Trade Law Daily is a Warren News publication.
Efforts 'Seriously Lacking'

Meta's Capture of Online Tax Return Data a Big Privacy Breach: Suit

Online tax filing services H&R Block, TaxSlayer and TaxAct “secretly deployed” Meta's Pixel code, which intercepted and collected an Erie County, New York, man’s private, sensitive and confidential financial information, alleged a Friday privacy class action (docket 3:23-cv-00735) in U.S. District Court for Northern California in San Francisco.

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

Plaintiff C.P. didn't consent to the disclosure of his private, confidential tax return and financial information by the services, except to the IRS, said the complaint, alleging Meta violated state and federal wiretapping laws. That included a California law that makes it unlawful to intercept or record confidential communications without authorization, including the use or transfer of confidential tax return information.

Meta’s alleged interception and transmission of plaintiff’s tax return information violated 28 USC section 7216 that says a crime is committed whenever any business that prepares or provides services in connection with federal tax preparation discloses any information furnished to him about preparation of the return -- “or for any purpose other than to prepare” or assist in preparing a return.

Facebook users are required to agree to Meta’s terms of service and data policy via a checkbox on the signup page, the complaint said. Meta’s Data Policy “requires” businesses using its Pixel tracking code “to have lawful rights to collect, use and share your data before providing any data to [Facebook],” said the complaint. By claiming it’s against Meta’s policies for websites and apps to send “sensitive information about people” via Meta’s business tools, consumers are assured Meta will filter out sensitive data it collects, the complaint said, citing the ad policy: “[We] do not use sensitive personal data for ad targeting.”

In truth, alleged the complaint, Meta doesn't “require” financial service providers to have lawful rights to share tax data with their websites and online portals before sending it to Facebook. Meta instead creates an “honor system"; by using Facebook Business Tools, the publisher represents it provided “robust and sufficient prominent notice to users” about Business Tools data collection and sharing usage, it said.

The Pixel tracking tool, contrary to Meta’s promises, is made available to any publisher, for free, regardless of its privacy policies or the nature of its business, alleged the complaint. Financial service providers and online tax preparers are “encouraged” by Meta to use the Pixel for their marketing campaigns, the complaint said.

Though Facebook’s tools purport to prohibit app developers and third parties from sending financial information, Facebook representatives admitted to the New York State Department of Financial Services (NYDFS) that it “routinely obtains sensitive data from app developers in violation of its own policy,” the complaint said. NYDFS noted Facebook “does little” to check whether app developers violate privacy rules, and its efforts to take action against those that do were “seriously lacking.”

Interception and collection of information from the Facebook Pixel occurs “regardless of whether users are logged in to Facebook.com, and irrespective of whether the user has even registered for a Facebook account,” the complaint alleged. “Meta intercepts and collects the information, analyzes it, and then assimilates it into databases.” Meta can populate the data with information from multiple sources, allowing it to combine, for example, “the taxpayer data identified herein with additional data such as a user’s real name, their location …and device identifiers of their computers and cellular phones,” it said.

The plaintiff claims invasion of privacy, three violations of the Electronic Communications Privacy Act, violation of the California Invasion of Privacy Act and the California Unfair Competition Law, the New York Deceptive and Unfair Trade Practices Act and unjust enrichment. It seeks compensatory and actual damages trebled in an amount exceeding $5 million. It also seeks relief for the plaintiff and class, including actual, nominal, statutory and punitive damages, civil penalties, declaratory and equitable relief, legal costs and an injunction enjoining Meta from engaging in wrongful acts.