H&R Block’s 2013 PRIVACY NOTICE FOR H&R BLOCK AT HOME WEB-BASED TAX SERVICES AND SOFTWARE is written to give the impression that it promises a lot more than it does. (In my opinion TurboTax is even worse.)
H&R Block is a tax preparation firm. If you use their software, then typically they get to see all of your tax information, which is more than most people tell their friends. If you file your tax return through them then they are required to store your forms in case the IRS wants to see them again. So their privacy policy is a big deal. What else can they do with your info?
By the way, the full text makes it clear that “web-based tax services and software” doesn’t mean “web-based tax services and web-based software” but “web-based tax services and software tax services”. What an odd way to word the title. Clarity is not what they’re after. (Also see how they call it a “notice” instead of a “policy”. Responsibility is not what they’re after either.)
To make my point I have to quote the entire section about what they can do with your info. I broke it into parts that I talk about separately, but together the parts make up the entire section.
HRB Digital's disclosure of personal information about you is controlled by various laws, regulations and other legal requirements, as well as HRB Digital policies. For example, the personal information we obtain to prepare your tax return is subject to specific legal requirements. We may disclose personal information that we collect, subject to the terms of this privacy notice and consistent with applicable law. The examples contained in this notice are illustrations; they are not intended to be exclusive.
Here they point out that they can only reveal information that they’re allowed to. Laws and government regulations place restrictions. As we read the rest of the section, though, we see that those restrictions are nearly the only ones. H&R Block tries not to restrict itself any further.
What are those laws and regulations? I don’t know, and I doubt most lawyers do either. Since the laws and regulations are apparently what counts, I’d like a pointer. But I can’t blame H&R Block for leaving out the meat of the matter; they didn't create the legal regime. It’s complicated, it’s not their responsibility, and if they tried to explain and made a mistake or didn’t keep up with updates, then they'd be taking a legal risk. And despite that, they do in fact explain some of the restrictions below—particularly the ones that make them look better.
Here’s the best IRS starting point I found: Section 7216 Updated Rules for Tax Preparers (Updated 12/18/2008). It says “tax preparers must obtain the signed consent of the taxpayer on paper or electronically before they can disclose taxpayer return information.” Does the software agreement that you clicked through without reading constitute signed electronic consent?
Where permitted or required by law, we may disclose personal information about you for our normal business purposes. For example, this may include disclosures to the Internal Revenue Service (IRS), and for certain other lawful purposes where this disclosure is permitted by law (such as the processing of your tax return).
And here’s the first use of the great phrase “where permitted by law”. I don’t know what it means to a lawyer, but to me it means nothing. After all, they can’t say they’re going to violate the law, so if they say they’re going to follow it they say nothing. The phrase is intended to look like it restricts them, but it doesn’t. I suspect that in many cases the correct understanding of “where permitted by law” is “to the greatest extent permitted by law.”
Where permitted by applicable law or where we obtain your consent, we may disclose your personal information to service providers who perform business functions on our behalf (for services such as data processing and analysis, contest supervision, and direct mail or e-mail production). We require HRB Digital service providers to have written contracts that specify appropriate use of your personal information, require them to safeguard your personal information, and prohibit them from making unauthorized or unlawful use of your personal information.
In certain situations involving personal information collected for tax return preparation, we are required to have your consent before we disclose this information to affiliates or other nonaffiliated third parties. For example, if you have provided consent, we may disclose personal information about you to companies engaged in offering banking, investment, credit cards or consumer loans, insurance or other non-tax financial services in order to provide you with service enhancements and product opportunities that we believe may interest you.
We do not share your personal information with non-affiliated third parties for marketing purposes except as permitted by applicable law or with your consent. We do not sell or rent your personal information to third party direct marketers.
Here’s the first actual promise on their part: They promise not to deal with third party direct marketers. I take that to mean businesses not affiliated with them (so there’s no ownership or control relationship between the companies) which do direct marketing as their primary line of business. If you’ve read the next paragraph, you know they don’t mean financial companies which do direct marketing as a sideline. So the promise is quite narrow.
Where permitted by law, we may disclose your personal information to financial institutions with which we have joint marketing agreements. We require all joint marketers to have written contracts with us that specify appropriate use of your personal information, require them to safeguard your personal information, and prohibit them from making unauthorized or unlawful use of your personal information. If a state law (or other law) requires us to give you the right to opt-out prior to any disclosure of your personal information for joint marketing, we will not disclose your personal information for such purposes without providing such opt-out or obtaining your consent to such disclosure.
Anyone who has a mailbox knows that financial institutions do tons of direct marketing. How many credit card solicitations have you thrown away this year? What do you think a credit card company wants to know about you before they send one? I think: As much as possible. How much of it do they learn from H&R Block? I can only guess, but my guess is: More than zero.
We may disclose your personal information to affiliates or non-affiliated third parties (including government entities) when we have a good faith belief that such disclosure is required or permitted by law. This may occur, for example, in connection with a court order, legal process, or other judicial, administrative or investigative proceeding, or other situations where the provision of certain information is required or permitted by law.
How many times did they say “permitted by law”? They give examples of situations where they would be required by law to disclose information, but the very first paragraph above points out that examples are illustrations only. What they actually wrote is “required or permitted by law,” which to me means whenever it’s not illegal.
Notice that the most permissive paragraph, the one that admits that they won’t restrict information trading to financial firms that they have marketing contracts with, is the very last paragraph of the section. They’re hoping you’ll have given up by then.
So the bottom line of the entire lengthy policy section is that they promise not to deal with third party direct marketers, end of story. They give examples of practices they follow for privacy and security, but my impression after reading the IRS regulations is that all these practices are required. They promised virtually nothing. The law is your only protection.
This version of H&R Block’s software privacy policy was downloaded 11 May 2013 and is labeled “November 2012”.