H&R Block, TaxAct, and TaxSlayer are some of the major tax filing services that transmit sensitive financial information to Facebook.

The data that is sent through the widely used code called the MetaPixel includes not only names and email addresses, but also more detailed information such as income, filing status, refunds, and dependents' college scholarship amounts.

The article was co-published by The Markup, which investigates how powerful institutions are using technology to change society. You can sign up for the newsletter here.

The information sent to Facebook can be used by the company to power its advertising algorithm and is gathered regardless of whether the person has an account on Facebook or not.

The Internal Revenue Service processes about 150 million individual returns each year, and some of the most widely used e-filing services use thepixel.

Users of TaxAct are asked to provide personal information to calculate their returns, including how much money they make and their investments. The data that was sent to Facebook from TaxAct's website included users' filing status, adjusted gross income, and the amount of their refunds, according to a review. The income was rounded to the nearest thousand and the refunds to the closest hundred. The names of dependents were sent in a format that was obfuscated but still readable.

TaxAct isn't the only service that uses the MetaPixel. Tax preparation giant H&R Block, which also offers an online filing option that attracts millions of customers per year, embedded a pixel on its site that gathers information on filers' health account savings usage and dependents' college tuition grants and expenses

TaxSlayer sent personal information to Facebook as part of the social media company's "advanced matching" system, which gathers information on web visitors in an effort to link them to Facebook accounts Specific demographic information about a user was nixed but still usable for Facebook to link a user to an existing profile. TaxSlayer finished 10 million tax returns last year.

A version of TaxSlayer's service is used on a tax preparation site operated by Ramsey Solutions. Personal data from a tax return summary page included information on income and refunds. When visitors clicked on the drop-down headings, more details of their report were sent.

The company that runs America's dominant online filing software employed thepixel The financial information that was sent to Meta was not financial, but usernames and the last device to sign in. The company didn't allow the pixel to go beyond sign-in.

Nicole Coburn said that TaxAct takes the privacy of their customers very seriously. The TaxAct tries to comply with all IRS regulations. H&R Block reviews its practices as part of its commitment to privacy, and will do so again, according to a spokeswoman.

Megan McConnell stated in an email that the company implemented the MetaPixel to deliver a more personalized customer experience.

The statement said that they didn't know that personal tax information was being collected by the social network. We immediately told TaxSlayer to remove the device from Ramsey SmartTax.

Molly Richardson said in an email that the company had removed the piece of paper to evaluate its use. She said that the privacy of their customers is of paramount importance and that Ramsey Solutions decided to remove thepixel.

Although the company does not track, gather, or share information that users enter in TurboTax while filing their taxes, it does share some non-tax-return information, such as usernames, with marketing partners to deliver. The company said it is in compliance with the regulations, but has changed the way it does business.

According to Mandi Matlock, a Harvard Law School lecturer focused on tax law, taxpayers are giving some of the most sensitive information that they own.

She called it appalling. It's definitely true.

After being contacted by The Markup, TaxAct stopped sending financial details like income and refunds to Meta but continued to send the names of dependents. Financial information was sent to the site by the website. TaxSlayer and Ramsey Solutions have removed the pixel from their tax filing websites. Health savings accounts and college tuition grants were still being sent to the H&R Block website.

How the Meta Pixel tracks users

Businesses can make use of the code on their websites as they please.

Both Facebook and the businesses use the code. A T-shirt that a customer browsed on a business website might be recorded. The business can use Facebook to target its ads to people who are already interested in its products.

Meta is a winner financially as well. The company says it can use the data it gleans from tools to power its algorithms and give it insight into the habits of users across the internet.

The strategy has been a success. The company told Congress that there were more than two million pieces of data across the web.

Jon Callas, director of public interest technology at the Electronic Frontier Foundation, said he was left in shock but not surprised by the findings.

Some of the sensitive data collection analyzed by The Markup appears linked to default behaviors of the MetaPixel, while some appears to arise from customizations made by the tax filing service, someone acting on their behalf, or other software installed on the site.

The title of the page the user is viewing, along with the web address of the page and other data, is automatically collected by Meta Pixel. Income information from Ramsey Solutions was collected because the summary expanded when clicked. In the default configuration, the summary is detected as a button and the text is collected from inside the button.

Automatic advanced matching is a feature embedded in the pixels. The feature scans forms looking for personally identifiable information, like a phone number, first name, last name, or email address, and then sends it to Meta. This feature on TaxSlayer collected phone numbers and names of people who filed. The names of dependents were collected on Tax Act.

Meta states that the data collected by the matching feature is used to protect user privacy. The pre-obfuscated version of the data is usually determined by the company. The hashed information is used by Meta to link other data to profiles on social networks.

The feature was turned off by default, but could be turned on by clicking a button.

When TaxAct sent dollar amounts like adjusted gross income to Meta, they were transmitted as parameters to a " custom event" which are only sent if the website operator adds to their site. TaxAct didn't reply to questions about whether or not it configured thepixel in this way.

Illustrative example of user data running through the Meta Pixel, marked with AGI, Federal Refund Amount, and number of dependentsIllustrative example of user data passing through Meta Pixel including AGI, Federal refund amount, and number of dependents.


Once a tax return was filled out on Taxact.com, information including an individual’s adjusted gross income, federal refund amount, and number of dependents was sent to Meta via the Meta Pixel. Data in the screenshots is not real user data.
Image: Taxact.com and The Markup

There are limits to the data that can be collected. The company doesn't want sensitive information sent to it and uses automated filters to block potentially sensitive data. Information about an individual's financial account or status is not allowed, according to the help center.

Income was one of the types of data that tax sites send to Facebook. The data sent to Facebook by TaxAct shows that it was previously sending a student loan interest parameters, which is now being removed.

Meta doesn't want to get sensitive financial data.

From January to July of this year, The Markup tracked websites' use of thepixel as part of the Pixel Hunt. Users installed a browser extension that gave them a copy of the data shared with Meta.

Sensitive information was shared by tax preparers and participants in the Pixel Hunt. The "Network" section of the Chrome browser was used to confirm the data after the Markup signed up for accounts on the companies' websites.

The Education Department's federal student aid application website, as well as crisis pregnancy websites, and the websites of prominent hospitals, were found to have sensitive data sent to Facebook.

Even the company might not be aware of where Meta ends up. Vice reported on a leaked Facebook document that said the company did not have an adequate level of control and explainability over how its systems use data.

Facebook has strict processes and controls to manage data and comply with privacy regulations, according to a company spokesman.

Dale Hogan, a spokesman for Meta, pointed out that the company has rules on sensitive financial information.

Hogan said that advertisers shouldn't send sensitive information about people through the business tools. We educate advertisers on how to set up business tools to prevent this from happening. Our system is designed to prevent sensitive data from being detected.

The company has strict policies against advertising to people based on sensitive information, and it is not tied back to an individual, according to an email from the company's spokesman.

The IRS closely regulates tax data

The director of the Center for Taxpayer Rights was the national taxpayer advocate at the IRS from 2001 to 2019.

She was involved in the development of regulations that govern disclosures of tax information. The way the IRS regulates private tax filing services is very strong.

Tax preparers can only use the information they receive from taxpayers for limited purposes under the regulations she helped develop.

The government says that requests for disclosure must be the same size as or larger than the body text on the website or software package.

Penalties for leaking data can be steep.

Even jail time is a possibility for disclosing data without consent, although she was unaware of any criminal cases that have been pursued.

The tax preparation websites mentioned Meta but did not find them in the review. Some companies did not include broad disclosures.

Users were asked to approve sending their tax information to TaxAct's sister company, TaxSmart Research. Service providers and business partners could be used by TaxSmart Research. H&R Block's disclosure request allowed it to provide products of its own. The data was shared with Facebook regardless of which option users chose, according to The Markup.

The exact purpose and recipient of a tax preparer's disclosure is required to be in compliance. She asked if they had a list of what they were going to reveal. They might be in violation of regulations if not.

The IRS wouldn't say if any of the sites were in violation of tax law.

No way out for taxpayers

American taxpayers don't have a lot of options when it comes to filing their taxes.

Unlike other countries, the United States has a heavily privatized system for filing taxes. The calculations are handled by the government in other countries. Tax preparers act as a middleman between taxpayers and the government after a successful lobbying push.

Market researchers estimate that tax preparation is an $11 billion industry in the US.

It is possible to get a free preparation and filing option, but only if you make $73,000 or less. Companies offer their tax software at no charge through an agreement with the IRS, but have been criticized for not making the option easy to use.

The IRS directed taxpayers trying to file for free to some of the companies, according to The Markup. TaxAct and TaxSlayer are two of the tax preparation services that are part of the free file alliance. H&R Block has been involved in the program before.

The consequences of relying on for-profit companies to handle government requirements were shown in the findings by The Markup. If users want to comply with the law, they must give their data to Facebook.

Taxpayers have been pushed into the arms of private for-profit companies to comply with their tax filing obligations. We have no choice.