Human versus bot recognition

Captchas are commonly found across the internet. They often appear in contact forms, login pages, and signup pages, where websites use them as a defense against spam, crawlers, and other types of automated software.

Every internet user has encountered a Captcha at some point. Whether it was while filling out a contact form or signing up for a new service, Captchas are everywhere. Captchas come in different forms like repeating a set of distorted characters or selecting images based on what they are showing. In certain cases, Captchas can also operate entirely in the background.

Choosing a Captcha for your website isn’t easy. There are various factors to consider when making a choice, the most obvious being how well the Captcha defends your website against bots. But there is more to it than that. A good Captcha should be accessible to everyone (e.g. not discriminating against blind users or too annoying), transparent about how it processes personal data, and treat information about its users with respect.


Google reCAPTCHA

reCAPTCHA is the most commonly used Captcha solution and can be found on countless websites around the internet. It’s a service by Google provided for free to small non-enterprise websites and applications. Enterprise customers pay on a per-verification basis.

reCAPTCHA can either appear as a checkbox on the website that the user must click in order to verify that they are a human, or it can operate in the background. In both cases reCAPTCHA requires the user to manually solve an image recognition task if the system considers the user to be suspicious, even if it’s in invisible mode.

How does reCAPTCHA tell if you are a human?

reCAPTCHA works by tracking and collecting as much information as possible about the user and their behavior, such as a complete snapshot of the user’s browser window, browser plugins, mouse movements, keystrokes, previously visited websites, IP address, cookies, and more [1].

By combining all of this information, reCAPTCHA can make an educated guess about whether the user is a human or not. In cases where reCAPTCHA can’t collect enough information to tell if a user is a bot, it requires the user to manually solve a puzzle.

reCAPTCHA doesn’t disclose in its privacy policy exactly what it does with the collected data [2].

One thing that is shared with other Google services are the cookies that belong to the domain. Embedding reCAPTCHA into your website requires you to load the JavaScript code from the domain. reCAPTCHA can therefore access all the cookies that have been previously set by other Google services to potentially track users across websites that don’t belong to Google [3].

Is reCAPTCHA GDPR compliant?

By embedding reCAPTCHA into your website you are unavoidably sending data about your users to servers in the United States. If you are not able to inform your users about how the data is processed, you are violating GDPR and are therefore not allowed to use reCAPTCHA in the EU [4].

  • Pro: Free for non-enterprise customers
  • Pro: Doesn’t require the user to solve a puzzle in most cases
  • Con: Not accessible to all users
  • Con: Processes a large amount of data about the user
  • Con: Not transparent about how the data is processed and stored
  • Con: Shares cookies with all Google services
  • Con: Subject to US surveillance law as a US provider

hCaptcha


hCaptcha is a US based alternative to reCAPTCHA which is free of charge for non-enterprise customers. hCaptcha requires website visitors to label images, which is part of their business model: hCaptcha’s parent company is an image labeling service. The labeled data from the Captcha widget is sold to data companies [5].

hCaptcha offers a similar experience to reCAPTCHA’s older version 2. However, due to its business model, the provider is more focused on manual image recognition tasks. Due to these manual tasks, hCaptcha needs less data than Google to operate its service. Nevertheless, hCaptcha uses cookies to provide its service and paid Enterprise functionality such as its passive mode. One of these cookies stores a unique identifier for each user, which potentially allows hCaptcha to track users across websites that are using hCaptcha.

How does hCaptcha tell if you are a human?

For regular customers, hCaptcha requires each website user to manually solve an image labeling task based on a set of pictures. Even for users without disabilities it can be quite a challenge, especially because the labeling tasks of hCaptcha tend to be more complex than the ones of reCAPTCHA.

Enterprise customers have the option to use an invisible version of the Captcha. This version still requires the user to manually solve a puzzle if not enough user data could be collected to guess whether the visitor is human.

Is hCaptcha GDPR compliant?

Like Google, hCaptcha is a US company. This means it’s not possible to guarantee that data about your users will never leave the EU. By embedding hCaptcha into your website you are unavoidably sending data about your users to a US provider. In contrast to reCAPTCHA, hCaptcha discloses in its privacy policy which data is collected, processed and shared with third parties, which includes additional US companies. To comply with the GDPR, you need to obtain prior consent from every user, especially for cookies and third parties. Without this prior consent, the use may not be possible from a data protection perspective, which makes the practical integration of hCaptcha complex.

  • Pro: Free for non-enterprise customers
  • Pro: Informs about data flows and collects less data
  • Con: Uses cookies and US third parties
  • Con: Users with insufficient data have to solve an image puzzle
  • Con: Not accessible to all users
  • Con: Subject to US surveillance law as a US provider

Friendly Captcha

Friendly Captcha is a new Captcha alternative based in the EU with a focus on privacy and accessibility. It is the only sophisticated proof of work based solution on the market which uses a combination of cryptography and advanced fingerprinting with full privacy protection to defend websites and forms from attacks.

Instead of letting the user solve puzzles by hand, Friendly Captcha generates a cryptographic puzzle which is solved by the user’s browser in the background. Based on technical signals, the difficulty of the puzzle can be scaled to make it harder for suspected bots to get through. Friendly Captcha is fully GDPR compliant and does not require prior user consent to use.

How does Friendly Captcha tell if you are a human?

Friendly Captcha hands out a unique cryptographic puzzle to each user which can be solved by the user’s browser without any manual interaction. Solving the puzzle usually takes only a few seconds and can happen in the background while the user is still interacting with a different part of the website. The difficulty of the puzzle, and therefore the time it takes to solve the puzzle, is scaled intelligently to defend against spam and malicious users.
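
The general idea behind such a puzzle, as an added example that is not part of the original article and not Friendly Captcha's actual algorithm: a hashcash-style proof of work in Node.js where the server signs each puzzle, scales the difficulty from a hypothetical risk score, and checks a solution with a single hash. The key, the score-to-difficulty mapping, the 60-second lifetime and all function names are assumptions.

```javascript
// Added example: hashcash-style proof of work; not Friendly Captcha's actual algorithm.
const crypto = require('crypto');
const SERVER_KEY = 'constructed-demo-key'; // assumption: secret held only by the server
const seen = new Set(); // puzzles already redeemed (replay protection)

// Server: map a hypothetical risk score in [0, 1] to 8..16 required leading zero bits.
function difficultyFor(riskScore) {
  return 8 + Math.round(Math.min(Math.max(riskScore, 0), 1) * 8);
}

// Server: issue a unique puzzle; the HMAC binds salt, difficulty and expiry together.
function issuePuzzle(riskScore, now = Date.now()) {
  const body = [crypto.randomBytes(8).toString('hex'), difficultyFor(riskScore), now + 60000].join('.');
  return body + '.' + crypto.createHmac('sha256', SERVER_KEY).update(body).digest('hex');
}

function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

const digest = (puzzle, nonce) => crypto.createHash('sha256').update(puzzle + ':' + nonce).digest();

// Client (the browser's job): brute-force a nonce; expected work doubles per extra bit.
function solve(puzzle) {
  const difficulty = Number(puzzle.split('.')[1]);
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(digest(puzzle, nonce)) >= difficulty) return nonce;
  }
}

// Server: check the MAC first, then expiry and single use, then one hash of the solution.
function verify(puzzle, nonce, now = Date.now()) {
  const parts = puzzle.split('.');
  if (parts.length !== 4) return false;
  const mac = Buffer.from(parts[3]);
  const expected = Buffer.from(crypto.createHmac('sha256', SERVER_KEY).update(parts.slice(0, 3).join('.')).digest('hex'));
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) return false;
  if (now > Number(parts[2]) || seen.has(puzzle)) return false;
  if (leadingZeroBits(digest(puzzle, nonce)) < Number(parts[1])) return false;
  seen.add(puzzle);
  return true;
}
```

Because the difficulty sits inside the signed puzzle, a client cannot lower it, and the single-use set keeps one solved puzzle from being replayed across many form submissions.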

Is Friendly Captcha GDPR compliant?

By using the EU endpoint of Friendly Captcha, the data about your users never leaves the EU. Friendly Captcha is transparent about which information is collected and processed and does not use cookies to track users. By informing your users, you can use Friendly Captcha in a GDPR-compliant way.

  • Pro: User-friendly as it doesn’t require the user to solve a puzzle by hand
  • Pro: Accessible to all users
  • Pro: No cookies or tracking
  • Pro: Data never leaves the EU
  • Con: Only free for small websites and applications


reCAPTCHA and hCaptcha are similar in terms of how they work. While hCaptcha is more focused on image labeling tasks and therefore slightly better in terms of privacy, neither is very accessible to people with disabilities. Especially on the free tier, hCaptcha requires each user to manually solve a puzzle. In addition, as US companies, reCAPTCHA and hCaptcha are not an option for websites in the EU.

Friendly Captcha takes a different technological approach and is the more user-friendly and accessible option. Especially if it is important to you that your users’ data stays protected and does not leave the EU, Friendly Captcha is your best bet.
