Blog

Tax prep companies under scrutiny for use of Meta pixel

Julie Rubash, Chief Privacy Counsel
July 17, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

United States


Tax Prep Companies Under Scrutiny for Use of Meta Pixel

An investigation completed by a group of federal lawmakers revealed that tax prep companies TaxAct, TaxSlayer and H&R Block sent taxpayer information to Meta and Google for years through installation of the Meta pixel and use of Google tools on their respective websites.

According to Senator Warren’s announcement of the investigation, the tax prep companies indicated that they installed the pixels and tools without fully understanding the extent to which they would send taxpayer data to the tech firms, which used the data for advertising purposes.

TAKEAWAY

Although U.S. law does not generally require user consent for use of trackers on a website, consent requirements do apply under certain sectoral laws and regulations.

For example, tax preparers are subject to certain treasury regulations that prohibit the disclosure of tax return information without taxpayer consent, with some limited exceptions. The lawmaker report in this circumstance alleges that the exceptions likely do not apply. 

Betterhelp FTC Order Finalized; GooDRx & Adtech push back on class action

Betterhelp FTC order finalized

The FTC announced a final order with mental health counseling service BetterHelp, based on a proposed settlement announced in March regarding the sharing of health information with social media platforms for advertising purposes.

Under the final order, among other requirements, BetterHelp will pay $7.8 million, and will be prohibited from disclosing information from or about consumers, including persistent identifiers such as cookie IDs or mobile device IDs, with third parties for targeted advertising purposes.

They will also be required to instruct that third parties who have received such information in the past without a consumer’s affirmative express consent delete such information within 90 days.  

GoodRx, Google, Meta and Criteo push back on class actions

GoodRx, Google, Meta and Criteo are reportedly asking a federal judge to dismiss a class action alleging that GoodRx wrongly shared consumer health information with the tech companies for advertising purposes.

GoodRx is reportedly arguing that the company obtained user consent to share the information in exchange for coupons and discounts.

The tech companies each made separate arguments, largely denying any intent or desire to receive sensitive health information from GoodRx.

Meta also reportedly argued that it shouldn’t be responsible for GoodRx’s misuse of a tracking technology. 

TAKEAWAY

The Betterhelp and GoodRx cases (coupled with the tax prep investigation described above) are examples of an increased focus on the use of adtech tracking technologies on websites and apps that may involve sensitive or highly regulated information. 

To learn more, watch our webinar about the crackdown on pixel tracking in the US.

Children’s Privacy Class Action Against Google & YouTube Channel Providers Gets a Green Light

A federal appellate court reportedly confirmed an earlier ruling that the federal Children’s Online Privacy Protection Act (COPPA) does not preclude a class action lawsuit filed against Google and YouTube channel providers (Hasbro, Mattel and others), which alleged certain state privacy allegations based on the tracking of children under 13.

The appellate court reportedly rejected Google’s argument that the “core of each claim” in the class action was based on COPPA, among other arguments, allowing the action to proceed. 

TAKEAWAY

 Although COPPA does not include a private right of action, this ruling confirms that COPPA does not preclude class action lawsuits based on children’s privacy allegations under state torts and common law. 

EUROPE

European Commission Releases EU-US Data Privacy Framework FAQs

Shortly after adopting an adequacy decision for an EU-US Data Privacy Framework, the European Commission published a list of FAQs providing foundational information (e.g., “What Is an adequacy decision”) as well as information specific to US government safeguards. 

TAKEAWAY

One notable takeaway is that, although US companies will be able to certify their participation in the EU-US Data Privacy Framework (as administered by the US Department of Commerce and enforced by the US Federal Trade Commission), self-certification is not the only option for US companies.

The safeguards put in place by the US Government that are the basis of the adequacy decision apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanism used.

Therefore, transfers using other mechanisms, such as standard contractual clauses or binding corporate rules, are also equally facilitated by the safeguards and acceptable means of transferring data. 

AEPD Publishes Updated Cookie Guide

The Spanish Data Protection Authority (the AEPD) published a revised version of its “Guide on the use of cookies“, which now includes updates reflecting Directives 03/2022 on deceptive patterns from the European Committee for Data Protection (CEPD).

Specifically, the updated AEPD cookie guide requires that the actions to accept or reject cookies be presented in a prominent place and format and that both actions be at the same level, without making it more complicated to reject than to accept. The guide includes both visual and descriptive examples of how the actions should appear. 

TAKEAWAY

Spain isn’t the only country to require equally prominent accept and reject actions. Whether through guidance or enforcement, several other countries (including Ireland, Italy, Finland, Denmark, France, Germany and Greece) have indicated similar requirements. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Bicameral, bipartisan discussion draft of federal privacy bill announced

April 15, 2024

If passed, the American Privacy Rights Act, a comprehensive...

CPPA issues an enforcement advisory on data minimization

April 9, 2024

Their first "enforcement advisory", reminds companies of their data...

Kentucky sends comprehensive privacy bill to governor

April 1, 2024

Kentucky's privacy bill mirrors Virginia's, is set for 2026....

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]