Recently, The Markup discovered that various tax filing websites, including TaxAct, TaxSlayer, and H&R Block, were sending user financial information to Facebook, which is owned by Meta Platforms. The leak occurred through the filing websites’ use of a piece of code called Meta Pixel. It is a snippet of JavaScript code that collects information about a visitor and transfers it to Meta, ostensibly to provide analytic data back to the website owner. Generally, it’s limited to things such as a visitor’s geographic location and time spent on the page. But optional payloads can also be attached, and it seems the tax filing websites were neatly packing up sensitive financial information and e-shipping it off to Facebook.
You Are the Product
Let’s take a look at TaxAct’s privacy policy. An eagle-eyed observer will notice that there is no mention of the use of Meta Pixel, but the policy does disclose the use of Google Analytics, Crazy Egg, Contentsquare, and Neustar. Google Analytics is the Google platform that, in a fashion similar to Meta, provides a dashboard and analytic data of visitor information. Google has had its own problems with privacy.
Users of TaxAct are sharing their financial information not only with TaxAct itself but also with at least five separate entities, each subject to its own potential for data breaches and vulnerabilities. Crazy Egg, for example, provides heatmaps and other specialty lenses into analytic data. It allegedly had open security vulnerabilities as late as 2020, though the company didn’t confirm the alleged breach.
Similarly, Contentsquare is an analytics company that uses artificial intelligence to provide insights into user behavior and is venture funded by a number of entities, including BlackRock Private Equity Partners. Neustar is a TransUnion company—yes, the credit score people.
The simple reason a tax preparation website has four or five different methods and partners tasked with collecting information about visitors is that there is more value in the information collected than there is risk in its potential for misuse—at least for them. Some of this data may not even be of any value, but when storage is cheap, the cost of collecting all you can is minimal.
Compounding this risk is the relatively lax punishment if information is misused, owing to the nature of venture capital-funded entities. The system does not incentivize long-haul, my-brand-is-my-baby executives. Take the TaxAct example—the Meta Pixel data breaches were occurring prior to its acquisition by Cinven for $720 million. Whatever happens owing to the breach, the shareholders in TaxAct are left in a better position than when they started. Simply put, not collecting user data and selling it to third parties would be leaving money on the table.
Reforming Permissible Disclosures
The best solution is to eliminate private, for-profit tax preparation software and development and to support public, free options. Absent that unlikely turn of events, Treas. Reg. 301-7216 must be reformed to reflect the changing landscape of tax preparation. It limits what can be done with tax return information and prohibits the selling of return information even, in most cases, in the aggregate. It says nothing, however, about limiting additional information gathered by tax return preparers at the time of prep.
Let’s say there is an accountant with an office on Main Street in your town. You ask them to prepare your tax return for the year—you’re an avid reader of Bloomberg Tax, but you’re not about to prepare your own returns. The accountant gives you a stack of paperwork to fill out, and unknown to you, there are strategically placed forms that are unnecessary for the return preparation.
What they are necessary for, however, is the accountant’s side business making and selling hats. The accountant collects the disparate bits of information without ever looking at the returns themselves for said information and derives from it a list of addresses to sell those high-end hats to. Using various other means, the accountant can even sort out income ranges for each taxpayer and target only those above a certain threshold. These are fancy hats, after all.
Did the accountant misuse your private financial information? Not really. Is there a functional difference for you, the person now receiving dozens of haberdashery fliers in your mailbox each week? Nope. Your interaction with the marketplace for tax preparation forced you, against your will and without your knowledge, to engage in the marketplace for hats—or, dropping the metaphor, for data.
As our data is “out there” in more places, and more entities become chiefly data brokers, a significant subset of what amounts to private financial information about a given taxpayer can be collected, cross-referenced, analyzed, and reconstituted using various means, including artificial intelligence. Treas. Reg. 301-7216 doesn’t permit the aggregate sale of taxpayer data, but it is silent as to aggregating data about an individual taxpayer and connecting it with data from other sources.
The tax code must be expanded to restrict a tax return preparer from collecting information about a given taxpayer beyond the information they provide for processing their return, which constitutes private financial information. Protecting a taxpayer’s private financial information but allowing for the collection of other information just opens the door to breaches such as the Meta Pixel debacle, and it’s not future-proofed against aggregation methods that will be the equivalent of a breach. In marrying up short-term profit engines like the venture capital-backed software industry with our most sensitive data, we are basically playing with fire.
This requires a reconceptualization of what private financial information is when it comes to tax returns. The existing code makes private any financial information that could plausibly be used to identify a single taxpayer, and the same standard should be used for the mere act of having had your taxes prepared. In other words, there should be no collection of data by a tax preparer that would be able to identify an individual even only as a customer of said tax preparer.
If the government is going to force taxpayers to engage with private entities for tax preparation by not providing a comparable public option, it should at least ensure it’s also not forcing said taxpayers to engage in the data economy. If advertising and data harvesting models are permitted in the tax preparation space, they will compete with and best options that derive revenue purely from use of the service.
This is a regular column from tax and technology attorney Andrew Leahey, principal at Hunter Creek Consulting and a sales suppression expert. Look for Leahey’s column on Bloomberg Tax, and follow him on Mastodon at @andrew@esq.social.