Tax prep websites have been sending sensitive financial data to Facebook

Meta’s Pixel tracking tool is causing more headaches, this time for people filing their taxes online. The Markup has discovered that large tax prep services like H&R Block, TaxAct and TaxSlayer have been sending users’ sensitive contact and financial information to Facebook through the Pixel. This sometimes included income data, filing statuses and even kids’ college tuition grants.

Intuit’s TurboTax also uses the Pixel to send data, although that’s limited to usernames and the last sign-in dates for given devices. The tool isn’t used beyond the login page, and a spokesperson told The Markup that the non-tax info goes to marketers to provide a “better customer experience.” You don’t see ads for TurboTax on Facebook if you already have an account, for instance. TaxAct is also delivering financial data to Google through that company’s analytics tool. 

The companies involved are altering or reevaluating their uses of the Meta Pixel. TaxAct has stopped sending financial data through the tracker, although it’s still transmitting similar content to Google as of this writing. TaxSlayer has pulled the Pixel to rethink its usage. H&R Block hasn’t changed its approach, but a spokesperson told The Markup the tax firm will “review the information.”

We’ve asked Meta for comment. Representative Dale Hogan pointed The Markup to Meta’s rules barring advertisers from sharing sensitive info, and noted that the system is meant to filter out this content. Google’s spokesperson, meanwhile, said the company had “strict policies” against targeting ads using sensitive content and that it anonymized analytics data to avoid linking it to users.

It’s not clear if any of the tax filing sites were misusing the data. Whether or not they were, they could still face penalties for gathering details without permission. Internal Revenue Service regulations require that tax prep firms obtain signed consent for using info for any reason beyond the filing. None of the websites in the report mentioned Meta or Facebook by name, and in some cases had only generic disclosure agreements. The sites gave users the option to decline sharing tax data, but Facebook received it regardless of what users selected.

Meta is already in legal trouble over the Pixel. Two proposed class action lawsuits filed earlier this year accused the social media giant and hospitals of violating privacy laws by scooping up patient data without consent. The plaintiffs also claimed Meta failed to enforce its own policies. In that sense, the tax site revelation just adds to the company’s problems.