TaxProExchange

Tax Return Info Under §7216 & Your Firm’s Risk Line

Why public chatbots are off-limits for taxpayer data, what §7216 protects, and how to use guardrail technology to ensure compliance while preserving workflow.

By Koen Van Duyse

Risk Line For Taxpayer Data Using AI

TL;DR, The Quick Version

  • §7216 is a criminal statute, and most violations today occur unintentionally, by copying and pasting into public AI tools.
  • “Tax return information” includes nearly all data related to preparing a return, not just the return itself.
  • No public large language models (LLMs) (ChatGPT, Claude, Gemini, Perplexity, etc.) can process taxpayer information without explicit permission.
  • “No training” is not enough. Tenant isolation, regional boundaries, logging, deletion controls, and a real data protection agreement (DPA) are necessary.
  • AI is permitted in tax workflow; you just need guardrails, consent, and auditable systems.

1. The True Risk Line: AI Isn't the Issue, It's How You Disclose

Most §7216 violations are not a result of bad acts.
They are a result of paste.

A preparer takes the text from a client email,
“Here are my rental expenses and that messy K-1”,
and drops it into ChatGPT to “rewrite this professionally.”

In doing so, they potentially commit a criminal violation of §7216 by providing tax return information to a third party without explicit consent.

The problem isn't AI.
The problem is where the data goes, who determines the destination, and whether you can show compliance.
Additionally, many firms have no idea how easily a member of staff can cross the line.

2. What Does §7216 Really Say? (Plain Language)

26 U.S.C. §7216 states that it is a criminal offense for tax return preparers to:

  • Disclose taxpayer information; or
  • Use taxpayer information for anything other than preparing or assisting in preparing a tax return

without the consent of the taxpayer, which must be given in writing.

The key point is that the statute is very broad.

What counts as "tax return information"?

Anything:

  • Given by the taxpayer (docs, emails, screenshots);
  • Given on behalf of the taxpayer;
  • Given by the preparer as part of the return (summaries, notes, drafts, questions to clarify);
  • Text such as “My child is going to school now, can I still claim the American Opportunity Credit?” could be tax return information;
  • Verbal descriptions of rent income could be tax return information;
  • Summarized spreadsheets showing receipts could be tax return information.

If it impacts return preparation, then it is included; and if you give it to a third party without consent, then §7216 has been triggered.

3. Why AI Tools Expose Firms to §7216 Risks More Than Other Software Programs

AI systems create three types of risks of disclosures:

  • A. Destination Risks
    You have no control over where the data will go.
    Public LLMs route the data through their own systems and multi-tenant endpoints, and log it where you have no control.

  • B. Retention Risks
    You can't verify:
    Where the data was kept;
    How long the data was kept;
    Whether the data was erased;
    Whether the data was used in the training process;
    Whether a foreign system was involved in processing the data.
    Because you can't confirm these points, you can't establish compliance under §7216, nor can you respond to a subpoena's request for production of documents.
    This is why "free" or "public" chatbots cannot be used for tax return information.

4. The Problem with Publicly Accessible LLMs (Including ChatGPT)

There should be no confusion here:
Public ChatGPT sessions are off-limits for all taxpayer-related data.

  • No W-2 data
  • No K-1 data
  • No summaries of organizers
  • No client questions
  • No rental data
  • No screenshots of data
  • No summaries of bank statements

None of the above may be entered, not even a single taxpayer-related fact.

The issue with data is structural:

  • Your data is not tenant-isolated.
  • Prompts can be recorded outside of your knowledge or control.
  • You can't log where the data was sent.
  • You will never have a DPA, you will never have local guarantees, and you will never be able to delete the data.
  • You do not have the level of consent you may believe you have when using ChatGPT.

Even if the model "does not train" on your taxpayer data, you have still made a disclosure by entering taxpayer data into a publicly accessible system without consent.

5. Real-World Examples: How §7216 Violations Occur Today

  • Example 1: Client email rewritten in ChatGPT by a staffer
    “Can you summarize my stock sales from Fidelity?”
    → Copy/Paste in ChatGPT
    → Criminal Disclosure

  • Example 2: Upload a PDF to create a summary using AI
    A staffer has dragged a 1098 or a brokerage statement into an AI application to “pull out the highlights.”
    → Disclosure

  • Example 3: Troubleshooting a messy depreciation schedule using a chatbot
    Anonymized numbers can still be considered tax return information because the numbers originate from a taxpayer’s documents.

  • Example 4: Draft a response about the reason a return is late
    If the message includes identifiable elements, tax situation elements, or amounts, then it is covered under §7216.

6. A Compliant AI Workflow Can Be Built: This Is How To Build It

Compliance necessitates guardrails, not prohibition.
Firms across the country are deploying AI successfully when the AI resides within a controlled environment.

A compliant workflow looks like this:

A. Collect §7216 Consent Upfront

Consent must be embedded in the following areas of your business:

  • Your Organizer
  • Your Onboarding Flow
  • Your Engagement Letter Renewal
  • Your Tax Portal

Consent must meet the following criteria:

  • Be Clear,
  • Be Specific,
  • Be Informed,
  • Be Revocable.

B. Choose a Vendor That Provides More Than “No Training”

Your AI vendor needs:

  • Tenant isolation
  • Regional data boundaries
  • SOC 2 or ISO certification
  • Encryption in transit, at-rest, and during inference
  • Logging of every prompt
  • Retention limits
  • A real DPA + confidentiality agreement
  • Access controls for staffers

Do not engage with a vendor that cannot provide you with documentation within a week.

C. Create a Prompt Safety Policy (Red / Yellow / Green)

Green Zone, Always Permitted

  • Tax Law Summaries
  • Drafting Engagement Letters
  • Creating Procedures
  • Creating Templates
  • Describing Concepts (Basis, Depreciation, 199A)
  • Marketing Content

Yellow Zone, Permitted With Controls

  • Hypothetical Scenarios
  • Sanitized Numbers Not Tied to Actual Clients
  • Generic Workflows

Red Zone, Never Permitted Without Consent + Controls

  • Any Information Derived From Client Documents
  • Any Detail That Would Not Exist “But For” Preparing a Return
  • Summarizing Tax Facts
  • Client Financial Questions
  • Any Information That Includes Actual Names, Locations, Or Amounts

This grid should be included in your policy manual.

D. Keep Your AI Inside Your Secure Workflow

The AI must reside in a system you can control: your Document Management System (DMS), your workflow tool, your CRM, or a platform specifically designed for safeguards.
If a staffer must open a separate browser window, you have lost logging and auditing.
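
One way to enforce the Red / Yellow / Green policy from section C and the logging requirement from section D is a gate that every prompt passes before it is sent. This is an added example, not code from the author or from any vendor; the regex indicators, the consents mapping, the controlled flag, and the reading of the Yellow zone's "controls" as "controlled endpoint only" are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Assumed heuristics: a fail-closed pre-filter, not a legal test of §7216.
RED = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "dollar_amount": re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?"),
}
YELLOW = {
    "hypothetical": re.compile(r"\b(?:hypothetical|suppose|assume)\b", re.I),
    "bare_number": re.compile(r"\b\d{1,3}(?:,\d{3})+\b|\b\d{5,}\b"),
}

def classify(prompt):
    """Return (zone, findings); Red wins over Yellow, Yellow over Green."""
    for zone, patterns in (("red", RED), ("yellow", YELLOW)):
        hits = sorted(n for n, rx in patterns.items() if rx.search(prompt))
        if hits:
            return zone, hits
    return "green", []

def gate(prompt, audit_log, client_id=None, consents=None, controlled=False):
    """Decide whether a prompt may be sent, and log the decision either way."""
    # consents: client_id -> True while written consent is on file, unrevoked.
    # controlled: True only for the firm's tenant-isolated, logged endpoint.
    zone, findings = classify(prompt)
    if zone == "green":
        allowed, reason = True, "green zone"
    elif zone == "yellow":
        allowed, reason = controlled, "yellow zone: controlled endpoint only"
    else:
        has_consent = bool(consents and consents.get(client_id))
        allowed = has_consent and controlled
        reason = ("red zone: consent on file, controlled endpoint" if allowed
                  else "red zone: no consent on file" if not has_consent
                  else "red zone: destination not controlled")
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client_id": client_id, "zone": zone, "findings": findings,
        "allowed": allowed, "reason": reason,
        # Digest only; the prompt body stays in the firm's own store (assumed).
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    }
    audit_log.append(record)  # blocked attempts are logged too
    return record

if __name__ == "__main__":
    print(gate("jane@example.com paid $18,250.00", [], "C-001"))  # constructed sample
```

A Red-zone prompt with no client_id is blocked, because there is no consent record to tie it to.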

E. Have a Human in the Review Loop

AI creates drafts.
Humans apply judgment, interpret facts, and sign.
§7216 does not change this.

7. Checklist: Before You Approve Any AI for Your Business

Use the checklist below to evaluate vendors and protect your license:

Technical

  • Vendor Has Never Trained On Firm Data
  • Tenant-Isolated Environment
  • Processing By Region
  • Encryption in Transit & At-Rest
  • Logging Every Prompt
  • Export of Prompts for Audits
  • Mechanism for Deleting Data
  • Documentation for SOC 2 or ISO Certification

Legal

  • DPA With Confidentiality Agreement
  • Consent Language That Matches System Behavior
  • Clearly Defined Retention Policy
  • Terms Regarding Incident Reporting

Operational

  • Prompt Policy (Red/Yellow/Green)
  • Training Staff with Examples
  • Integrating AI Into Current Workflow
  • Do Not Allow Copy/Paste to Public Tools
  • Annual Review of Controls

Print this and attach it to your onboarding packet.

8. FAQ: Frequent Tax Professional Concerns Regarding AI

Does AI comply with IRC §7216?
Yes, provided you get affirmative consent, use a "limited purpose processor," and store all prompts in a logged and controllable system.

Can smaller firms afford AI?
Yes. Many vendors charge by person or by tax return. Most firms begin by spending less than $1000/month for a pilot.
Start with one workflow and expand from there based on the ROI.

Will AI eventually eliminate tax preparers?
No.
AI performs well at summarizing, extracting, and drafting.
Tax preparers bring context and judgment, and sign their name.

What questions should I ask when quickly vetting a new AI vendor?
Ask for:

  • SOC 2 or ISO
  • Whitepaper outlining how their organization handles data
  • Guarantees that they process data in regional areas
  • History of uptime
  • Logs of prompts (to verify the AI has been asked the same question before)
  • Sample flow of how your data moves through their system

If they cannot answer these questions within a week, continue searching for an alternative.

Can my firm simply utilize ChatGPT or another publicly available LLM with custom prompts?
No.
ChatGPT's public interface is trained using 40% of all posts from a fire hose of unreviewed data, and therefore is not suitable for regulated workloads.

You have:

  • No Data Protection Agreement (DPA)
  • No auditing logs
  • No assurance of tenancy separation
  • No assurance of data retention limits
  • No assurances regarding obtaining consent from your clients

Publicly accessible LLMs are useful for generic writing and not for handling taxpayer information.

9. Conclusion: All Firms Will Use AI, but Only Those That Use It Compliantly Avoid Criminal Liability

All tax firms will eventually implement AI because the benefits are just too substantial to ignore.

However, IRC §7216 gives each firm two options:

  • Utilize AI correctly, and avoid exposing the firm to potential criminal liability.
  • Implement guardrails, ensure client consent, maintain audit trails, and limit the potential exposure of sensitive taxpayer data to unauthorized entities.

Uncontrolled data flows pose a risk to firms.
Those firms that successfully integrate compliant AI into their practice today will out-perform those that wait.

About the Author

Koen Van Duyse

Koen has been working in AI for the last two years, with an emphasis on conversational AI. In his spare time he is partner of a small tax firm in Southern California and runs the Tax Pro Exchange.
