So why should you care about cookies? While cookies are mostly used to make the life of website users easier, they can also be used to track users to provide personalized ads. This works especially well for large companies like Google that operate many different services across subdomains on the same domain (“google.com”). Some of these services are visited directly by the user by opening the domain in the browser, but many of them are used on other websites without the user even noticing. This way companies like Google can track users across websites that they don’t own.
It is therefore important to understand how cookies are used in different Captcha services to prevent unwanted tracking of your users.
reCAPTCHA is the most common Captcha service which is powered by Google. The reCAPTCHA widget is loaded from the “google.com” domain, which is shared across many Google services. It therefore has access to all the cookies that were previously set by other Google services. While reCAPTCHA itself only sets a cookie called “_GRECAPTCHA” which is used to provide the invisible captcha functionality, it can use the existing Google cookies to track users. By embedding reCAPTCHA from the “google.com” domain, you are potentially expanding the tracking network of Google .
Friendly Captcha is a Captcha service based in Germany and focused on privacy and accessibility. The Friendly Captcha widget is either loaded from an Open Source CDN such as unpkg.com or can be installed directly using a package manager like NPM and served from your own servers. The widget communicates with the “friendlycaptcha.com” domain to get a puzzle. Friendly Captcha doesn’t set any cookies and the domains are only used to operate the Captcha, which ensures that no data tracking takes place.