Tax filing software caught sending personal financial info to Meta: report

Several tax prep services have been found sending sensitive financial information to Meta, including people’s income, filing status, and even amounts won in college scholarships.

The information comes via an investigative report from The Markup, which claims that Meta Pixel implementation in tax filing services has led to unintended data collection on Meta’s part.

Meta Pixel is a piece of JavaScript code created by Meta that lets companies track user activity as a way to “measure the effectiveness of [ads and the design]” of their websites. As it turns out, way more information than user activity was being sent, and all without user consent. Names of filers, dependents, email addresses, and in some cases, phone numbers were among the leaked financial data. And it doesn’t matter if those users didn’t have an account on any Meta-owned platform. Meta can still use this data to bolster its own advertising algorithm, according to the report.

Google was also implicated in the report, but that situation appears less dire. A Google spokesperson states the data collected is all jumbled and can’t be tied to a specific person.

Mixed messages

A look through the report and the various statements made shows a lot of mixed messages coming from the companies. Actions aren’t aligning with statements.

According to Meta’s own help center page, the tech giant prohibits other companies from sending financial data; however, information on people’s income was still received. Tax filing services did give users the “option to decline to share tax information”, but that didn’t matter because, again, the data was still sent and received.

Various spokespeople said the tax filing services they represent didn’t know Meta Pixel was sending so much information. 

Now, however, several companies are changing how they use the code. TaxAct, one of the mentioned services, will no longer transmit financial details to Meta but will still send the names of dependents. Both TaxSlayer and Ramsey Solutions have removed the code from their websites. Others, like H&R Block, will continue sending information on “health saving accounts and college tuition grants.” 

The Markup calls into question these services’ claims that they didn’t know Meta Pixel was sending all this data. There is evidence, the report notes, to suggest TaxAct purposely configured the Pixel code to transmit certain dollar amounts as “parameters to a custom event,” allowing them to be tracked. We reached out to TaxAct and asked if it would like to make a statement about The Markup’s claim. This story will be updated if we hear back. 

Currently, there’s no indication any of the information collected has been misused. It’s also unknown if any of the companies involved will face any kind of penalty. The Internal Revenue Service (IRS) has so far declined to comment on the situation, according to The Markup.

In trouble again

This isn’t the first time Meta Pixel has gotten its parent company or others into trouble. The tech giant is currently facing multiple lawsuits from across the United States over the Pixel code allegedly being used to collect people’s health data and serve them targeted ads. One complaint, from Illinois, accuses Meta and Advocate Aurora of “intercepting, accessing, and disclosing… patient health information…”

We also asked Meta if it had a statement about The Markup’s report and if there are plans to change the Pixel code given recent controversies. Again, we’ll update this story if we hear back.

Be sure to check out TechRadar’s guide on what to do if your tax information gets stolen. Although nothing malicious has been reported, it never hurts to be careful.