The tax prep companies share your data with Google and Facebook

Tax prep companies are often in the news for their peculiar ability to prevent the IRS promoting the same convenient, free online tax filing services enjoyed in other countries. Today they're in the news because they share your personal data with Google and Meta, the company formerly known as Facebook, without your permission. It is a "five-alarm fire for taxpayer privacy," reports CNN.

Beyond ordinary personal data such as people's names, phone numbers and email addresses, the list of information shared also included taxpayer data — details about people's filing status, adjusted gross income, the size of their tax refunds and even information about the buttons and text fields they clicked on while filling out their tax forms, which could reveal what tax breaks they may have claimed or which government programs they use, according to the report.

The report, which drew on congressional interviews and written testimony from Meta, Google and the tax-prep companies, also found that every taxpayer who used TaxAct's IRS Free File service while the tracking was enabled would have had their information shared with the tech companies. Some of the tax-prep companies still do not know whether the data they shared continues to be held by the tech platforms, the report said.

"On a scale from one to 10, this is a 15," said David Vladeck, a law professor at Georgetown University and a former consumer protection chief at the Federal Trade Commission, the country's top privacy watchdog. "This is as great as any privacy breach that I've seen

Here's the congressional report [PDF], from the offices of Sens. Warren, Wyden, Sanders, Blumenthal and others.

Once we decided we were OK with "tax prep companies are hard-to-avoid gatekeepers between taxpayers and the IRS" it was inevitable this would proceed to them spilling the data to big tech and PII brokers–and whatever else they do we don't yet know about. They've already captured the regulators, they know that there's nothing legal anyone can do about it, so why wouldn't they?

One excuse is going to be something like "we didn't know what Google Analytics and Social Media logins do" but they did.