Cookie usage of CAPTCHA services compared

Cookies are a central part of the internet. Cookies are small pieces of data that are stored on the user’s device. They are commonly used to persist information like sessions or shopping carts between page loads and can be found on almost any website. Without cookies a website wouldn’t be able to remember that you have previously visited it.

So why should you care about cookies? While cookies are mostly used to make the life of website users easier, they can also be used to track users to provide personalized ads. This works especially well for large companies like Google that operate many different services across subdomains on the same domain (“google.com”). Some of these services are visited directly by the user by opening the domain in the browser, but many of them are used on other websites without the user even noticing. This way companies like Google can track users across websites that they don’t own.

It is therefore important to understand how cookies are used in different Captcha services to prevent unwanted tracking of your users.

reCAPTCHA

reCAPTCHA, which is powered by Google, is the most common Captcha service. The reCAPTCHA widget is loaded from the “google.com” domain, which is shared across many Google services. It therefore has access to all the cookies that were previously set by other Google services. While reCAPTCHA itself only sets a cookie called “_GRECAPTCHA”, which is used to provide the invisible captcha functionality, it can use the existing Google cookies to track users. By embedding reCAPTCHA from the “google.com” domain, you are potentially expanding the tracking network of Google [1].

hCaptcha

hCaptcha is a Captcha service based in the United States that focuses on image recognition tasks. The hCaptcha widget is loaded from the “hcaptcha.com” domain. hCaptcha also uses cookies to provide its service, including functionality like its passive mode. One of these cookies stores a unique identifier for each user, which potentially allows hCaptcha to track users across websites that are using hCaptcha. While hCaptcha’s cookies tend to be less critical, the data protection implications of using them must still be taken into account.

Friendly Captcha

Friendly Captcha is a Captcha service based in Germany and focused on privacy and accessibility. The Friendly Captcha widget is either loaded from an Open Source CDN such as unpkg.com or can be installed directly using a package manager like NPM and served from your own servers. The widget communicates with the “friendlycaptcha.com” domain to get a puzzle. Friendly Captcha doesn’t set any cookies and the domains are only used to operate the Captcha, which ensures that no data tracking takes place.

Conclusion

While most Captcha providers use cookies that can potentially be used to track users, Friendly Captcha is the only large Captcha provider that does not use cookies and is therefore the clear winner in this race. The only way to ensure that no data tracking with cookies takes place is to have no cookies set.
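To check this on your own pages, export a HAR capture of a page load from the browser's developer tools and list which third-party sites received or set cookies. The script below is an added example, not part of the original article; the HAR data, URL paths and all cookie names except `_GRECAPTCHA` are constructed, and grouping hosts by their last two labels is a simplification of the Public Suffix List.

```javascript
// Added example: audit a HAR capture for cookies exchanged with third-party sites.
// Group hosts by their last two labels (simplification; production code needs the Public Suffix List).
const site = (host) => host.split(".").slice(-2).join(".");

// Cookie names from every header called `headerName`, splitting each value on `sep`.
const cookieNames = (headers, headerName, sep) =>
  headers
    .filter((h) => h.name.toLowerCase() === headerName)
    .flatMap((h) => h.value.split(sep))
    .map((pair) => pair.split("=")[0].trim())
    .filter(Boolean);

function auditThirdPartyCookies(har, firstPartyHost) {
  const report = {};
  for (const { request, response } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (site(host) === site(firstPartyHost)) continue; // first-party traffic is out of scope
    const key = site(host);
    const row = (report[key] = report[key] || { sent: new Set(), set: new Set() });
    // A Cookie request header carries several "name=value" pairs separated by ";".
    cookieNames(request.headers, "cookie", ";").forEach((n) => row.sent.add(n));
    // Each Set-Cookie carries one cookie; tolerate exporters that join them with newlines.
    cookieNames(response.headers, "set-cookie", "\n").forEach((n) => row.set.add(n));
  }
  return Object.fromEntries(
    Object.entries(report).map(([s, r]) => [s, { sent: [...r.sent].sort(), set: [...r.set].sort() }])
  );
}

// Constructed sample capture of a page on "shop.example" embedding three widgets.
const entry = (url, reqHeaders = [], resHeaders = []) => ({
  request: { url, headers: reqHeaders },
  response: { headers: resHeaders },
});
const SAMPLE_HAR = { log: { entries: [
  entry("https://shop.example/", [], [{ name: "Set-Cookie", value: "session=s1; Path=/" }]),
  entry("https://www.google.com/recaptcha/api.js",
    [{ name: "Cookie", value: "CONSTRUCTED_GOOGLE_ID=g1" }],
    [{ name: "set-cookie", value: "_GRECAPTCHA=r1; Path=/recaptcha; Secure" }]),
  entry("https://hcaptcha.com/constructed-widget.js", [],
    [{ name: "Set-Cookie", value: "constructed_uid=u1; Secure" }]),
  entry("https://unpkg.com/constructed-friendly-captcha-widget.js"),
  entry("https://friendlycaptcha.com/constructed-puzzle"),
] } };

console.log(JSON.stringify(auditThirdPartyCookies(SAMPLE_HAR, "shop.example"), null, 2));
```

A non-empty `sent` list is the case the reCAPTCHA section describes: cookies that already existed for that site travelled with the widget request from your page.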

If you want to try out Friendly Captcha yourself, you can check out the live demo. More information about Friendly Captcha can be found here.
