The Facebook Pixel and Unauthorized Use and Disclosure of Tax Return and Tax Return Information
Last week The Markup, an online investigative journalism site, published a report about the presence of a Facebook (or Meta) pixel on various tax software websites that discloses taxpayer identity and financial information, gathered in the course of preparing and filing tax returns online, to Facebook. The data includes “not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.” For example, “[o]nce a tax return was filled out on taxact.com, information including an individual’s adjusted gross income, federal refund amount, and number of dependents was sent to Meta via the Meta Pixel.” According to The Markup, the H&R Block program sent data regarding health savings account and dependent college tuition grants and expenses.
I note at the outset that the implications of this investigative report are far-reaching. Not only do tens of millions of US taxpayers use online tax preparation software each year to file their returns, but the IRS itself directs taxpayers, via Free File, to online software products implicated in the investigation. Further, the IRS provides Tax Slayer, one of the software packages embedding the pixel, to Volunteer Income Tax Assistance (VITA) sites. These latter two tax preparation services – Free File and VITA – are directed toward low income, elderly, and disabled taxpayers.
According to The Markup,
When a website uses the code, data on the visitor is sent back to Facebook and can be used by the business or organization to find an audience for its ads. Facebook also retains that data and can use it for its own advertising purposes—although it’s not always clear what those purposes are.
So now we have a new investigation that shows the Meta Pixel embedded in tax software, with evidence that return and return information has been disclosed to Facebook and can be used by the companies and Facebook for …. what and under what authorization? The words “return,” “return information,” “use,” “disclosure,” and “unauthorized” all implicate Internal Revenue Code sections 6103(c), 7216, 6713, and 7431(b). Let’s try to work through this – stick with me, it is labyrinthine.
Section 6103 and confidentiality of tax returns and return information
As anyone who works in tax should know, IRC § 6103 provides that tax returns and return information shall be confidential, and shall not be disclosed except as authorized by Title 26 (i.e., the Internal Revenue Code). “Return” and “return information” are defined very broadly, with the latter term including the taxpayer’s identity. One of the exceptions for disclosure is contained in § 6103(c), which authorizes the Secretary to prescribe regulations to allow a taxpayer to designate a third party to receive return or return information. The IRS has established fairly restrictive procedures for taxpayer consent, especially after Congress stepped in with the Taxpayer First Act and required even more protection. (You can read my legislative recommendation which was largely adopted by Congress here at page 554.) Section 2202(a) of the Taxpayer First Act amended § 6103(c) by adding the following sentence:
Persons designated by the taxpayer under this subsection to receive return information shall not use the information for any purpose other than the express purpose for which consent was granted and shall not disclose return information to any other person without the express permission of, or request by, the taxpayer.
Unauthorized use or disclosure of tax return or return information by a tax return preparer
Persons, including software packages, that assist in preparing federal tax returns receive some of the most sensitive financial information a taxpayer possesses. So what happens if a tax return preparer uses or discloses return or return information without the consent of the taxpayer? One place we can turn to is IRC § 7216, a criminal statute that demonstrates Congress’ clear concern about the potential for misuse and abuse of taxpayers’ sensitive financial information by return preparers. Section 7216 applies to
“[a]ny person who is engaged in the business of preparing, or providing services in connection with the preparation of, returns of the tax imposed by chapter 1, or any person who for compensation prepares any such return for any other person, and who knowingly or recklessly—
(2) uses any such information for any purpose other than to prepare, or assist in preparing, any such return
Section 7216 carves out some limited exceptions to this broad protection and also authorizes the Secretary to create more exceptions via regulation. Section 6713 is a parallel civil penalty, however the regulatory authority arises in the criminal statute. (In 2007, I made a legislative recommendation to Congress to move the regulatory authority into the civil section (see page 547 here), a recommendation that remains in the National Taxpayer Advocate’s Purple Book today.)
In 2005 and 2006, as National Taxpayer Advocate, I and TAS attorney-advisors worked closely with Treasury and Chief Counsel in drafting and promulgating regulations implementing § 7216. We all met with many groups representing those “engaged in the business of preparing” etc. tax returns. The final regulations were carefully crafted to ensure the greatest protection of tax return and return information while not hamstringing legitimate business practices of return preparers. We were concerned about the use of taxpayer information to sell taxpayers mortgage refinancing or various other services or products not related to tax return preparation. And what with the rise of identity theft and international hacking, we were also concerned about the increasing use of offshore preparers and the transfer of sensitive taxpayer data like social security numbers offshore. You see all of these concerns directly addressed in the final regulations.
Treasury Regulations promulgated under IRC § 7216
Treasury Regulation 301.7216-1 broadly defines a tax return preparer to include “[a]ny person who is engaged in the business of providing auxiliary services in connection with the preparation of tax returns, including a person who develops software that is used to prepare or file a tax return and any Authorized IRS e-file Provider…” [Emphasis added.]
The term “tax return information” is also defined broadly in the regulation to provide the taxpayer maximum protection. Example 1 of 301.7216-1 demonstrates the broad scope protection granted in the interaction between the return preparer and tax return information definitions. Note that under the regulation, information provided in the course of registering of one’s purchase of tax preparation software is tax return information.
Taxpayer A purchases computer software designed to assist with the preparation and filing of her income tax return. When A loads the software onto her computer, it prompts her to register her purchase of the software. In this situation, the software provider is a tax return preparer under paragraph (b)(2)(i)(B) of this section and the information that A provides to register her purchase is tax return information because she is providing it in connection with the preparation of a tax return.
Further key to our analysis of this situation is the regulation’s definition of “disclosure:”
Disclosure. The term disclosure means the act of making tax return information known to any person in any manner whatever. To the extent that a taxpayer’s use of a hyperlink results in the transmission of tax return information, this transmission of tax return information is a disclosure by the tax return preparer subject to penalty under section 7216 if not authorized by regulation.
When would a disclosure by a tax return preparer be authorized by regulation and thus not subject to criminal penalty under IRC § 7216? Regulation 301-7216-2 sets forth the instances where disclosure or use can be made by a return preparer in the course of preparing a tax return without the consent of the taxpayer. And Regulation 301-7216-3 describes when disclosure or use is permitted only with the taxpayer’s consent.
Specifically, such use or disclosure may occur only when the taxpayer has provided written consent that is knowing and voluntary. “[C]onditioning the provision of any services on the taxpayer’s furnishing consent will make the consent involuntary, and the consent will not satisfy the requirements of this section.” (There’s an exception to this rule where the preparer wants to share with another preparer for purposes of preparing the return or for ancillary services. This exception again demonstrates the effort in the regulation to allow for legitimate and reasonable tax preparation practices.)
§301.7216-3(a)(3) lays out the requirements that must be satisfied for a consent to be valid, including:
- The consent must specify the tax return information to be disclosed or used;
- The consent must identify the specific recipient or recipients to which the information will be disclosed;
- The consent must identify the particular use authorized;
- The consent must be signed and dated; and
- The consent may specify a duration but if no duration is specified, the consent is limited to one year from the date of signing.
The regulation also requires one consent document for uses, and a separate consent document for disclosure. Where such documents seek consent for multiple uses or multiple disclosures, they must list each such use or consent specifically.
With respect to the Form 1040 series of tax returns, the regulation authorizes the Secretary to issue additional guidance regarding the form of consent, which has been done in Revenue Procedure 2013-14. This notice prescribes the exact look of the consent – the format, type size, etc. both on paper and in the virtual (software) environment, requiring a single page or separate window, and requiring specific language to alert the taxpayer about the risks of consent to use and disclosure, the voluntary nature of the consent, and the duration of the consent. Further, for virtual consents, “[a]ll of the text placed by the preparer on each screen must pertain solely to the disclosure or use of tax return information authorized by the consent, except for computer navigation tools.” Finally, the Revenue Procedure requires all consents to include information about contacting the Treasury Inspector General for Tax Administration (TIGTA).
Where does the Meta Pixel fit into all this?
Given this review of the requirements of § 7216 for use and disclosure of tax return/information by tax return preparers, including tax software companies, where does the Meta pixel come in?
First of all, we know that § 7216 applies from the moment the taxpayer enters their name in to register the software – that is tax return and tax return information. Hypothetically, it seems to me an alleged § 7216 violation occurs if the Meta Pixel captures that data and sends it to Facebook before a separate pop-up screen appears requesting the taxpayer’s consent to send covered data to Facebook (the disclosure consent). A second violation allegedly occurs if the data is sent without a separate pop-up outlining how, specifically, Facebook and the tax software propose to use the data disclosed (the use consent). A further violation allegedly occurs if those consents don’t include the mandatory language. Under the regulations, none of these alleged violations can be cured by getting a consent after the disclosure or use, or adding the mandatory language later.
Tax Software companies know about § 7216 because they commented on and participated in discussions about the regulations. They have developed pop-ups to obtain taxpayer consent for various uses or disclosures, and their legal departments most assuredly have reviewed them for compliance with § 7216. But do the legal departments even know about the embedding of the Mega Pixel? The Department of Education did not know it was embedded in the FAFSA.
As noted earlier, the IRS makes Tax Slayer, one of the tax software programs implicated in The Markup’s investigation, available for free to Volunteer Income Tax Assistance sites. I think it would be really interesting to see if the IRS-provided software has the Mega pixel embedded in it, or if the pixel must be activated by each VITA site. I’ve asked folks to check with any VITA sites they work with. In fact, the privacy statement on taxslayerpro.com says:
It is interesting that TaxSlayer seems to indicate that folks have to opt in to the Facebook information sharing on their privacy page. https://www.taxslayerpro.com/company/privacy. Although opting in could be consent for privacy purposes, for 7216 purposes the consent (“share-button or interactive miniprograms”) would have to meet the requirements of 7216, be on a separate screen, and have the mandatory revenue procedure language. You can’t bury the information in a privacy statement.
So, if there is a violation of Section 7216, and tax return information has been disclosed or used by a return preparer without the taxpayer’s consent, what avenue does the taxpayer have for relief other than waiting for the Department of Justice to bring an action against the software company? Well, there is always IRC § 7431(a)(2), which authorizes a civil action for damages in the US District Court against “any person” who knowingly or by reason of negligence inspects or discloses any return or return information with respect to that taxpayer in violation of IRC § 6103.
Congress and the IRS need to act on this matter. At the very least, the IRS should prohibit all who are considered a “tax return preparer” under IRC § 7216 from requiring mandatory arbitration with respect to any claim that may be brought pursuant to IRC § 7431(a)(2). Taxpayers should not be forced to give up important taxpayer rights protections and remedies just for the privilege of preparing and filing their taxes.
And certainly TIGTA and the Department of Justice should be investigating what happened here, including the IRS’s apparently lax oversight of tax preparation software companies’ use of the pixel.
Stay tuned. This is clearly a developing story. We at PT will be following it closely.