Multiple web cookies

Cookies are a central part of the internet. They are small pieces of data that are stored on the user’s device. They are commonly used to persist information like sessions or shopping carts between page loads and can be found on almost any website. Without cookies, a website wouldn’t be able to remember that you have previously visited it.

So why should you care about cookies? While cookies are mostly used to make the life of website users easier, they can also be used to track users to provide personalized ads. This works especially well for large companies like Google that operate many different services across subdomains on the same domain (“google.com”). Some of these services are visited directly by the user by opening the domain in the browser, but many of them are used on other websites without the user even noticing. This way companies like Google can track users across websites that they don’t own.

It is therefore important to understand how cookies are used in different Captcha services to prevent unwanted tracking of your users.

reCAPTCHA Cookies

reCAPTCHA, which is powered by Google, is the most common Captcha service. The reCAPTCHA widget is loaded from the “google.com” domain, which is shared across many Google services. It therefore has access to the cookies that other Google services previously set for that domain. While reCAPTCHA itself only sets a cookie called “_GRECAPTCHA”, which is used to provide the invisible captcha functionality, it can use the existing Google cookies to track users. By embedding reCAPTCHA from the “google.com” domain, you are potentially expanding the tracking network of Google [1].
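Added example (not from the original article): a simplified model of the browser's cookie-matching rules, showing which cookies in a jar would accompany a request for a widget on www.google.com that is embedded in a third-party page. The jar is constructed: every cookie name except “_GRECAPTCHA”, all cookie attributes, and the site shop.example are assumptions, and the model assumes the browser does not block third-party cookies.

```javascript
// RFC 6265 domain-match: exact host, or host ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// RFC 6265 path-match: equal, or cookie path is a directory prefix of the request path.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Naive "site" helper (last two labels). Real code needs the Public Suffix List.
const siteOf = (host) => host.split(".").slice(-2).join(".");

// Names of the cookies attached to `requestUrl` when it is loaded as a
// subresource (script, iframe, XHR) of the page at `embeddingPageUrl`.
function cookiesSentTo(requestUrl, embeddingPageUrl, jar) {
  const req = new URL(requestUrl);
  const crossSite = siteOf(req.hostname) !== siteOf(new URL(embeddingPageUrl).hostname);
  return jar.filter((c) => {
    const hostOk = c.hostOnly ? req.hostname === c.domain : domainMatches(req.hostname, c.domain);
    if (!hostOk || !pathMatches(req.pathname, c.path)) return false;
    if (c.secure && req.protocol !== "https:") return false;
    // Cross-site subresource requests only carry SameSite=None cookies.
    return !crossSite || c.sameSite === "None";
  }).map((c) => c.name);
}

// Constructed jar: attributes and the svc_*/mail_* names are illustrative only.
const jar = [
  { name: "_GRECAPTCHA", domain: "www.google.com", hostOnly: true, path: "/recaptcha", secure: true, sameSite: "None" },
  { name: "svc_id", domain: "google.com", hostOnly: false, path: "/", secure: true, sameSite: "None" },
  { name: "svc_pref", domain: "google.com", hostOnly: false, path: "/", secure: true, sameSite: "Lax" },
  { name: "mail_session", domain: "mail.google.com", hostOnly: true, path: "/", secure: true, sameSite: "None" },
];

// Widget request made from a third-party shop page (constructed URL for the page).
console.log(cookiesSentTo("https://www.google.com/recaptcha/api.js", "https://shop.example/checkout", jar));
```

The domain-wide `svc_id` cookie travels with the widget request even though the user never visited a Google page in this tab, while the host-only cookie for another subdomain and the `SameSite=Lax` cookie do not.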

hCaptcha Cookies

hCaptcha is a Captcha service based in the United States that focuses on image recognition tasks. The hCaptcha widget is loaded from the “hcaptcha.com” domain. hCaptcha also uses cookies to provide its service and features such as its passive mode. One of these cookies stores a unique identifier for each user, which potentially allows hCaptcha to track users across websites that are using hCaptcha. While hCaptcha’s cookies tend to be less critical, the data protection implications of using them must still be taken into account.

Friendly Captcha Cookies

Friendly Captcha is a Captcha service based in Germany and focused on privacy and accessibility. The Friendly Captcha widget is either loaded from an Open Source CDN such as unpkg.com or can be installed directly using a package manager like NPM and served from your own servers. The widget communicates with the “friendlycaptcha.com” domain to get a puzzle. Friendly Captcha doesn’t set any cookies and the domains are only used to operate the Captcha, which ensures that no data tracking takes place.

Conclusion

While most Captcha providers use cookies that can potentially be used to track users, Friendly Captcha is the only large Captcha provider that does not use cookies and is therefore the clear winner in this race. The only way to ensure that no data tracking with cookies takes place is to have no cookies set.

If you want to try out Friendly Captcha yourself, you can check out the live demo. More information about Friendly Captcha can be found here.