TaxAct, a popular tax preparation software, shared sensitive tax filing data with Meta Platforms (formerly Facebook) and Google without users’ knowledge or consent between January 2018 and December 2022. The company embedded tracking pixels—invisible code snippets—into its tax preparation platform that transmitted personal financial information including income, Social Security numbers, and investment holdings to these advertising companies whenever users filed their federal tax returns. This practice violated user privacy expectations and federal privacy laws, leading to a $23 million settlement approved in November 2024. When a TaxAct user filed their 2020 tax return online, for example, details about their income bracket and filing status were quietly funneled to Meta’s servers through these tracking tools.
The user had no way to know this was happening—there was no consent checkbox, no disclosure, and no opt-out option. TaxAct collected this data from approximately 9.3 million users, making it one of the largest unauthorized data-sharing scandals in the tax preparation industry. The settlement represents a significant moment in the conversation about data privacy in financial software. While the monetary recovery is modest on a per-person basis, the legal ruling establishes that even when users voluntarily use a service, companies cannot secretly export their sensitive financial data to third parties for advertising purposes.
Table of Contents
- How Did TaxAct Share Data Without User Knowledge?
- What Personal Information Was Exposed?
- Who Was Eligible to File a Claim in This Settlement?
- What Are Claimants Receiving From the Settlement?
- What Are the Major Limitations of This Settlement?
- How Did This Data Sharing Scandal Come to Light?
- What Does This Mean for Tax Software Privacy Going Forward?
- Conclusion
How Did TaxAct Share Data Without User Knowledge?
TaxAct inserted tracking pixels from Meta and google into its online tax filing platform—specifically on the pages where users submitted their Form 1040 federal tax returns. These pixels are tiny, invisible pieces of code embedded in a website that send data back to the advertising platforms whenever certain actions occur. In TaxAct’s case, the pixels activated when users completed their tax returns, transmitting financial information in real time without any notification to the filer. The mechanism resembles how social media platforms track website visitors across the internet, except in this case the sensitive data being tracked was tax return information. Google’s DoubleClick advertising network also received similar data through comparable tracking methods.
A user filing a return in April 2019, for instance, would have had their income level, filing status, dependent information, and other personal details transmitted to these third-party advertising networks before they even clicked the final “submit” button. This happened across all Form 1040 filings on TaxAct’s platform—affecting self-employed individuals, employees, investors, and retirees alike. The troubling aspect of this practice is that it wasn’t accidental or a minor security breach. TaxAct deliberately implemented these tracking pixels as part of what it claimed was market research or analytics, yet failed to disclose this practice in any meaningful way to its users. The company collected financial data from January 2018 through December 2022—a full four years of undisclosed tracking.
What Personal Information Was Exposed?
The data transmitted included some of the most sensitive personal and financial information individuals possess. User income figures, Social Security numbers, investment holdings, and tax filing details flowed to Meta and Google without consent. This level of data is worth far more to advertisers and data brokers than basic browsing history, as it provides a complete snapshot of someone’s financial situation. The risk of this exposure extends beyond advertising. Once financial data reaches large tech platforms, it can be combined with other data sources to create detailed profiles that may be sold, hacked, or misused.
A person whose investment portfolio details were shared with Google could receive targeted advertisements for speculative investment products. Someone whose income and dependent information was shared with Meta could face targeted scams or become attractive to identity thieves who now know they have valuable financial assets to steal. One significant limitation of the settlement is that it cannot reverse the data transmission that already occurred. Class members cannot know with certainty whether their information was resold, accessed by bad actors, or permanently retained by Meta and Google. The settlement includes no audits or transparency reports showing what these companies did with the data they received, and it includes no provisions requiring deletion of the information already shared.
Who Was Eligible to File a Claim in This Settlement?
The settlement covers all users who filed federal Form 1040 tax returns using TaxAct’s online do-it-yourself product anytime between January 1, 2018, and December 31, 2022. This includes millions of taxpayers across the United States, though the actual number of claims filed fell well below projections. The claims deadline was September 11, 2024, which has now passed as of June 2026, meaning individuals can no longer submit new claims in this particular settlement. To qualify, you needed to be a TaxAct user who used the company’s online do-it-yourself tax preparation tool during the qualifying period.
Business filers using different TaxAct products, individuals who used tax preparation at tax professional offices, and those who filed returns in years outside the 2018-2022 window were not eligible. California residents and those who filed joint returns received slightly higher individual payouts due to factors considered during settlement distribution. An important caveat: if you didn’t submit a claim by the September 11, 2024 deadline, you forfeited your right to compensation from this settlement. No late claims are being accepted, and the settlement administrator is not required to contact eligible claimants proactively. Many eligible taxpayers never learned about the settlement and missed the deadline entirely, leaving compensation unclaimed.
What Are Claimants Receiving From the Settlement?
The $23 million settlement was divided into two parts: $14.95 million is designated as the class pool for eligible claimants who filed valid claims, with the remainder going to plaintiff attorneys’ fees, settlement administration costs, and other expenses. The per-person payout amount is approximately $18.65 for each eligible claimant, though this varies depending on the total number of approved claims and other distribution factors. This payment structure highlights a key limitation of large privacy settlements. While $23 million sounds substantial in headlines, when divided among millions of affected users, the individual compensation is modest—less than the cost of a month’s streaming service for most people.
Some claimants who took the time to research and file claims received payments ranging from $15 to $25, depending on various claim calculation factors. In contrast, TaxAct’s parent company avoided potential liability in the tens of millions or more by settling before trial. As an additional benefit, eligible claimants who filed claims receive complimentary access to TaxAct’s Xpert Assist services if they use the Form 1040 product for their 2024 tax return preparation. This benefit attempts to provide ongoing value, though it’s worth noting that Xpert Assist helps complete the same tax return process during which users’ data was previously shared without consent.
What Are the Major Limitations of This Settlement?
While the settlement represents acknowledgment of wrongdoing, it contains several substantial limitations that reduce its actual protective value. First, settling the case does not require TaxAct or its parent company to admit to wrongdoing. Companies agree to “neither admit nor deny” allegations—a legal phrasing that allows them to claim victory while still paying compensation. Second, the settlement does not include an injunction preventing similar future practices with other tax software companies or in other service categories. Additionally, the settlement lacks transparency mechanisms. There are no requirements that Meta, Google, or TaxAct disclose what happened to the data after it was received, whether it was retained, sold, or how long it was stored.
No audit firm was required to verify deletion or restriction of the information. Users have no way to know if their financial data remains in marketing databases or has been resold multiple times. The settlement essentially trades compensation for silence—class members receive modest payments in exchange for the company’s legal immunity from future liability on this issue. Another critical limitation: the settlement applies only to the specific claim that tracking pixels were improperly used on the Form 1040 pages. If investigation reveals that TaxAct shared data through other methods or with other companies not named in the settlement, those claims cannot be brought against TaxAct in the future because class members who cashed settlement checks gave up their right to sue over this data sharing incident. This is a standard feature of class action settlements, but it’s worth understanding: taking the $18.65 closes your legal options against TaxAct related to this incident.
How Did This Data Sharing Scandal Come to Light?
The data sharing practices came to public attention when lawmakers and privacy researchers began investigating how sensitive financial information was flowing from tax preparation platforms to advertising networks. Congressional investigations and whistleblower reports revealed that multiple tax software companies—not just TaxAct, but also H&R Block and TurboTax—had engaged in similar tracking practices. These revelations prompted regulatory scrutiny and ultimately led to this settlement.
The public disclosure created significant reputational damage to TaxAct and raised broader questions about privacy practices in financial software. Users discovered they had been treated as data sources rather than customers entitled to privacy protections. The incident demonstrated how even carefully controlled financial transactions—tax return preparation—could be monetized through data sharing without user awareness, and it contributed to growing momentum for stronger federal privacy legislation in the United States.
What Does This Mean for Tax Software Privacy Going Forward?
The TaxAct settlement sends a message to the tax software industry that undisclosed data sharing with advertising platforms carries financial consequences. However, it doesn’t mandate industry-wide changes or establish new privacy requirements that wouldn’t already exist under federal law. Future tax software companies remain technically able to implement tracking pixels, provided they disclose the practice clearly to users and obtain genuine consent.
Looking ahead, the real question is whether settlements like this one will accumulate into sufficient pressure for congressional action on comprehensive consumer privacy legislation. Currently, the United States lacks a federal law comparable to Europe’s GDPR that would explicitly restrict how financial data can be shared with third parties. The TaxAct settlement indicates that existing state and federal consumer protection laws can be enforced against tech companies and financial service providers, but the patchwork of legal frameworks leaves substantial room for similar practices to continue unless users actively choose tax software providers with transparent privacy policies.
Conclusion
The TaxAct Privacy Class Action settlement represents a $23 million acknowledgment that sharing tax filers’ personal financial information with Meta and Google without consent violated user privacy rights. Between 2018 and 2022, TaxAct transmitted income, Social Security numbers, and investment data from approximately 9.3 million users to advertising platforms through invisible tracking pixels, and eligible claimants who filed their claims before the September 11, 2024 deadline are receiving modest compensation of approximately $18.65 per person.
However, the settlement contains meaningful limitations: it includes no requirements for TaxAct to admit wrongdoing, no mandates to prevent similar future practices, and no transparency about what happened to the shared data. If you were a TaxAct user during the qualifying period and missed the claims deadline, your opportunity to receive compensation from this settlement has passed. Going forward, the most practical protection is to carefully review privacy policies before using any tax preparation software and to choose providers that clearly disclose and limit data sharing practices with third parties.