A congressional investigation released earlier in 2023 has led to a class action lawsuit being filed in the Northern District of California against H&R Block, Google and Meta related to an agreement between the three to include tracking software / tracking cookies in H&R Block’s tax filing software to share customer information with Google and Meta to aid targeted advertising. The case, Hunt vs. Meta, Google, Alphabet, H&R Block was filed on behalf of Justin Hunt, an H&R Block user between 2018 and 2023.
Besides two RICO charges, the indictment also includes an IRS tax code violation, a federal wiretapping violation (for electronic capture of private data), and a state violation of California Invasion of Privacy Act (CIPA).
The mechanism described in the suit has been in place since 2015. Whether using H&R Blocks app or their web site, H&R Block provided name, filing status, federal taxes owed and number of dependents correlated to unique identifiers in the app or tracking cookie that Google and Meta could use to correlate to their tracking mechanisms, essentially mapping that private data to a vast amount of other surfing behavior.
The essence of the suit is that that information submitted by users is considered Tax Return Information (TRI) which subjects tax preparers to specific IRS rules for protection of that information and a requirement to obtain consent before sharing that information. Mapping that TRI data to tracking mechanisms – even if claims are made that they “anonymized” the data – constitutes “disclosure” under IRS rules and the software did not collect consent from users.
Section VIII of the lawsuit is particularly damning.
Although Meta’s policies make the representation that Meta seeks to prevent companies such as H&R Block from sending sensitive data to Meta, Meta does not enforce these policies, as the receipt of such data is highly valuable to Meta. Meta takes no steps to ensure that consent has been obtained from taxpayers before it receives their sensitive data. Instead, Meta makes its Pixel available to any company regardless of the companies’ privacy policies or consent requirements.48
Meta does not require developers such as H&R Block to read or sign any authorizations or acknowledgments regarding privacy prior to allowing them to install the Meta Pixel on their websites.
Meta also makes public statements that it attempts to filter sensitive information in order to create a false sense of security for consumers and developers, but Meta’s filtering system does not filter for TRI.49
Meta even misrepresented to Congress that it provided notifications to tax preparers such as H&R Block that it was receiving sensitive TRI data a few weeks prior to the public release of a report on TRI mishandling written by the nonprofit journalism outfit, The Markup.50 However, when asked by Congress to produce those notifications, Meta failed to produce any proof of their existence.51
One has to ponder how many other examples of blatant market abuse would be turned up if the federal government had even fifty percent of the funding required to truly enforce antitrust laws. Of course, that would require majority support from Congress for pushing DOJ to actually do something with the inevitable results from those investigations.
Very interesting the data on who and how people are targeted can be sorted out by the government. Or the government can get a warrant and see? I think the former. Kind of a surprise but it should not be.
@WatchingTheHerd I was shocked to read this since I have used H&R Block tax software for many years. This is software downloaded onto my hard drive via Amazon.com. I file the old-fashioned way, with mailed-in paper, not electronically.
Please help me understand. You wrote, “Whether using H&R Blocks app or their web site, H&R Block provided name, filing status, federal taxes owed and number of dependents…” Would they be able to access my information since I file on paper?
The sense I get from reading the complaint is that the capture mechanism was implemented on their web portal based tool and their “app.” Nowadays, “app” is usually a reference to an application running on a smart phone or tablet operating system (Android or iOS). If you download an “application” that runs on a Windows or MacOS PC, it isn’t clear if that was involved.
Could PC-app entered data be involved with this behavior? Dunno. Normally, if you visit www.companya.com and www.companyb.com, each site can only read / write cookies within your browser to their individual “space” as keyed by the site’s DNS name. That doesn’t prevent CompanyA and CompanyB from sharing with each other your data though. Each can combine the real data (name / filing status / tax owed / dependents), attach it to a long random “hash string” then share that combination with CompanyB who has similar data on you tied to their own random hash string. But what if your name is Jim Smith? There are thousands with that name. How good can the match be? They also have IP address and date/time information on where you browsed. If both have a record for “Jim Smith” that surfed from 164.82.99.41 at 17:49:52 GMT, those two “Jim Smiths” are probably the SAME Jim Smith.
This type of data sharing would normally involve a browser-based encoding which would allow it to be joined with other cookie data Meta and Google had dropped to allow it to be used in targeting ads (“Congrats on your $2000 tax return, interested in a new Ford F-150?” LOL). If you used an application running at the Windows OS or MacOS layer (NOT inside a browser), it would normally be the case that other apps could not read or write cookie data into the browser’s cache to allow the cross-correlation. But all things are possible with software and the right (wrong?) intent. The full-blown application could have executed a POST of the desired data in the background directly to a web service at HRBlock without your browser running and still tied it to your IP address.
If you go back to the PC you used to prepare the return and find a dedicated folder in your “C:\Program Files” folder or Mac equivalent that says HRBlock or something similar, chances are that is a true standalone OS level application binary and they might not have shared your data. If you find nothing like that left on your PC, the “app” you used might have been downloaded from their web site to run as a Java (or JavaScript) app within the browser using this data collection scheme.
I read most of the complaint, and it was not totally clear to me whether the downloaded executable was involved in this data sharing issue. It seems that it was omitted from references to the “app” or “web site” - therefore, hard to tell.
I have been downloading and using H&R Block tax software since 2014 - ever since I switched from being a loyal TurboTax user from way back in 1990.