More than a third of the websites sent data to Facebook when someone made an appointment for an ‘abortion consultation’ or ‘pre-termination screening.’ And at least 39 sites sent Facebook details such as the person’s name, email address, or phone number,” The Markup reported earlier this year.

Facebook, in response to this reporting, passed the buck to the advertisers. “Advertisers should not send sensitive information about people through our Business Tools,” Dale Hogan, a spokesperson for Meta, said in an emailed statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.” It’s designed to do that, whether it is or not? 

Meanwhile, federal lawmakers are trying to push a data privacy bill through in the lame duck session. The major roadblock is, of course, Republicans who want a weaker federal bill to preempt state laws that have stronger protections. That’s also a key demand of the tech industry, but lawmakers from states that do have those strict laws want the federal bill to either be stronger or to allow states to enact stricter bars.

The likelihood of Congress doing anything about any of this—either fixing how we file our taxes or of dealing with the myriad problems Facebook poses to privacy—is slim to vanishing.

Daily Kos is the largest progressive organization online, but we don’t have billionaire backers. We rely on readers like YOU. Chip in $5 to help us keep fighting for progressive values.

Election 2022 is officially in overtime, with a Georgia Runoff. We must get out every last Democratic voter for Raphael Warnock. Click here to volunteer in whatever way possible you can.