FTC warns tax preparers not to sell taxpayer data to Big Tech
Five tax preparation companies were warned of potential civil penalties if they use or share confidential consumer tax preparation data for unrelated matters, the Federal Trade Commission (FTC) said Monday.
In a press release, the FTC warned H&R Block, Intuit, TaxAct, TaxSlayer, and The Lampo Group that they will be penalized if they use tax preparation data for advertising or other unrelated purposes without consumers’ consent.
The results of a seven-month Congressional investigation unveiled in July found that H&R Block, TaxAct, and TaxSlayer shared sensitive taxpayer financial data with Google and Meta for years. Lawmakers said millions of taxpayers' sensitive personal and financial data was shared despite laws which prohibit tax preparers from doing so without customers' consent.
The report was accompanied by a letter, which asserted that tax preparers were “reckless” in disclosing the return data. The letter also said such disclosures are potentially illegal and the tax prep firms could face large fines and a prison term of up to one year for decision makers. The lawmakers’ report did not single out Intuit or the Lampo Group, though the FTC included the firms in its warning.
The FTC release noted that a company’s inclusion on the list is not an “indication that it has done anything wrong.”
Tania Mercado, a spokesperson for Intuit, said via email that the company does not share tax return information with social media platforms for marketing or any other purpose.
“Intuit is committed to being a responsible steward of our customers’ data,” she said.
A spokesperson for Google stressed in an emailed statement that the company has “strict policies and technical features that prohibit Google Analytics customers from collecting data that could be used to identify an individual.”
It emphasized that site owners — not Google — are in “control of what information they collect and must inform their users of how it will be used.”
The other firms mentioned here did not respond to a request for comment.
Tax prep firms were “stunningly careless” with customer data, the report said.
Big Tech firms “also appeared to act with stunning disregard for taxpayer privacy — failing to provide full and complete information about how they would collect taxpayer data, and what they did — or are doing — with it once it was collected,” the report said.
It noted that while both Meta and Google pointed to filtering systems they use to prevent sensitive taxpayer information from being collected by mistake, “these filtering systems appeared to be ineffective.”
In its press release Monday, the FTC said it is relying on its penalty offense authority to put the five companies on notice, warning them that they face civil penalties of up to $50,120 per violation if they misuse taxpayers’ personal data by selling it to big tech for advertising or otherwise exploit it in ways in which it is not meant to be used.
The commission’s Notice of Penalty Offenses announced Monday warns tax preparers against using information collected in a context where an individual “reasonably expects that such information will remain confidential for purposes not explicitly requested by the individual.” It also cautions them not to use the tax data in order to financially benefit themselves and not to use the data to advertise or sell services.
Additionally, the FTC warned the companies that use of tracking technologies such as pixels and cookies to “amass, analyze, infer, or transfer personal information” without first obtaining consumers’ “express consent” will be considered a deceptive and unfair practice.
The lawmakers’ letter to the FTC, the Department of Justice, the IRS, and the Treasury Department noted that the tax prep companies described the use of pixels and Google Analytics to send taxpayer data to Meta and Google as “ubiquitous” and “common industry practice.”
“One tax prep company revealed it had employed an additional 11 pixels on its website and that, because of the way these pixels operated and were set up, they potentially shared data for every single user of the company’s websites – millions of taxpayers,” the letter said.
The Meta Pixel and other Meta tools used by TaxAct collected an astonishing amount of personal taxpayer data, including filing status, approximate adjusted gross income, approximate refund amount, and names of dependents, the letter said. The Pixel then shared taxpayers’ full names, email, country, state, city, ZIP code, phone number, and gender as hashed values, which represent vast amounts of data as much smaller numeric values and are used with digital signatures.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.