Menu
Tax Notes logo

The Emerging Taxpayer Data Protection Problem

Posted on July 12, 2021

Taxpayers who want to opt out of the 2021 advance child tax credit payments — and later this year, those who want to update their information with the IRS so that the payments are accurate and delivered to the correct address — are directed to an identity verification process that uses facial recognition technology. Nonfilers who must submit their information to the IRS to receive the advance payments use the same process.

The company ID.me Inc. provides that service. The IRS is using it to help prevent fraud and protect taxpayer data, both critical objectives in administering the tax system in general and the advance child tax credit in particular.

However, the privacy policy the IRS appears to have agreed to on behalf of taxpayers who must use the portal is broad enough to allow ID.me to collect — and disclose — some types of data from taxpayers unrelated to the identity verification process and for other purposes. Taxpayers have little alternative to using ID.me’s services, so the general privacy policy the company offers to users who visit its site through nongovernmental channels seems inappropriate in the context of confirming taxpayers’ identities to administer the advance child tax credit.

The question here will likely recur for the IRS. The ID.me privacy policy presents a case study, but other situations will likely arise in which the privacy interests of taxpayers should be protected when the IRS uses an online service provided by an outside company. To continue its long practice of being a good custodian of taxpayer information, the IRS should ensure that under agreements with service providers, the providers don’t use or have the option to use any taxpayer data for purposes outside the administrative or security services they’re providing to the government.

Most of the information collected from taxpayers as part of the identity verification process won’t be disclosed, according to ID.me’s policy. The policy explains that information identifying a specific individual, including the photographic images and selfies that users must submit, won’t be shared, sold, rented, or traded and will be used only to verify identity.

But the privacy policy for taxpayers preparing to enter their information into the portal also says that ID.me “may disclose or share Non-Personally Identifiable Information with Third-Party Service Providers and Affiliates.” It defines non-personally identifiable information as information that doesn’t identify a specific user and that “may include things like the Uniform Resource Locator (‘URL’) of the website you visited before coming to the Website, the URL of the website you visit after leaving the Website, the type of browser you are using, your Internet Protocol (‘IP’) address, occupation, language, unique device identifier, approximate geographic location, and time zone.”

Nothing on that nonexclusive list is taxpayer return information subject to the confidentiality requirements of section 6103, and ID.me’s privacy policy suggests that it would aggregate demographic information if it were to share non-personally identifiable information. It also could be some of the most mundane sort of information about taxpayers — whether you checked your email, shopped online for shoes, or read the newspaper after signing off the identity verification website, for example.

The provision of the privacy policy on release of non-personally identifiable information says that “we also use Third-Party Service Providers to track and analyze Non-Personally Identifiable usage and volume statistical information from our Users to administer our Website and constantly improve its quality. We may also publish this information for promotional purposes or as a representative audience for Advertisers.” That language raises the important question whether taxpayers may have no choice but to become part of the audience of a company providing a service to the government. 

Taxpayers have little choice about whether to let ID.me have that information, or to allow the company to potentially use it, if they must use the portal. The IRS uses ID.me to corroborate taxpayers’ identities to ensure that advance payments are delivered to the taxpayers entitled to them and no one else. Only that use of any type of information from taxpayers should be permitted.

Taxpayers who waited until the last minute to unenroll from the advance child tax credit payments starting on July 15 had an unexpected alternative to using the ID.me process. On June 28, the deadline for taxpayers who wished to unenroll before the first advance payment, the IRS posted to its website a note informing taxpayers that “if you don’t have internet access or can’t use the online tool, you can unenroll by contacting the IRS at the phone number on your Advance Child Tax Credit Outreach Letter you should have received from the IRS in June.” That limited alternative was offered a little late, since the portals were launched on June 22.

Taxpayers Should Be Different

Unlike many other online services that allow individuals a genuine choice whether to let the service provider have their information by deciding not to use the service in exchange for their data, taxpayers have no alternative — at least not most of them and not yet. Until the call-in option for opting out was made available on June 28, taxpayers had no alternate method to verify their identities for the advance child tax credit if they didn’t already have an established IRS username for access to some other IRS.gov application. Taxpayers who already have an IRS username include those who have identity protection personal identification numbers. New users are directed from the IRS website to create accounts with ID.me.

The IRS could make available another alternative method for identity verification, and that could be done before most taxpayers have an occasion to sign up with ID.me. Many taxpayers probably won’t choose to opt out of advance payments or otherwise need to provide new information beyond what was included on their 2020 tax returns to the IRS before the end of this year. As time goes on, however, taxpayers who receive the child tax credit who need to change their information on file with the IRS — because they moved or opened a new bank account, for instance — may have no choice.

Privacy Policy Questions

ID.me started about 10 years ago as TroopSwap.com, a daily deal site for military members, veterans, and their families that also verified military affiliation as part of its business model. The terms of the current privacy policy look like they could be a holdover from that business. Its target market appears to have been modified over the years, and ID.me’s founder and CEO described his aspirations for the company recently as similar to Visa Inc.’s electronic funds transfer business, but for personal identities.

The CEO explained the business as a way to reduce friction in logins: “If we already know that you are you, or if we already have other credentials — like you’re a medical provider — here’s all the applications that accept ID.me for login. And you can just open up those applications without being challenged for your password or for identity verification because you’ve already done that. And when you do that, you can save people so much time and money.”

ID.me hasn’t reached the same level of market saturation that Visa has in the United States, so many taxpayers who claim the child tax credit probably don’t already use the company’s services. In late March, ID.me said it had 39 million users, with more than 70,000 new users signing up each day.

ID.me might not do anything with the non-personally identifiable information that it collects from taxpayers using the portal. The privacy policy says that “depending on a User’s particular interaction with us (e.g., Users who solely navigate the Website versus Users who create an account and use the ID.me Service at Third-Party Websites), different portions of this policy may apply to Users at different times.” That leaves open the possibility that the company applies different standards to individuals who come to its website to submit information to a governmental entity and those who come for commercial reasons.

There should be no question whether information from taxpayers might be used for any reason other than providing the identity verification service that the IRS needs to administer the tax law. Perhaps the best solution is to have a completely separate privacy policy for taxpayers and nonfilers using ID.me — and, in the future, any other service — that is more stringent about what the company can collect and use than the policy that applies to individuals who choose to use ID.me’s services for purposes other than interacting with the government.

Short Road to Credit Implementation

It is important to remember that the IRS has had only four months since the enactment of the American Rescue Plan Act of 2021 (P.L. 117-2) to figure out how to verify taxpayer identities and start delivering the advance payments. The agency has clearly been moving at lightning speed to meet the July 15 start date. IRS employees have been working hard to ensure that the 2021 advance child tax credit program is implemented successfully.

The details of the IRS’s agreement with ID.me regarding the identity verification service used to help insure the advance child tax credit payments program against fraud are not yet available. The privacy policy linked from the sign-up page that taxpayers see when they follow the link from the IRS’s website to ID.me’s site may be altered by the IRS’s agreement with the company. But if that’s the case, taxpayers should be informed of those terms, not the general privacy policy.

The IRS has worked with ID.me in the past to obtain identity verification services, so it’s reasonable that it would turn to a previously established business relationship for help with the rapid implementation of the advance child tax credit program. In 2017 the IRS had a pilot program with ID.me to verify information provided by taxpayers who had received a 5071C letter. Government records show that ID.me has had agreements with other administrative agencies, and it’s also recently done identity verification work for states, particularly for unemployment benefits. In June the IRS entered a contract for “ID.me software and software maintenance” for $86 million.

Options for Taxpayers

Until there’s another alternative or a change in the policy, taxpayers have a few choices. First, taxpayers who are eligible for the child tax credit and have filed returns in 2019 or 2020 can choose to not opt out. That might necessitate repaying a portion of the advance payments next year, because unless a taxpayer’s income is below the safe harbor thresholds of $60,000 for a joint return, $50,000 for head of household, and $40,000 for individuals, any advance payments over the amount of the child tax credit that the taxpayer is entitled to must be repaid. Or taxpayers can call the IRS, as announced on June 28. That option doesn’t exist for nonfilers who would like to receive advance payments. It’s unclear if there will be other ways for nonfilers to verify their identity by the filing season in 2022.

Second, although ID.me’s privacy policy doesn’t appear to offer a way to opt out of the collection of non-personally identifiable information, it indicates that users who want to opt out of targeted advertising should visit a particular website that facilitates doing so.

Facebook users might also want to log out of Facebook before logging into ID.me, or not use the option to sign into ID.me using Facebook, because the ID.me privacy policy also says that “if you are logged into ID.me and Facebook, when you click on ‘Connect with Facebook’ your profiles will merge if the email addresses match.” For Facebook Connect users, the policy explains that “depending on the privacy settings that the User has set on his or her Facebook account, the User will be granting us access to the information accessible via that Facebook Account and we will access, make available and store (if applicable and as permitted by Facebook and authorized by the User via his or her Facebook account setting) that information so that it is available on and through the User’s Account on the Website.”

The same provision entitles the company to obtain information about the user’s Facebook “‘friends’ or people with whom the User is associated via the Facebook account,” depending on their privacy settings. Taxpayers can disable Facebook Connect through their profiles in Facebook.

The IRS has a long history of dedication to protecting taxpayers’ information. Consistent with that long-standing practice, it should make clear that an outside service provider collecting any information from taxpayers must use that information only to provide the service requested by the IRS and for no other reason.

Copy RID