Democrats have been taking a victory lap as the first advanced monthly Child Tax Credit (CTC) payments begin hitting Americans’ bank accounts. Yet while many Americans stand to benefit from the expanded credit, the advance payment structure could create an unwelcome shock for certain taxpayers come next April.

Eligible taxpayers have been automatically enrolled for monthly CTC payments, with eligibility based on their 2019 or 2020 tax filing information. For most taxpayers, that offers the benefit of not having to fill out any paperwork to receive a tax benefit that could help them make ends meet. But for taxpayers whose eligibility has changed over the last year or two, it means they’re incorrectly receiving payments that the IRS will expect them to pay back when they file their taxes next year.

There are lots of reasons why a taxpayer who was eligible to receive CTC payments in 2019 or 2020 could no longer be in 2021. Divorced parents often alternate years of claiming their child as a dependent, so a taxpayer who claimed their child as a dependent in 2020 may not be able to do so in 2021. Incomes could also fluctuate substantially between years, particularly given how many Americans temporarily lost their jobs in 2020 but have since found employment.

Spreading out the annual CTC to a monthly payment was conceived as a means of helping Americans living paycheck to paycheck to receive steadier assistance. But those Americans who would most benefit from such a system are also those least equipped to pay back a tax bill of up to $3,600 per child should they have to pay back credits they were actually ineligible for.

And unfortunately, the process of opting out of the monthly payment system is complicated and carries risks of its own. Taxpayers seeking to bypass this “feature” are obliged to sift through a maze of bureaucracy and hassle.

To opt-out of monthly CTC payments, taxpayers must go to the IRS website and go through the Child Tax Credit Update Portal. They then have to sign up for an account using a private company the IRS contracts with to prevent fraud called ID.me. Signing up for an ID.me account requires sending pictures of yourself and your photo ID, and can even require a video call with an ID.me employee to verify your identity.

It’s more than just a hassle. The IRS’s $86 million contract with ID.me allows the company to “disclose or share” non-personally identifiable information such as the URL taxpayers visited before or after coming to ID.me’s website, taxpayers’ IP address, occupations, device identifier, approximate location, and type of browser.

While many Americans have expressed concern about data privacy online, most websites are at least optional. Deciding to visit social networking sites or streaming websites is, for the most part, avoidable if privacy is one’s chief concern — moreover, you usually receive free service in return for your data. A website necessary to update your tax filing information with the IRS, on the other hand, is not exactly optional if you want to avoid a “clawback” next Tax Day.

Companies entrusted with taxpayer information should be required to keep it strictly private. After all, the IRS hardly has a great record of protecting taxpayer information even when it is kept in-house. There are plenty of examples of IRS employees stealing personal information to perpetrate identity theft schemes, while it remains possible that the recent leak of taxpayer information published by ProPublica originated from a breach of the IRS.

Thus far, roughly 1 million filers have successfully opted out of the IRS’s automatic CTC payment feature. That may sound like a lot, but considering that the IRS sent out more than 59 million advance CTC payments in July, it’s likely many taxpayers who will have to pay back the credit next year did not.

Advancing CTC payments is an interesting idea in theory, but it could blindside millions of taxpayers with an unexpected bill in April. At a minimum, the IRS can and must do more to ensure that taxpayers can opt-out of this service safely and privately.