Millions of taxpayers’ personal information has been shared to Meta, Google, and other Big Tech firms according to the results of a recent Congressional investigation. The investigation was opened by Senators Elizabeth Warren (D-MA), Ron Wyden (D-OR), Richard Blumenthal (D-CT), Tammy Duckworth (D-IL), Bernie Sanders (I-VT), Sheldon Whitehouse (D-RI) and Representative Katie Porter (D-CA) following a November 22, 2022 story in The Markup that reported that popular online tax filing services including those operated by H&R Block, TaxAct, and TaxSlayer were using a piece of computer code called the Meta Pixel to transmit taxpayer information to Meta and other Big Tech companies.
The information transmitted included taxpayer names and e-mail addresses and, in some cases, information on income, filing status, refund amounts, dependents, and college scholarship information. The report concludes “The sharing of taxpayer data with Meta has put taxpayer privacy at risk and appears to represent a violation of taxpayer privacy laws.”
Brad Messner, Enrolled Agent and partner at M&J Tax Service, east of Pittsburg, Pennsylvania, regularly teaches tax professionals about information security and their responsibilities to their clients when using or disclosing information for purposes other than return preparation. Messner notes “It is a scary world we live in where a software product that millions of users trust and rely upon for annual filing requirements can so blatantly and irresponsibly share user data.” The congressional report uses the word “reckless” to describe the companies’ data sharing practices.
Section 7216 of the Internal Revenue Code, states that it is a criminal misdemeanor for any person who is engaged in the business of preparing tax returns (or providing services in connection with return preparation) to knowingly or recklessly disclose information furnished to them for purposes of preparing the return for “any purpose other than to prepare, or assist in preparing” the return and imposes fines and/or prison time for violations of the law.
Tax professionals must obtain written consent to disclose or use taxpayer information furnished in connection with return preparation for other purposes. Additionally, the form of the written consent is governed by Treasury Regulations that require the consent be provided as a separate document, not buried in an end-user license agreement or similar disclosure, and even go so far as to dictate specific language and font sizes for the disclosures.
The original report in The Markup noted that it looked for disclosures that the firms in question were sharing taxpayer data with Meta but did not find them. The report notes “Instead, some companies included relatively broad disclosure agreements.” Such agreements are not in compliance with Treasury Regulations governing use and disclosure of taxpayer information.
Too Big To Fail?
The Markup’s report also reminds readers “American taxpayers have few options but to turn to private companies to file their returns.” Indeed, according to Treasury Department reports many individuals (often half of American taxpayers) use paid providers to file their annual income tax returns. But are the regulations with which paid preparers must comply enforced equally for large and small firms? That remains to be seen.
According to Messner, “Accountability needs to happen, or this opens a huge door for anyone interested with personally identifiable information to ignore both legal requirements of confidentiality as well as well as ethical safeguards that should be put in place. Unfortunately, this type of incident is happening more often than ever and users have just started accepting that their data is not safe or secure. And that is a completely absurd and unreasonable acceptance.”
Messner goes on to state “There should be significant and very public repercussions for this gross breach of user trust and federal compliance. If a small practitioner caused a breach, even accidentally, they would be publicly berated by the local media, and the penalties in recovery cost would force them into closure.”
The professional liability insurance purchased by many smaller practitioners often asks if the firm’s website collects personal or other identifying information because it represents additional risk to the insurance provider. Consequently, many smaller firms are extremely diligent about how their clients’ information is both collected and used as they don’t want to violate the law and they want to keep their insurance costs as low as possible.
Smaller or more local firms also may have developed relationships with their clients that makes them extremely reluctant to engage in practices that could harm the clients or expose them to identity theft. Indeed, Albert J. Campo, CPA-owner of AJC Accounting Services in New Jersey, recommends using a small, local firm instead of one of the popular online retail providers because they “actually care about you.”
The report begs the question of whether large retail tax preparation firms, who were quoted as describing their information sharing as “ubiquitous” and “common industry practice,” should face the same level of scrutiny and consequences as smaller practitioners when it comes to how they are collecting, using, and disclosing client information. Are these behemoths of the return preparation industry “too big to fail.” For taxpayers’ sakes, one certainly hopes not.