FTC warns tax prep companies against using trackers without consent

Julie Rubash, Chief Privacy Counsel
September 25, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


FTC Warns Use of Trackers Without Consent Could Mean Penalties

The Federal Trade Commission sent warning letters to five tax preparation companies warning that the recipients could incur civil penalties up to $50,120 per violation (i.e., per consumer) if they misuse personal data in ways counter to the original purpose for which information was collected, including through use of tracking technologies, without first obtaining consumer express consent.

Among other purposes, the FTC listed using information to advertise, sell or promote products or services as a practice that may be deceptive or unfair under the FTC Act if companies fail to first obtain affirmative express consent from consumers.


 The FTC isn’t the only entity with its eye on data collection from tax prep services.

An investigation completed by a group of federal lawmakers in July 2023 revealed that tax prep companies TaxAct, TaxSlayer and H&R Block sent taxpayer information to Meta and Google for years through installation of the Meta pixel and use of Google tools on their respective websites.

Subsequently, in August 2023, a class action was filed against Google alleging violations of federal and state wiretapping laws based on Google’s collection of sensitive financial information from the same tax filing services through use of Google Analytics and the Google Tag on the companies’ websites.

Read more:

Tax prep companies under scrutiny for use of Meta pixel

Google faces complaints for collecting sensitive information

Court Holds Cal. Age Appropriate Design Code Likely Unconstitutional

A federal judge for the Northern District of California (Case 5:22-cv-08861-BLF) granted a preliminary injunction enjoining enforcement of the California Age Appropriate Design Code (CAADC), pending disposition of a lawsuit challenging the constitutionality of the law, which was scheduled to go into effect July 1, 2024.

In granting the injunction, the judge found that the CAADC “likely violates the First Amendment” and therefore that Netchoice, the plaintiff in the case, is likely to succeed on the merits of the case seeking declaratory and injunctive relief permanently prohibiting enforcement of the CAADCA.

The court’s ruling was based on a finding that Netchoice is likely to succeed in showing that the Act’s prohibitions and mandates: (1) regulate protected speech; and (2) fail commercial speech scrutiny (requiring that the measure directly advance and be drawn to achieve a substantial government interest) and therefore are invalid.

Although the court acknowledged that the Supreme Court has repeatedly recognized a compelling interest in “protecting the physical and psychological well-being of minors”, the Court held that Netchoice in this case will likely succeed in showing that the CAADCA is poorly tailored to the State’s goal of protecting children’s well-being. 


The CAADCA, somewhat modeled after the UK Age Appropriate Design Code, was the first law of its kind introduced and passed by a U.S. state, followed by introduction of multiple “copycat” versions (with various levels of similarity) in other U.S. states.

The Northern District of California ruling in this case is not binding on similar laws in other states, but it may influence pending legislation or challenges in other states.   

Read more: California governor signs children’s privacy bill

Federal “Banning Surveillance Advertising Act” Introduced

Four federal democratic senators introduced legislation titled the “Banning Surveillance Advertising Act” that would prohibit advertisers and advertising facilitators from targeting the dissemination of an advertisement to an individual, connected device, or group of individuals or connected devices based on personal information, or knowingly enabling a third party to do so.

The Act includes exceptions for contextual advertising and targeting based on a “recognized place associated with the individual, connected device, or group of individuals or connected devices”. 

The law includes a private right of action and relief up to $1,000 per violation (i.e., per targeted ad) in the case of negligent violation or up to $5,000 per violation in the case of reckless, knowing, willful or intentional violation.


The law does not provide exceptions for consent or any other user-control mechanism or limit its restrictions to targeted advertising based on any particular type of personal information (e.g., sensitive personal information).

It would therefore be significantly more prohibitive in its application to the digital advertising ecosystem than the GDPR in Europe or any U.S. state or federal privacy law.  


UK-US Data Bridge to Come Into Force 12 October 2023

The UK Secretary of State for Science, Innovation, and Technology and the US Attorney General each took respective actions to extend to UK individuals US protections and redress mechanisms recently made available to EU individuals and to lay US adequacy regulations to enable the transfer of UK personal data to the US, beginning October 12, 2023.


This new transfer mechanism will allow US organizations to certify to the UK Extension to the EU-US DAta Privacy Framework and subsequently receive personal data from the UK without the need for further safeguards.

Notably though, such certification is not the only available mechanism for transfer.

Like in the EU, organizations can still rely on the pre-existing appropriate safeguards (e.g., the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) or the available derogations under Article 49 of the UK GDPR for international data transfers, which may also require a transfer risk assessment. 


Quebec Law 25 Transparency and Consent Requirements Take Effect

 Quebec’s Law 25which was passed in September 2021 and goes into effect in three phases (September 22 of 2022, 2023, and 2024), has reached phase two. This phase includes the bulk of the law’s substantive requirements, including those around transparency and consent. 


While Law 25 borrows several elements from GDPR and other privacy laws, it is not a copycat of any other law and contains several unique elements.

Quebec’s privacy regulator, the Commission d’accès à l’information (CAI) released a checklist of new obligations under businesses to help companies comply. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]