ajor tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned.
The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
This article was copublished with The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change our society. Sign up for its newsletters here.
The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.
Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.
When users sign up to file their taxes with the popular service TaxAct, for example, they’re asked to provide personal information to calculate their returns, including how much money they make and their investments. A pixel on TaxAct’s website then sent some of that data to Facebook, including users’ filing status, their adjusted gross income, and the amount of their refund, according to a review by The Markup. Income was rounded to the nearest thousand and refunds to the nearest hundred. The pixel also sent the names of dependents in an obfuscated — but generally reversible — format.
TaxAct, which says it has about 3 million “consumer and professional users” also uses Google’s analytics tool on its website, and The Markup found similar financial data, but not names, being sent to Google through its tool.
TaxAct wasn’t the only tax filing service using the Meta Pixel. Tax preparation giant H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathered information on filers’ health savings account usage and dependents’ college tuition grants and expenses.
TaxSlayer, another widely used filing service, sent personal information to Facebook as part of the social media company’s “advanced matching” system, which gathers information on web visitors in an attempt to link them to Facebook accounts. The information gathered through the pixel on TaxSlayer’s site included phone numbers, the name of the user filling out the form, and the names of any dependents added to the return. As with TaxAct, specific demographic information about a user was obfuscated but still usable for Facebook to link a user to an existing profile. TaxSlayer has said it completed 10 million federal and state tax returns last year.
The Markup also found the pixel code on a tax preparation site operated by a financial advice and software company called Ramsey Solutions, which uses a version of TaxSlayer’s service. That pixel gathered even more personal data from a tax return summary page, including information on income and refund amounts. This information was not sent immediately upon visiting the page but only when visitors clicked drop-down headings to see more details of their report.
Even Intuit, the company that runs America’s dominant online filing software, employed the pixel. Intuit’s TurboTax, however, did not send financial information to Meta but, rather, usernames and the last time a device signed in. The company kept the pixel entirely off pages beyond sign-in.
“We take the privacy of our customers’ data very seriously,” Nicole Coburn, a spokesperson for TaxAct, said in an email. “TaxAct, at all times, endeavors to comply with all IRS regulations.” Angela Davied, a spokesperson for H&R Block, said the company “regularly evaluate[s] our practices as part of our ongoing commitment to privacy, and will review the information.”
Megan McConnell, a spokesperson for Ramsey Solutions, said in an email that the company “implemented the Meta Pixel to deliver a more personalized customer experience.”
“We did NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” the statement said. “As soon as we found out, we immediately informed TaxSlayer to deactivate the Pixel from Ramsey SmartTax.”
After The Markup contacted TaxSlayer, spokesperson Molly Richardson said in an email that the company had removed the pixel to evaluate its use. “Our customers’ privacy is of utmost importance, and we take concerns about our customers’ information very seriously,” she said, adding that Ramsey Solutions “decided to remove the pixel” as well.
Rick Heineman, a spokesperson for Intuit, said the company’s pixel “does not track, gather, or share information that users enter in TurboTax while filing their taxes,” although Intuit “may share some non-tax-return information, such as username, with marketing partners to deliver a better customer experience,” like not showing Intuit ads on Facebook to people who have accounts already. The company said it’s in compliance with regulations but has modified the pixel to no longer send usernames.
“This is appalling”
Mandi Matlock, a Harvard Law School lecturer focused on tax law, said The Markup’s findings showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited.”
“This is appalling,” she said. “It truly is.”
On Monday, after TaxAct was contacted by The Markup for comment, the company’s site no longer sent financial details like income and refund amount to Meta but continued to send the names of dependents. The site also continued to send financial information to Google Analytics. Also as of Monday, TaxSlayer and Ramsey Solutions had removed the pixel from their tax filing sites and TurboTax had stopped sending usernames through the pixel at sign-in. H&R Block’s site was continuing to send information on health savings accounts and college tuition grants.
How the Meta Pixel tracks users
Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish.
Using the code helps both Facebook and the businesses. When a customer comes to a business’s website, the pixel might record which items the customer browsed, say, a T-shirt, for example. The business can then target its ads on Facebook to people who looked at that shirt, allowing the business to find an audience that may already be interested in its products.
Meta wins financially, too. The company says it can use the data it gleans from tools like the pixel to power its algorithms, providing it insight into the habits of users across the internet.
The strategy has been successful for Facebook. In 2018, the company told Congress that there were more than 2 million pixels across the web — a massive data-harvesting operation most internet users never see.
“The practice is ubiquitous,” said Jon Callas, director of public interest technology at the Electronic Frontier Foundation, who said he was left in “shock but not surprise” at The Markup’s findings.
Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the Meta Pixel, while some appears to arise from customizations made by the tax filing services, someone acting on their behalf, or other software installed on the site.
For example, Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in webpage titles and the standard configuration of the Meta Pixel automatically collects the title of a page the user is viewing, along with the web address of the page and other data. It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked. The summary was detected by the pixel as a button, and in its default configuration, the pixel collects text from inside a clicked button.
The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.” That feature scans forms looking for fields it thinks contain personally identifiable information, like a phone number, first name, last name, or email address, and then sends detected information to Meta. On TaxSlayer’s site, this feature collected phone numbers and the names of filers and their dependents. On TaxAct, it collected the names of dependents.
The data collected by the matching feature is sent in an obfuscated form known as a hash, which Meta states is used in order to “help protect user privacy.” But the company can generally determine the pre-obfuscated version of the data. In fact, Meta explicitly uses the hashed information to link other pixel data to Facebook and Instagram profiles.
This pixel feature was turned off by default when The Markup set up a test pixel attached to a business account but could be turned on by clicking a toggle during setup.
When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a “custom event,” which are sent only if the pixel is configured beyond the default by a website operator or another application the website operator adds to their site. TaxAct did not respond to questions about whether and why it configured the pixel in this manner.