Popular tax prep software including TaxAct, TaxSlayer and H&R Block sent sensitive financial information to Facebook parent company Meta through its widespread code, known as a pixel, that helps developers track user activity on their sites, an investigation by The Markup found.
In a report published with The Verge on Tuesday, the outlet found Meta pixel trackers in the software sent information like names, email addresses, income information and refund amounts to Meta, violating its policies. The Markup also found that TaxAct had transmitted similar financial information to Google via its analytics tool, though that data did not include names.
As CNBC explained in 2018, Meta uses tiny pixels that publishers and businesses embed on their websites. The dots send a message back to Facebook when you visit. And it allows companies to target ads to people based on sites they previously visited.
The report said Facebook could use the information from the tax websites to power its advertising algorithms, even if someone using the tax service doesn’t have a Facebook account. It’s yet another example of how Facebook’s tools can be used to track people around the web, even if users don’t know it.
Some statements provided to The Markup suggest it may have been a mistake.
A spokesperson for Ramsey Solutions, a financial advice and software company that uses a version of TaxSlayer, told The Markup that it did “NOT know and were never notified that personal tax information was being collected by Facebook from the Pixel,” and that the company informed TaxSlayer to deactivate the Pixel tracking from SmartTax.
An H&R Block spokesperson said the company takes “protecting our clients’ privacy very seriously, and we are taking steps to mitigate the sharing of client information via pixels.”
The Markup discovered the data trail through a project earlier this year with Mozilla Rally called “Pixel Hunt,” where participants installed a browser extension that sent the group a copy of data shared with Meta through its pixel.
“Advertisers should not send sensitive information about people through our Business Tools,” a Meta spokesperson told CNBC in a statement. “Doing so is against our policies and we educate advertisers on properly setting up Business tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect.”
Meta considers potentially sensitive information to include information about income, loan amounts and debt status.
“Any data in Google Analytics is obfuscated, meaning it is not tied back to an individual and our policies prohibit customers from sending us data that could be used to identify a user,” a Google spokesperson told CNBC. “Additionally, Google has strict policies against advertising to people based on sensitive information.”
Representatives for TaxSlayer and TaxAct did not immediately respond to CNBC’s request for comment.
Read the full report on The Verge.