With the recent news of data leaks from some of the country’s best-known online tax preparation software providers, tax preparers can expect questions from their clients about what happened and what steps are being taken to protect their sensitive tax information. Preparers also must be ready to answer questions from clients who used the affected software in the past or are concerned about friends and family members who use the software. To help you answer your clients’ questions, we have prepared the following list of answers to frequently asked questions (FAQs) you may get from clients.
Is my tax information safe?
The good news for tax pros is that there is nothing in the reports to indicate that professional tax preparation software has been leaking data. The data leaks appear to be confined to the consumer-facing web pages of tax preparation providers that use the pages for data entry purposes. However, if your client has used an online tax preparation provider in the past, it is possible that data has been leaked. Some of the tax prep companies involved have admitted that their sites have compromised taxpayer privacy “for at least a couple of years.”
Which online tax prep companies are involved?
Reports allege that TaxSlayer, H&R Block and TaxAct were sharing sensitive taxpayer data with Meta (Facebook’s parent company) and Google. While TaxAct provides a software product for professionals, TaxAct Professional has not been mentioned in any reports of shared data. This is likely because it is a downloaded product that does not rely on a website interface to collect taxpayer information.
What about TurboTax?
While TurboTax has been found to have shared some taxpayer information with Meta, reports have specified that it did not send taxpayers’ financial information. Initial reports on the issue said Meta was only sent usernames and the last time a device was signed in. In some cases, order ID numbers and user email addresses were also collected. TurboTax has not been included in subsequent investigations focusing on the sharing of taxpayers’ sensitive financial information.
Why is this in the news now?
In November 2022, The Verge and The Markup co-published a report stating that H&R Block, TaxAct and TaxSlayer were transmitting personal identifying and financial information to Meta and financial information to Google. Those reports motivated a group of Democratic U.S. senators to conduct their own investigation. They released the results of that investigation in a July 12 report: Attacks on Tax Privacy: How the Tax Prep Industry Enabled Meta to Harvest Millions of Taxpayers’ Sensitive Data. The Senate report received a great deal of news coverage and found the information sharing was worse than had initially been reported.
The Senate report also took the additional step of labeling the actions of the tax prep companies as “shockingly careless” and called on the IRS, Federal Trade Commission (FTC) and the Department of Justice to investigate the possible violation of taxpayer privacy laws.
How did the leaks happen?
The websites of the tax prep companies included computer code known as “pixels,” which sends data to Meta and Google. While the tax prep companies have claimed that it is standard practice for web pages to include pixels, the Senate report noted that they took no steps to ensure that pixels did not share sensitive taxpayer information. One tax prep company admitted using a dozen pixels on its website and that they shared the data of millions of taxpayers.
At the request of the senators, TaxAct, H&R Block and TaxSlayer disclosed the taxpayer data that had been shared with Meta and Google. All three companies claimed the data had been sent anonymously. The senators found that the Meta pixel associated with TaxAct had collected far more information than had previously been reported, including taxpayers’:
- Filing status
- Adjusted gross income (AGI)
- Refund amount
- Names of dependents
- Approximate federal tax owed
- Navigation buttons pushed by the taxpayer
- Name, email address, country, state, city, phone number and gender as hashed values (a method of anonymizing information)
The Meta pixels used by H&R Block and TaxAct transmitted information about web pages visited by taxpayers, including some that reveal a taxpayer’s tax situation, such as pages for dependents, specific tax credits and various deductions.
Was shared taxpayer information really anonymous?
While all three tax prep companies maintained that the identity of each taxpayer from whom information was collected has remained anonymous, some experts have disagreed with that assertion. For example, the FTC and other experts have pointed out that the collected information could easily be used to identify specific individuals or to create a dossier on them that could be used for targeted advertising or other purposes. Additionally, Meta has admitted to using pixel information in targeted advertising campaigns and to train its artificial intelligence (AI).
Has the shared taxpayer information been used for illegal or criminal purposes?
While the Senate report noted that the tax prep companies may have violated taxpayer privacy laws in sharing the collected information, there have been no reports of the information being used for criminal or other illegal purposes.
What are you doing to protect client information?
This question offers tax professionals the opportunity to point out that there have been no reports of professional tax software sharing sensitive tax information and to explain the steps your firm takes to protect the privacy of its clients. This question also presents an opportunity to explain to the client that your firm is required to implement a data security plan to comply with the FTC’s safeguard rules.
If you do not have a current written information security plan, NATP offers an online training with actionable items so you can walk away with a fully developed plan.
Information included in this article is accurate as of the publish date. This post is not reflective of tax law changes or IRS guidance that may have occurred after the date of publishing.