This article discusses the GDPR compliance of Google reCAPTCHA. We explain what reCAPTCHA is, why website operators around the globe rely on it, and what impact the use of Google reCAPTCHA has on a website’s privacy. Specifically, we show how reCAPTCHA should be evaluated against the backdrop of the GDPR.
We also cover what options you have to protect your website using Google reCAPTCHA alternatives without reducing the user experience of your website or violating applicable data protection laws such as the GDPR.
What is reCAPTCHA?
reCAPTCHA is a test that determines whether a website visitor is human or computer. The term CAPTCHA is short for “completely automated public Turing test to tell computers and humans apart”. Captchas are mainly used in forms on websites. This is intended to prevent bots from sending unwanted requests to website operators. Bots are generally referred to as robot programs or machines.
Google reCAPTCHA is not primarily intended to protect data, but to prevent a large number of automated messages from paralyzing the website operator’s IT infrastructure. It also minimizes the risk of viruses or Trojans being sent by a bot.
The aim of Google reCAPTCHA is thus to exclude unwanted access by automated programs. This can help to reduce spam and prevent automated logins. For this reason, reCAPTCHA tests are usually built into contact forms, registrations, orders, surveys and comment functions.
In the course of such a test to distinguish between humans and machines, website users are given a task. In practice, simple arithmetic tasks such as typing a cryptic text or marking certain images have become popular. You will surely have done these tedious tasks many times so that you could send a message or complete a registration.
How does a reCAPTCHA test work?
Four different forms of reCAPTCHA have become commonplace in everyday life. Almost every Internet user has visited a website where they had to confirm that they are not a robot by checking a box. This procedure is known as No CAPTCHA reCAPTCHA. The effort for the user is low here, just as with the Invisible reCAPTCHA test that runs in the background. However, if Google is unable to collect sufficient user data, both methods switch to the so-called Image reCAPTCHA.
The Image reCAPTCHA is much more time-consuming for users, as they have to select images with a specific motif from several images. An example is the selection of all images with a car on it. This test usually takes a long time and sometimes the motifs are not clearly recognizable, so that new images have to be continuously displayed.
With the Text reCAPTCHA the error rate is also increased. Here, a distorted text must be entered into a control field. Here, too, it is not always clear which letter is being searched for.
Especially the No CAPTCHA reCAPTCHA and the Invisible reCAPTCHA can be problematic in terms of data protection due to the collection of personal data.
Google reCAPTCHA & data processing
In order to be able to decide whether the visitor of a website is human or it is a computer, data is collected and processed. What data is involved may differ depending on the provider of the captcha test.
In the course of using Google reCAPTCHA, personal data is collected. Specifically, the following data, among others, are used for the test:
- IP address of the website visitor
- Web page that was visited
- Screen and window resolution
- Mouse movements and keyboard inputs
- Device settings (such as language and location)
- Cookies
- Browser plugins installed
In particular, Google reCAPTCHA processes the IP address and checks which cookies are set. Especially cookies from Google services such as YouTube or Gmail are searched for. In addition, a separate cookie is often set to perform the captcha test.
Is reCAPTCHA GDPR-compliant?
The question of whether the use of a reCAPTCHA is necessary and thus a legitimate interest of the website operator exists is not clearly clarified. While on the one hand it can be argued that it is essential to include a reCAPTCHA test to protect the website from spam, on the other hand it can be countered that there are reCAPTCHA alternatives that are GDPR compliant.
The Google reCAPTCHA privacy issue results from several aspects.
One point of criticism is that by analyzing a user’s surfing behavior, it is possible to draw conclusions about their consumer behavior. Google can use this to display targeted advertising. This has nothing to do with the actual reason for reCAPTCHA.
Whenever personal data is processed, the users of a website must be informed of this and, in the case of use for marketing purposes, prior consent must also be given by the users for data processing. When using reCAPTCHA, the collection of personal data poses a problem in this regard. It requires comprehensive user education about the privacy policy and the use of consent management tools.
For European services, however, the most critical point is that Google is a US provider, which means that user data is transferred via reCAPTCHA to the United States. In terms of the EU GDPR and the Schrems court rulings, such data transfer is highly questionable.
When using Google reCAPTCHA, it is advisable to seek professional help at an early stage, because mistakes in implementing the associated data protection obligations can be costly.
GDPR-compliant reCAPTCHA alternative
The aforementioned data protection problems of Google reCAPTCHA have prompted us to develop a data protection-compliant reCAPTCHA alternative. This way, website operators can continue to effectively protect themselves against spam and bots while ensuring that they protect the privacy of their users. The solution is called Friendly Captcha and is both GDPR compliant and in line with Schrems II.
Friendly Captcha offers the following advantages:
- No cookies are required.
- No personal data is stored.
- Data processing is decentralized.
- The solution is barrier-free and user-friendly, as no tasks have to be solved by the users.
Friendly Captcha reconciles usability with the highest security standards. During development, our top priorities are to be able to provide effective protection, meet all privacy requirements, and give even restricted users full access to your website. With Friendly Captcha, tedious tasks such as marking certain subjects or typing a text are a thing of the past. The captcha test, whether it is a human or a bot, is done in the background. No personal data is stored and all data is processed in the EU, which would lead to the well-known data protection problems of Google reCAPTCHA.
Switch to a privacy-compliant CAPTCHA
With Friendly Captcha, our alternative to Google reCAPTCHA, we make an important contribution to the protection against spam and bots for start-ups, medium-sized companies and large corporations. We offer different service packages based on the needs of the respective company size.
We are happy to provide you with a consultation and explain the benefits of our technology, especially with regard to the critical issue of reCAPTCHA and data protection.
If you want to try out Friendly Captcha yourself, you can check out the live demo. More information about Friendly Captcha can be found here.
