Lesson 4: Consent: When and How (§301.7216-3)
When exceptions don't apply, you need consent
Learning Objectives
After completing this lesson, you will be able to:
- Explain the two types of consent and why they cannot be combined
- Identify the mandatory content requirements for a valid §7216 consent
- Describe the one-year default and the timing requirements
- Distinguish the format requirements for 1040 clients versus business return clients
- Draft a conceptually valid §7216 consent for an AI vendor scenario
The Two Types of Consent
Section 301.7216-3 creates two separately required consent documents for Form 1040 filers:
- Disclosure Consent: Authorizes you to share the client's tax return information with a third party (e.g., an AI vendor).
- Use Consent: Authorizes you to use the client's tax return information for a purpose other than return preparation (e.g., marketing additional services).
⚠️ RISK: These two consents cannot be combined in a single document for individual (Form 1040) clients. Treas. Reg. §301.7216-3(c)(1) explicitly requires that "one written document must authorize uses and another separate written document must authorize disclosures." A combined form is invalid, even if it contains all the required content.
For business returns (1120, 1065, 1120-S, 1041): More flexibility is permitted. Consent for business return clients does not have to be in a standalone document and can be incorporated into an engagement letter, provided the substantive content requirements are met (Treas. Reg. §301.7216-3(a)(3)(iii)).
Mandatory Content Requirements
Under §301.7216-3(a)(3)(i), a valid consent must contain:
| Element | Requirement |
|---|---|
| Preparer identity | The name of the tax return preparer obtaining consent |
| Taxpayer identity | The name of the taxpayer |
| Specific information | What specific tax return information will be disclosed |
| Named recipient | The specific third-party recipient (e.g., the AI vendor by name) |
| Purpose | The specific purpose of the disclosure |
| Duration | How long the consent is effective |
| Signature and date | Signed and dated by the taxpayer |
⚠️ RISK: Vague language fails. "Various AI tools we may use in preparing your return" does not satisfy the "specific recipient" requirement. You must name the vendor. If you add a new AI tool, you need a new consent or an updated consent.
The Mandatory Language from Rev. Proc. 2013-14
For consents signed on or after January 14, 2013, the form must also contain the following verbatim mandatory language from Rev. Proc. 2013-14, §5.04:
"Federal law requires this consent form be provided to you. Unless authorized by law, we cannot disclose your tax return information to third parties for purposes other than the preparation and filing of your tax return without your consent. If you consent to the disclosure of your tax return information, Federal law may not protect your tax return information from further use or distribution."
This language must appear verbatim. It cannot be paraphrased. It cannot be combined with other text in a way that obscures it.
For consents involving disclosure outside the US (generally prohibited for 1040 SSNs), the mandatory language is different and more extensive. See §5.05 of Rev. Proc. 2013-14.
The One-Year Default
Under Treas. Reg. §301.7216-3(b)(5):
If a consent does not specify a period of effectiveness, the consent is effective for one year from the date the taxpayer signs the consent.
Practical implications:
- A consent signed January 15, 2026 expires January 15, 2027 unless a specific end date or triggering event is stated.
- If you are using AI tools for a client on a recurring engagement basis, you need to renew consent annually (or specify a multi-year period in the original consent, but that requires specific language).
- An expired consent is no consent.
Timing: Before the Disclosure
The consent must be signed before the disclosure occurs. Treas. Reg. §301.7216-3(b)(1) states the timing rule directly ("A taxpayer must provide written consent before a tax return preparer discloses or uses the taxpayer's tax return information"), and §301.7216-3(a)(1) reinforces it:
"A tax return preparer may not disclose or use a taxpayer's tax return information prior to obtaining a written consent."
There is no retroactive consent. If you used an AI tool with client data before obtaining consent, that prior use was unauthorized. Subsequent consent does not cure the past violation. This has practical implications for practitioners who are reading this guide after having used AI tools without prior analysis: the forward-looking remediation is to get consents in place immediately, while acknowledging that past use may have been in violation.
Format Requirements for Form 1040 Clients
For disclosures of 1040 clients' information, the consent must:
- Be on paper or in an equivalent electronic format
- Use minimum 12-point type for printed consents
- Be a standalone document separate from any other agreement, engagement letter, or disclosure
- Include the TIGTA (Treasury Inspector General for Tax Administration) contact information
- Be signed and dated by the taxpayer
- Be provided in copy to the taxpayer at the time of execution
📌 PRACTICE TIP: Do not bury a §7216 consent at the end of your engagement letter for 1040 clients. Even if you meet all substantive requirements, embedding it in an engagement letter may invalidate it for 1040 clients because it must be a standalone document. For business clients (1120, 1065, 1120-S), an engagement letter embed is permissible.
The SSN/Offshore Restriction
Treas. Reg. §301.7216-3(b)(4) provides that a U.S. preparer generally may not obtain consent to disclose a Form 1040 taxpayer's Social Security number to a tax return preparer located outside the United States. It is not an absolute bar, though: §301.7216-3(b)(4)(ii) permits it only if the SSN is disclosed "through the use of an adequate data protection safeguard" (as defined by the Secretary in Rev. Proc. 2013-14) and the preparer verifies the maintenance of that safeguard in the consent. This means:
You generally cannot obtain a 1040 client's consent to disclosure of their SSN to a vendor that processes data outside the US, unless an "adequate data protection safeguard" under Rev. Proc. 2013-14 is in place and verified in the consent.
For most AI vendors with non-US data processing, this restriction effectively eliminates the SSN-disclosure consent path, because few small firms can establish and verify an "adequate data protection safeguard." The safest practice is to keep SSNs out of any offshore-accessible disclosure entirely.
Opt-Out Is Prohibited
Pre-checked boxes, assumed consent, and consent-by-inaction are all prohibited. The consent must be:
- Affirmatively signed by the taxpayer
- Voluntary: conditioning return preparation services on the client's consent makes the consent involuntary and invalid
- Knowingly obtained: the client must understand what they are consenting to
What a Valid §7216 AI Disclosure Consent Would Need to Say
Here is a conceptual description of what a valid disclosure consent for AI vendor use would need to contain for a Form 1040 client:
- Standalone document, 12-point minimum type
- Opening mandatory language verbatim from Rev. Proc. 2013-14 §5.04
- Name of your firm
- Name of the specific taxpayer
- Specific description of the information to be disclosed: "Your federal income tax return information furnished to [Firm Name] in connection with preparation of your [year] Form 1040, including [description of document types: W-2s, 1099s, brokerage statements, supporting documents, and related information]"
- Specific named recipient: "OpenAI, L.L.C. (operating ChatGPT Enterprise), located at [address]", not "various AI tools"
- Purpose of disclosure: "To assist in drafting, analyzing, and reviewing information related to the preparation of your federal income tax return using AI-assisted tools"
- Duration: "This consent is effective for one year from the date signed, or until [specific date], whichever is earlier"
- Taxpayer's signature and date
- TIGTA contact information
⚠️ GUIDANCE GAP: The IRS has not issued guidance on how to describe AI vendor recipients with sufficient specificity. Does "OpenAI's ChatGPT Enterprise service" name a specific enough recipient? Does it matter if OpenAI changes its data processing terms after consent is obtained? These are open questions. Conservative practice is to name the vendor with specificity, include the contract tier (Enterprise vs. consumer), and re-obtain consent if the vendor or tier changes.
Key Takeaways
- For Form 1040 clients, disclosure consent and use consent must be separate standalone documents; combining them on one form invalidates both.
- Every §7216 consent must name the specific AI vendor, describe the specific information to be disclosed, state the purpose, and include the verbatim mandatory language from Rev. Proc. 2013-14 §5.04.
- If no duration is specified, consent expires one year from the date signed.
- Consent must be obtained before the disclosure; retroactive consent is void.
- Consent to non-US disclosure of a Form 1040 SSN generally cannot be obtained (§301.7216-3(b)(4)), unless an "adequate data protection safeguard" under Rev. Proc. 2013-14 is maintained and verified; safest practice is to keep SSNs out of any offshore-accessible disclosure.
- Opt-out and assumed consent are prohibited; consent must be affirmatively signed.
Quick Review: Identify the Defect
Form Description A: A firm attaches a §7216 consent to the bottom of its 10-point-type engagement letter for a 1040 client, covers "any AI tools we may use," and is signed at the same time as the engagement letter.
Answer: Multiple defects: (1) Not a standalone document: it is embedded in the engagement letter, which is invalid for 1040 clients. (2) 10-point type is below the 12-point minimum. (3) "Any AI tools we may use" does not name a specific recipient.
Form Description B: A firm obtains a properly formatted standalone consent from a 1040 client, naming ChatGPT Enterprise as the recipient. The consent is obtained the week after the practitioner already used the client's K-1 in a ChatGPT session to draft a memo.
Answer: The consent cannot cure the prior unauthorized disclosure. Consent must precede the disclosure. The past disclosure was a violation.
Form Description C: A firm's 1065 engagement letter includes a consent paragraph authorizing disclosure to "all AI vendors used in preparing this return, including but not limited to OpenAI and Anthropic." The client signs the engagement letter.
Answer: This is valid for a business return client (1065 clients are not subject to the standalone-document requirement). However, the "including but not limited to" language may be too vague under the specific-recipient requirement. Naming specific vendors with more precision is better practice.
Form Description D: A firm obtains a properly formatted consent signed on March 15, 2026. The consent does not specify a duration.
Answer: Valid as of signing, but expires March 15, 2027. The firm must renew before that date for any continuing AI use with that client's data in subsequent years.
Form Description E: A 1040 client's SSN is included in a ChatGPT Enterprise prompt. The firm has a signed disclosure consent in place covering ChatGPT Enterprise for this client. ChatGPT Enterprise has US-based servers but the Microsoft Azure infrastructure has some European redundancy nodes.
Answer: Potential violation. Treas. Reg. §301.7216-3(b)(4) generally prohibits consent to non-US disclosure of a 1040 SSN (absent an "adequate data protection safeguard" under Rev. Proc. 2013-14, which a standard enterprise consent does not establish). If the European redundancy nodes process the data, the SSN restriction applies regardless of the consent. Keep SSNs out of any offshore-accessible prompt.