Thanks Tom. My limited understanding is that enrolled agents (as well as CPA, attorneys) are okay to use AI tools like Blue J and only the paid business version of Chat GPT - since these tools won't store customer data and use it to train the software. Is that right ?
This is a really good question. Short answer: no, not by itself.
The "they don't store it or train on it" distinction matters for data security and privacy, and you should absolutely prefer tools with those protections. But that's a separate question from §7216.
Under §7216 and the regs, the disclosure happens when tax return information is made known to any person in any manner. The moment client data leaves your system and hits a third-party server, you've made a disclosure. It doesn't matter whether the provider stores it, deletes it immediately, or uses it for training. The act of transmission is the disclosure.
So whether you're using Blue J, the paid version of ChatGPT, Claude, or anything else, if you're entering tax return information, you need proper taxpayer consent.
The business tiers with better data handling are absolutely the right tools to use. But they solve the security problem, not the consent problem.
Just to have a conversation on this issue — is a tax-specific program like Blue J more likely to be an “auxiliary service” (and meeting an exception) versus generic ChatGPT?
I think this is a big question that we do not have an answer to. I could see it being “more likely” but still requiring disclosure. I think erring on the side of caution is usually good. I am waiting for a callback from the Office of Chief Counsel to see if they can provide guidance. I will be sure to post a reply here as soon as I have more information.
Hi Tom and Josh : Also , those auxilliary tax specific programs (i.e. -Blue J for tax research and Stanford Tax used for intake) all put up front and center that they are 'Soc 2 compliant" , which is a security standard from AICPA. Honestly, I don't know what Soc 2 compliance is exactly, but I trust the AICPA if they put their name on it and say its secure
Thanks Tom. My limited understanding is that enrolled agents (as well as CPA, attorneys) are okay to use AI tools like Blue J and only the paid business version of Chat GPT - since these tools won't store customer data and use it to train the software. Is that right ?
@Josh Youngblood, EA, CRETS - what is your take on this? Is this sufficient to mitigate the §7216 issue?
This is a really good question. Short answer: no, not by itself.
The "they don't store it or train on it" distinction matters for data security and privacy, and you should absolutely prefer tools with those protections. But that's a separate question from §7216.
Under §7216 and the regs, the disclosure happens when tax return information is made known to any person in any manner. The moment client data leaves your system and hits a third-party server, you've made a disclosure. It doesn't matter whether the provider stores it, deletes it immediately, or uses it for training. The act of transmission is the disclosure.
So whether you're using Blue J, the paid version of ChatGPT, Claude, or anything else, if you're entering tax return information, you need proper taxpayer consent.
The business tiers with better data handling are absolutely the right tools to use. But they solve the security problem, not the consent problem.
Just to have a conversation on this issue — is a tax-specific program like Blue J more likely to be an “auxiliary service” (and meeting an exception) versus generic ChatGPT?
I think this is a big question that we do not have an answer to. I could see it being “more likely” but still requiring disclosure. I think erring on the side of caution is usually good. I am waiting for a callback from the Office of Chief Counsel to see if they can provide guidance. I will be sure to post a reply here as soon as I have more information.
Hi Tom and Josh : Also , those auxilliary tax specific programs (i.e. -Blue J for tax research and Stanford Tax used for intake) all put up front and center that they are 'Soc 2 compliant" , which is a security standard from AICPA. Honestly, I don't know what Soc 2 compliance is exactly, but I trust the AICPA if they put their name on it and say its secure
Data security standards are different than whether a disclosure was made under §7216.
For example, if upload a clients tax return by accident to a secure portal, I have still disclosed the data to whomever has access.
Got it. Good point, you make to distinguish the two.