Human versus bot recognition

CAPTCHAs are commonly found on the Internet. Their purpose is to protect websites from automated spam and malicious bots, effectively making websites more secure. They are often embedded in contact forms, logins, and registration pages, asking website visitors to manually complete a task, such as clicking on images of a specific object or typing letters shown in a blurred image. In some cases, invisible CAPTCHAs can even work completely in the background.

Choosing a CAPTCHA technology for your website isn’t easy. There are several factors to consider, the most obvious being how well the CAPTCHA protects your site from bots. But there is more to it than bot protection. An ideal CAPTCHA should be accessible to everyone (e.g., not discriminate against blind users), provide a seamless user experience, and ensure the protection of your users’ personally identifiable information by complying with privacy standards such as GDPR, CCPA, and HIPAA.

There are several CAPTCHA technologies, such as reCAPTCHA, hCaptcha, and Friendly Captcha. For this reason, companies need to decide on a specific CAPTCHA technology and what type of CAPTCHA they will provide to their website visitors to distinguish humans from bots.

To help you find the best CAPTCHA type for bot protection, we will compare the two most common CAPTCHA providers: hCaptcha vs. reCAPTCHA.

Many people are familiar with Google’s reCAPTCHA, which relies on extensive data usage. On the other hand, there are reCAPTCHA alternatives like hCaptcha, which uses image recognition tests that are becoming increasingly difficult to solve as bots get better at solving them through machine learning.

So who will win the battle of hCaptcha vs. reCAPTCHA? With Friendly Captcha, another provider is entering the ring that aims to overcome the known limitations of CAPTCHA technologies and offer a privacy-friendly and accessible user experience.

This article provides a comprehensive comparison that will give you the insight you need to decide which CAPTCHA solution best suits your needs.


Google reCAPTCHA: The Popular Choice to Fight Bots

Google reCAPTCHA is a common CAPTCHA solution that can be found on many websites on the Internet. It’s a service by Google provided for free to small non-enterprise websites and applications. For enterprise customers, there is a paid version called reCAPTCHA Enterprise, which is charged on a per-verification basis. Recently, reCAPTCHA pricing has increased significantly for enterprise users.

To prevent spam or bot actions, Google offers different forms and levels of user interaction, such as Text reCAPTCHA, Image reCAPTCHA, No CAPTCHA reCAPTCHA, and Invisible reCAPTCHA.

Currently, there are two major versions used by website owners. reCAPTCHA lets website visitors solve CAPTCHA challenges to distinguish human behavior from spam or bot activity. reCAPTCHA v2 requires website visitors to solve image recognition challenges, like selecting cars or traffic lights. The latest version, reCAPTCHA v3, typically collects risk data invisibly in the background.

If Google doesn’t have enough data to distinguish between humans and bots, or if a user is considered a risky actor, manual challenges such as image recognition will still need to be completed, even in invisible mode.

How does Google’s reCAPTCHA work?

Google reCAPTCHA works by tracking and collecting as much information about user behavior as possible, including a full snapshot of the user’s browser window, browser plug-ins, mouse movements, keystrokes, previously visited websites, IP address, cookies, and more [1].

By combining all this information, reCAPTCHA can make an educated guess about malicious bot activity or human behavior. In cases where reCAPTCHA can’t collect enough information to tell if a user is a bot, it requires the user to manually solve a puzzle.

reCAPTCHA does not disclose in its privacy policy what exactly it does with the data it collects [2]. Accordingly, website operators must carefully assess the risks of implementing reCAPTCHA and its data usage, and take appropriate additional security measures.

reCAPTCHA shares cookies with other Google services belonging to the domain. Embedding reCAPTCHA into your website requires you to load the JavaScript code from the domain. As a result, reCAPTCHA can access any cookies previously set by other Google products to potentially follow the user journey across websites that don’t belong to Google [3].

Is Google reCAPTCHA GDPR compliant?

Google reCAPTCHA’s GDPR compliance is critically evaluated by privacy experts. If you are targeting EU users with your website, you are subject to GDPR laws. By embedding reCAPTCHA into your website, you will inevitably be transferring personal data about your European users to servers in the United States. If you are not able to inform your users about how this data is processed and obtain any necessary user consent, you are in breach of GDPR and therefore not allowed to use reCAPTCHA in the EU [4].

The mere fact that cookies are being used by reCAPTCHA, and that data is being transferred to US servers, poses significant data security and data privacy challenges for EU website owners in terms of GDPR compliance. In its EU User Consent Policy and Agreement, Google itself emphasizes to website owners the need to obtain end-user consent for cookies and personal data processing when using reCAPTCHA. The responsibility for obtaining consent when using reCAPTCHA remains with the website owner.

Failure to comply with GDPR rules when using Google’s reCAPTCHA has resulted in lawsuits and fines. For example, in the case of NS Cards, the French data protection commission CNIL fined the website owner more than €100,000 for failing to obtain consent for the use of reCAPTCHA.

For companies based in European countries, as well as international companies targeting EU users, extensive safety measures are essential to comply with GDPR regulations and meet the requirements of data protection authorities.

Benefits of reCAPTCHA

  • Free version for non-enterprise customers: For small, non-enterprise users who only need basic protection, there’s no cost to get an API key. With Google’s request-based pricing, you pay once you reach 10,000 monthly requests across all your accounts and sites.

  • reCAPTCHA v3 is typically invisible: In most cases, reCAPTCHA v3 Enterprise offers an invisible version that does not require the same image recognition tasks as reCAPTCHA v2. reCAPTCHA v3 requires no user interaction, but collects a large amount of user data to perform a risk analysis to calculate an individual risk score for each visitor. It is then up to the site owner to decide which score allows the visitor to pass and when to use image challenges as a fallback.

  • Widely used basic bot protection: Countless companies around the world use reCAPTCHA for bot protection. It is a first step in bot protection. However, compared to more advanced reCAPTCHA alternatives, it only provides basic protection against simple bots.
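The score-based decision described for reCAPTCHA v3 above, as an added server-side example (not code from Google or from this article). The field names `success`, `score`, `action`, `hostname` and `challenge_ts` follow the JSON returned by the reCAPTCHA verification endpoint; the thresholds, the expected hostname and the sample response are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed site policy; tune per form and per observed traffic.
EXPECTED_HOSTNAME = "shop.example"       # hypothetical site
MAX_TOKEN_AGE = timedelta(minutes=2)     # tokens are short-lived
PASS_SCORE = 0.7                         # at or above: let the request through
CHALLENGE_SCORE = 0.3                    # in between: fall back to a challenge

# Constructed sample of an already-parsed verification response.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 1, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "success": True,
    "score": 0.9,
    "action": "login",
    "hostname": "shop.example",
    "challenge_ts": "2024-05-01T12:00:30Z",
}


def decide(resp, expected_action, now):
    """Return 'allow', 'challenge' or 'deny' for one verification response."""
    if resp.get("success") is not True:
        return "deny"
    # A valid token minted on another site or for another form must not count.
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        return "deny"
    if resp.get("action") != expected_action:
        return "deny"
    try:
        issued = datetime.fromisoformat(
            str(resp.get("challenge_ts", "")).replace("Z", "+00:00"))
    except ValueError:
        return "deny"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    if now - issued > MAX_TOKEN_AGE:
        return "deny"                    # stale token, possibly replayed
    score = resp.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "deny"
    if score >= PASS_SCORE:
        return "allow"
    if score >= CHALLENGE_SCORE:
        return "challenge"               # the manual fallback the text mentions
    return "deny"
```

Checking the action and hostname matters as much as the score: without them, a high-scoring token obtained elsewhere would be accepted on a sensitive form.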

Weaknesses of Google reCAPTCHA

  • Not accessible to all users: reCAPTCHA v2 requires users to solve a visual puzzle to prove they are human. These challenges can be difficult to solve and can effectively exclude people with visual impairments, such as blind users or the elderly. reCAPTCHA v3 relies more on data collection and is mostly invisible. However, in fallback cases, manual user actions are required for effective protection, leading to accessibility issues. Full WCAG compliance is hardly achievable with reCAPTCHA.

  • Processing of large amounts of user data: Google’s business model is targeted advertising, which relies on user data, cookies, and local storage to track everything a user does. reCAPTCHA Enterprise depends on collecting as much information as possible to guess whether it is a real human user, which raises privacy concerns. Achieving GDPR compliance with Google’s reCAPTCHA is a daunting challenge.

  • Lack of transparency in data processing and storage: Google does not disclose what, why, or how reCAPTCHA collects personal data from end users. reCAPTCHA customers must demonstrate lawful use as required by GDPR. The lack of transparency makes it impossible to provide the required information about data collection, cookies used, data utilization, and third parties involved.

  • Sharing cookies with the Google universe: Google depends on the analysis of user behavior to support its advertising business. The code that website owners need to embed in their site to use reCAPTCHA is served from the domain, which means that any cookies associated with that domain can be accessed by other Google services, such as Google Analytics. In this way, site owners who use reCAPTCHA enable all of Google’s services to track their visitors and contribute to its tracking network.

  • Subject to US privacy regulations as a US provider: As a U.S. company, Google is subject to U.S. national surveillance and privacy regulations. Websites targeting European users will need to comply with GDPR requirements, and will not be allowed to transfer European users’ personal data to U.S. companies without additional safeguards. Using Google’s reCAPTCHA involves a potentially critical international transfer of data to a third country.

  • False positives for privacy-conscious users: Users with privacy concerns who use tracking blockers or a VPN, or who are not logged into Google, will have to solve reCAPTCHA challenges more often. Without the personal information provided by Google’s cookies, and with fewer risk signals because of privacy-conscious behavior, reCAPTCHA has a hard time distinguishing between humans and bots. This results in a high rate of false positives and a lock-out of human users. Website visitors with visual impairments who use accessibility aids such as screen readers are similarly affected.

hCaptcha: The Image Classification Task Based CAPTCHA Solution

hCaptcha is a US-based alternative to reCAPTCHA that targets both small website owners and corporate customers. hCaptcha requires website visitors to label images as part of its business model: hCaptcha’s parent company, Intuition Machines Inc., focuses on machine learning for image recognition and offers image labeling services. The labeled data from the hCaptcha widget is sold to data companies [5].

hCaptcha offers a similar experience to Google’s reCAPTCHA v2. Unlike reCAPTCHA v3, due to its business model, the provider is more focused on manual image recognition challenges. It is an image-classification-based CAPTCHA provider that employs visual challenges such as identifying objects.

Because of these manual CAPTCHA challenges, hCaptcha needs less data than Google to operate its service. In return, it misses out on a good user experience.

Nevertheless, hCaptcha uses cookies to provide its service and paid enterprise features such as its passive CAPTCHA. One of these cookies stores a unique identifier for each user, potentially allowing hCaptcha to track users across websites that use hCaptcha.

How does hCaptcha work?

For regular users, hCaptcha requires each website user to manually solve visual challenges based on a set of images. Even for users without disabilities, hCaptcha challenges can be challenging, especially since the visual labeling challenges of hCaptcha tend to be more complex than those of reCAPTCHA.

Enterprise customers have the option of using an invisible version of the CAPTCHA, called a passive CAPTCHA. This version still requires the user to manually solve an hCaptcha challenge with images if not enough personal data could be collected to guess whether the visitor is a human or a bot.

Is hCaptcha GDPR compliant?

hCaptcha sets cookies in users’ web browsers. These cookies store a unique identifier for each user. The cookies allow hCaptcha to potentially track users across all websites that use hCaptcha. In addition, hCaptcha collects personal information in various ways.

Like Google, hCaptcha is a US company and not an EU CAPTCHA provider. This means that it’s impossible to guarantee that your European users’ data will never leave the EU. By embedding hCaptcha into your website, you are inevitably sending personal data about your EU web visitors to a US provider.

Unlike reCAPTCHA, hCaptcha discloses in its user privacy policy what data is collected, processed, and shared with third parties, including additional US sub-processors.

To comply with GDPR, website owners must obtain prior consent from each user, particularly for the use of cookies and the cross-border transfer of data to third parties. Without this prior consent, the use of hCaptcha may not be possible from a data protection perspective, making the practical integration of hCaptcha complex.

Benefits of hCaptcha

  • Free for small website owners: hCaptcha offers a free version for small websites with limited protection, using always-on image recognition tasks to support its image labeling business. For medium to large enterprise customers, additional features like the passive CAPTCHA option, Pro and Enterprise plans are available.

  • Advanced image recognition tasks: hCaptcha’s core expertise is in image labeling tasks, and it ultimately uses these tasks for bot protection, especially as a fallback. As such, its CAPTCHA challenges become more advanced and difficult to solve to keep up with the development of AI image recognition and the rise of sophisticated bots. For example, with hCaptcha you now need to label laughing dogs instead of traffic lights as with reCAPTCHA.

  • Provides information about used data and minimizes data collection: hCaptcha provides more detailed information about the personal information used for its services, including details about the use of personally identifiable information, cookies, and U.S. sub-processors. hCaptcha tries to minimize the amount of data it collects. They allow end users to opt out of having their data used for machine learning purposes.

Weaknesses of hCaptcha

  • Data collection through cookies: Especially for its passive CAPTCHA feature, hCaptcha uses cookies and various third party services. Therefore, in order to offer the use of hCaptcha and third parties in compliance with GDPR, the user’s prior consent should be obtained.

  • Involvement of US providers and third parties for EU user data: As a US company, hCaptcha transfers personal data to its parent company Intuition Machines and to the servers of its third party US sub-processors. The GDPR applies to all website operators targeting EU users. It’s impossible for EU companies and international companies operating websites in the EU to prove that no user data leaves the EU. Therefore, international data transfers of personally identifiable information and sharing with sub-processors must be critically evaluated with appropriate security measures in mind.

  • Users with insufficient data must solve an hCaptcha challenge: hCaptcha requires hard-to-solve manual image marking tasks from legitimate website users from whom it can’t collect enough risk data. This includes site visitors who use ad blockers or screen readers, have strict privacy requirements, or connect to your site via VPN or other secure networks. For these people, hCaptcha provides an even more difficult manual CAPTCHA challenge that can take the website visitor minutes to complete.

  • Not accessible for all users: hCaptcha’s image recognition challenges can be difficult to solve even for people who are experienced in dealing with the world online. The hCaptcha challenge may be impossible for the elderly and people with disabilities or health problems. As a result, these users are denied barrier-free access and are therefore excluded from important interfaces. hCaptcha’s fallback options to deal with website owners’ need for WCAG compliance seem to be more of a workaround than a practical solution.

Friendly Captcha: The User Privacy-Focused, Invisible CAPTCHA Solution

Friendly Captcha is a new CAPTCHA alternative to reCAPTCHA and hCaptcha based in the EU with a focus on data privacy, security and accessibility. It is the only sophisticated proof-of-work-based CAPTCHA solution on the market that runs entirely in the background and is truly invisible, while effectively protecting websites and online forms from malicious bots and attacks.

Instead of requiring website visitors to manually solve an image recognition challenge, Friendly Captcha generates an invisible, cryptographic puzzle that is solved by the user’s device in the background. Based on technical signals, the difficulty of the invisible puzzle can be scaled to make it even harder for suspected bots and risky actors to get through.

Unlike hCaptcha and reCAPTCHA, there are no usability conflicts, no privacy concerns, and no accessibility issues.

Friendly Captcha is fully accessible, WCAG compliant, GDPR compliant and does not require prior user consent to operate.

    How does Friendly Captcha work?

    Friendly Captcha offers a completely different technical approach by using a combination of cryptography and risk signals to defend web interactions against automated spam and malicious bots.

    Friendly Captcha presents each user with a unique, invisible cryptographic puzzle that is solved by the user’s device without any manual user interaction. Solving the puzzle typically takes only a few seconds and is done in the background while the user is still interacting with a protected area, such as filling out a registration or login form on a website. The impact on the user experience is minimal. The invisible background task is typically already completed by the time the user is ready to perform the protected web interaction.

    The difficulty of the puzzle, and therefore the time and resources needed to solve it, is intelligently and automatically scaled based on sophisticated risk signals to protect against advanced bots. Friendly Captcha is completely invisible and requires no manual user challenge at all.

    This makes Friendly Captcha user-friendly and accessible to all users. It does not interfere with the user experience. At the same time, it effectively protects against unwanted spam submissions, bot traffic and cyber attacks.
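The proof-of-work flow described above, as an added example (not Friendly Captcha's own code or puzzle format): a generic hashcash-style scheme in which the server issues a signed, expiring puzzle whose difficulty grows with a risk score, the client brute-forces a counter, and the server verifies the result. The puzzle layout, the 8 to 16 bit difficulty scale and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative hashcash-style scheme; not Friendly Captcha's actual puzzle format.
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process signing key
PUZZLE_TTL = 300                      # seconds a puzzle stays valid (assumed)
_used_nonces = set()                  # in production: a shared store with expiry


def difficulty_for(risk):
    """Map a risk score in [0, 1] to required leading zero bits (assumed scale)."""
    risk = min(max(risk, 0.0), 1.0)
    return 8 + round(risk * 8)        # 8 bits for low risk, 16 for high risk


def _sign(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_puzzle(risk, now=None):
    """Server: create 'nonce.expiry.bits.tag', bound together by an HMAC."""
    now = int(time.time() if now is None else now)
    body = f"{secrets.token_hex(16)}.{now + PUZZLE_TTL}.{difficulty_for(risk)}"
    return f"{body}.{_sign(body)}"


def meets_difficulty(puzzle, counter, bits):
    """True if SHA-256(puzzle:counter) starts with at least `bits` zero bits."""
    digest = hashlib.sha256(f"{puzzle}:{counter}".encode()).digest()
    value = int.from_bytes(digest, "big")
    return 256 - value.bit_length() >= bits


def solve(puzzle):
    """Client: brute-force a counter; expected work doubles per extra bit."""
    bits = int(puzzle.split(".")[2])
    counter = 0
    while not meets_difficulty(puzzle, counter, bits):
        counter += 1
    return counter


def verify(puzzle, counter, now=None):
    """Server: a single hash to check, however long solving took."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires, bits, tag = puzzle.split(".")
        expires, bits = int(expires), int(bits)
    except ValueError:
        return "malformed"
    body = puzzle.rsplit(".", 1)[0]
    if not hmac.compare_digest(_sign(body).encode(), tag.encode()):
        return "bad-signature"        # difficulty or expiry was altered
    if now > expires:
        return "expired"
    if nonce in _used_nonces:
        return "replayed"             # each solved puzzle is accepted once
    if not meets_difficulty(puzzle, counter, bits):
        return "wrong-solution"
    _used_nonces.add(nonce)
    return "ok"
```

The signature stops a client from lowering its own difficulty, and the expiry and nonce checks stop one solved puzzle from being reused across many submissions.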

      Is Friendly Captcha GDPR compliant?

      Friendly Captcha is fully GDPR compliant. It is transparent about the information it processes and minimizes data collection.

      Friendly Captcha does not use any HTTP cookies nor persistent browser storage (such as LocalStorage or IndexedDB) to track users, and does not store personal data. Therefore, website owners do not need to obtain prior user consent. By informing your users in your privacy policy, you can easily use Friendly Captcha in a GDPR compliant way.

      Friendly Captcha is an EU CAPTCHA provider, built in Germany and adheres to the highest European data protection standards. It does not use third parties outside the EU to process EU users’ data. This means that your EU users’ data is never transferred outside the European Union, while your website and forms are protected from bots and spam.

      For EU website owners and international enterprises targeting EU users, Friendly Captcha offers a dedicated EU endpoint to ensure that the personal data of your European website visitors never leaves the EU. This helps you comply with GDPR requirements.

        Benefits of Friendly Captcha

        • User-friendliness by design: Friendly Captcha technology never requires users to manually solve any visual challenges, audio challenges, or image recognition challenges. As seen with reCAPTCHA and hCaptcha, these challenges detract from the user experience. Friendly Captcha uses a fundamentally new CAPTCHA technology that provides the most user-friendly way to protect against bots. As a truly invisible CAPTCHA, it will never show a human a visual CAPTCHA challenge for bot protection.

        • Accessibility for everyone: Each Friendly Captcha challenge is invisible and solved by the user’s web browser in the background. No one ever has to solve an image classification task or recognize distorted letter combinations to gain authorized access to critical web interfaces. Friendly Captcha is fully compliant with the WCAG guidelines.

        • No cookies, no tracking: Friendly Captcha does not use any HTTP cookies nor persistent browser storage. Its invisible CAPTCHA technology protects against bots without storing any personal data. No personally identifiable information is stored via cookies or persistent storage.

        • Uncompromised GDPR compliance for EU users: European data protection compliance is straightforward with Friendly Captcha. Friendly Captcha is a German company, and with its dedicated EU endpoint, no personal data of EU users leaves the EU. With European hosting providers, European end user data stays within the EU.

        • Globally compliant with privacy laws: Friendly Captcha is trusted by international enterprises and governments around the world. It complies with global privacy standards such as GDPR, CCPA and HIPAA. It collects only necessary data to protect with the highest security standards and is solely focused on its security purpose. It doesn’t use any HTTP cookies nor persistent browser storage such as LocalStorage or IndexedDB. Friendly Captcha’s modern technology is compliant with relevant international data protection and privacy laws.

          Weaknesses of Friendly Captcha

          • Free only for small websites: Compared to reCAPTCHA and hCaptcha, Friendly Captcha only protects smaller websites and applications with a free plan. Since Friendly Captcha is solely focused on bot protection, it is a paid service. Depending on the features needed, it offers several self-service plans, ranging from a Starter Plan to a Growth Plan to an Advanced Plan. Enterprise customers get a customized plan with high-end security, scalability and personal support.

            hCaptcha vs. reCAPTCHA vs. Friendly Captcha – Who is the Winner?

            Finally, let’s summarize the key points for comparing reCAPTCHA, hCaptcha and Friendly Captcha.

            Google’s reCAPTCHA is widely used. The main advantage of reCAPTCHA is that it’s been around for a long time and is free for smaller websites. However, it collects excessive data, sends it to third countries, and stores and processes it in an opaque way. At the same time, Google reCAPTCHA is inaccessible to many users with disabilities and raises privacy concerns.

            hCaptcha cheers up the CAPTCHA market with cute or funny picture challenges, but they are getting harder and harder to solve. While humorous, its image recognition challenges are difficult and time-consuming to solve and come at the expense of accessibility. While hCaptcha is more transparent from a privacy perspective, it still uses cookies for its risk analysis and sends the collected data to potential high-risk countries from a GDPR perspective.

            In terms of usability and accessibility, reCAPTCHA and hCaptcha are similar in how they work. reCAPTCHA has implemented risk signal collection with v3, while hCaptcha focuses on image labeling tasks and is therefore slightly better in terms of privacy. Neither is very accessible for people with disabilities. In many cases, visitors to a website with hCaptcha have to solve an image puzzle by hand. The same applies to reCAPTCHA v2.

            The passive CAPTCHA from hCaptcha and the invisible CAPTCHA from reCAPTCHA v3 both use cookies to collect and use data as well as to perform risk analyses. With respect to data protection, the use of cookies without prior user consent is considered critical when it comes to compliance with privacy laws, such as GDPR or CCPA. Website operators will need to closely examine the use of cookies and the use of persistent browser storage. Friendly Captcha shows that web security and privacy are now possible without HTTP cookies.

            When discussing hCaptcha vs. reCAPTCHA in the context of GDPR, it is important to keep in mind that both are based in the United States. The requirements for transferring EU user data to third countries such as the US must be met, otherwise the transfer is not legally compliant with GDPR. This applies to all companies based in the EU or targeting EU users.

            Friendly Captcha is a modern player in the market that puts privacy first and is fully GDPR compliant. With its revolutionary invisible CAPTCHA technology, website visitors no longer have to deal with nerve-wracking image recognition challenges, and it is accessible to all users.

            Friendly Captcha is a paid service for businesses, but in return offers the best bot protection with full accessibility and privacy compliance compared to reCAPTCHA and hCaptcha.

            When including Friendly Captcha, the winner of hCaptcha vs. reCAPTCHA is Friendly Captcha.

            If you want to try out Friendly Captcha yourself, you can check out the live demo or create a free trial account. More information about Friendly Captcha can be found here.


            reCAPTCHA and hCaptcha are similar in the way they work. With hCaptcha, especially in the free plan, users are still faced with image marking tasks, which leads to accessibility issues. When it comes to protecting personal information, reCAPTCHA is not transparent about its use of data. As both tools use cookies and transfer data to the US, they are critical in terms of GDPR compliance and difficult to use for EU companies and websites targeting EU users. Friendly Captcha offers a different technical approach that is more privacy-friendly and accessible. With Friendly Captcha, European users’ data never leaves the EU. If you are looking for a CAPTCHA service that offers a great UX, is fully accessible and offers GDPR compliance out of the box, choose Friendly Captcha.

            A CAPTCHA protects websites against spam and bots. Most people know this essential cybersecurity measure as the “I’m not a robot” test. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. To determine whether a request is coming from a human or a bot, users are typically presented with a task.

            There are several types and providers of CAPTCHAs. While some “I’m not a robot” tests require manual input from the user, such as clicking on cars or traffic lights, others run completely in the background and are therefore invisible. Friendly Captcha is a provider of an invisible CAPTCHA that is fully accessible and user-friendly.

            In the free plan, there is not much difference between reCAPTCHA and hCaptcha. hCaptcha uses image recognition like reCAPTCHA v2. With some of its paid plans, hCaptcha offers a so-called passive CAPTCHA, and reCAPTCHA v3 offers an invisible CAPTCHA feature.

            However, in order to provide the more or less invisible versions of reCAPTCHA and hCaptcha, website owners have to use cookies for risk analysis. This raises privacy concerns. In addition, both CAPTCHAs are not very accessible for people with disabilities.

            reCAPTCHA has been part of the CAPTCHA market since the beginning and is therefore widely used. However, website owners implementing it pay with their customers’ data. This can create a negative image, a lack of security and privacy issues. A professional alternative to reCAPTCHA is Friendly Captcha, which protects against sophisticated bots without manual tasks and with full privacy compliance.

            No, Google doesn’t own hCaptcha. It is a product from the US image labeling company Intuition Machines, Inc. They started to label images for machine learning purposes. As a data vendor, other companies pay hCaptcha to have their images displayed and deciphered by website visitors. This tagged data from the widget is then bought back by the data vendors. The fact that you also get bot protection is more of a nice side effect.