IRS Facial Recognition Requirement: Tax Filing Demands Biometric Verification

The IRS faced backlash after requiring taxpayers to verify their identity through ID.me, a private company that used facial recognition technology. The requirement meant Americans had to submit biometric selfie data to a private contractor to access their tax information online. Privacy advocates raised alarms about the government mandating facial recognition through a private intermediary, creating a massive biometric database outside direct government control. Concerns included the accuracy of facial recognition across demographics, the data retention practices of ID.me, and the lack of alternative verification methods for individuals unable or unwilling to submit biometric data. ID.me CEO initially denied using one-to-many facial recognition before acknowledging the company did in fact use the technology. The controversy led the IRS to announce it would transition away from facial recognition verification and develop alternative identity proofing methods, though the timeline was slow and ID.me retained data already collected.

The ramifications of this incident extend beyond the immediate data exposure. Privacy regulators in multiple jurisdictions have opened investigations, and affected individuals are organizing collective action to demand accountability and meaningful remediation. The case highlights systemic weaknesses in how organizations handle personal data and the gap between corporate privacy promises and operational reality.

For impacted individuals, immediate action is critical. Filing a data subject access request forces the company to disclose exactly what data they hold about you, providing the foundation for deletion requests, regulatory complaints, and potential legal action. Below, we outline the specific data types at risk and the concrete steps you can take to protect yourself.