Sen. Elizabeth Warren is coming for the tracking pixels.
Specifically, she, along with fellow Democratic Sens. Ron Wyden, Richard Blumenthal, Tammy Duckworth, Bernie Sanders, and Sheldon Whitehouse, and Rep. Katie Porter, are coming for tax preparation companies that sent tens, if not hundreds, of millions of taxpayers’ data to Big Tech through those tracking pixels.
On Wednesday, the lawmakers released a report detailing how TaxAct, H&R Block, and TaxSlayer put Meta and Google’s tracking pixels on their sites, sharing taxpayers’ data with those companies in what could be a violation of the law. It shows how extensive this data collection and sharing is, even on web services that you’d expect or trust would keep your information private. The situation also shows how a lack of privacy laws has helped make this practice so widespread and ingrained into the fabric of the internet itself, to the point that even companies that may have a legal obligation to keep our data private don’t know or don’t care that they aren’t doing so.
“Giant tax prep companies have recklessly shared millions of taxpayers’ most sensitive, private tax information with Meta in what appears to be a violation of the law,” Warren told Vox. “The Department of Justice and FTC must immediately investigate and prosecute any Big Tax Prep or Big Tech company that broke the law, and we must expand the IRS’ free, direct-file program to ensure taxpayers have the option to protect their privacy from greedy, reckless corporations.”
The seven-month-long investigation was prompted by a report from the Markup, which found Meta’s trackers on the three tax prep companies’ websites. Those trackers, the article said, were sending the sensitive financial and biographical information that the tax prep sites collect to Meta. That data could include names, addresses, phone numbers, which pages users clicked on, and even their income, refund amount, and other financial data. (Intuit, which makes TurboTax, also had trackers on its sites, but the data it shared was limited.)
The three companies acknowledged to the Senate inquiry that they’ve used pixels from Meta, Google, and, in TaxSlayer’s case, several other companies, for years now. The amount and type of data they shared was even more extensive than what the Markup discovered. The tax prep companies along with Meta and Google, which were also consulted in the inquiry, maintained that this data was anonymized, but the inquiry found that it is possible to reidentify individuals from it.
TaxSlayer didn’t respond to a request for comment. H&R Block said it “takes protecting our clients’ privacy very seriously, and we have taken steps to prevent the sharing of information via pixels.” The company told the inquiry that it had Meta pixels on its sites for “at least a couple of years” and denied using any other pixels, even though Google confirmed that H&R Block used the Google Analytics tracker. This discrepancy, the report said, “raises the concern that tax prep companies themselves are unaware of what pixels they are using and how this may be affecting taxpayer privacy.”
TaxAct said it “has engaged with Senator Warren and her staff to provide transparent, detailed explanations on our use of these standard analytics tools.” The company added that it “has always complied with laws that protect our customers’ privacy and, as noted in the report, we disabled the tools in question while we evaluated potential concerns. Protecting the rights and privacy of our customers is our top priority.”
Those companies aren’t the only ones tracking us. This kind of tracking happens all over the internet and on our mobile devices, and there’s very little we can do to stop it or know it’s even happening. Sites and apps do it to get analytics and for advertising, an arrangement that can be mutually beneficial to the companies that embed the trackers and the companies doing the tracking. Those trackers can be recklessly deployed, scooping up and sending off far more information than is actually needed. The Markup’s investigative series into trackers has found several examples of this in addition to the tax prep report. When a company isn’t beholden to privacy laws, it may not want to or care to put the time and effort into monitoring what it’s sending off. But there are regulations about certain kinds of data in limited circumstances. Health data is one. Tax data is another. Oops!
In their defense, the tax prep companies either said they knew about the trackers but didn’t think they violated any laws, or claimed that they didn’t know all of the data that those trackers were sharing. The new congressional report’s authors did not seem to find these excuses or justifications to be sufficient, excoriating the companies for their “complete lack of corporate responsibility and accountability” and asking the heads of the Internal Revenue Service, Federal Trade Commission, Department of Justice, and the Treasury Inspector General for Tax Administration to look into potential violations of the law in a separate letter.
Meta told Vox that it has clear policies about what advertisers should send through their pixels and that the company has tools in place to filter out sensitive information it might receive. But Meta didn’t respond to questions from the tax prep companies or the inquiry itself about what those tools specifically filter nor what data the platform received from the sites. Google also said that it has policies against using its trackers to collect identifiable information and advertising to people based on sensitive information. But the companies that use the trackers are the ones responsible for selecting what information the trackers collect, Google said.
There are a few things you can do to prevent or at least mitigate how much of your data is being shared through pixels. Google and Meta offer privacy choices that they say will stop tracking through pixels or advertising based on that data. There are web browsers built for privacy that block trackers and browser extensions that should do the same. Just know that nothing is foolproof, and companies that rely on your data to power their massive advertising businesses are going to do everything possible to get it.
Congressional inquiries like this may result in legal consequences for the companies that violate the few privacy laws we do have, but there is a large swath of companies that aren’t beholden to anything. Comprehensive privacy legislation could help here, both by creating consequences for companies that violate our privacy and giving us more rights over our data in the first place. That doesn’t look likely to happen on a federal level, despite years of effort from some lawmakers, including Sen. Wyden, one of the report’s authors.
But another solution, at least in these limited circumstances, is that taxpayers don’t have to e-file their taxes through these companies and their sites in the first place. The tax prep industry has lobbied for years to make filing for taxes a complicated process and to be the only place consumers can go to file taxes online. They even had an agreement with the IRS to offer “free” filing services as long as the government didn’t create its own system to compete with them. As a result, the report notes, 200 million Americans filed their taxes electronically last year, and a lot of them used one of the major tax prep services to do it.
That might change. The government is now developing a way to e-file taxes to the IRS directly. Warren has championed this cause, including in a bill she introduced last year, the Tax Filing Simplification Act. Assuming the IRS isn’t throwing a bunch of tracking pixels on its own website, that could go a long way to stop taxpayer data from being shared with Meta and Google — and make it easier and cheaper to file taxes in the first place.
A version of this story was also published in the Vox technology newsletter. Sign up here so you don’t miss the next one!