Google reCAPTCHA is a service from Google that is designed to protect websites from bot attacks, spam and abusive activities. Almost everyone is familiar with reCAPTCHA and its “Select all images with traffic lights” or “I’m not a robot” checkboxes. However, many people are unaware of Google’s approach to data privacy, what user data is collected and whether the use of Google reCAPTCHA is GDPR compliant.

We will answer these questions in the following article and take a closer look at the GDPR alternative to reCAPTCHA, Friendly Captcha.


What Is Google reCAPTCHA?

Google reCAPTCHA is a CAPTCHA service that distinguishes between human users and automated bots during web interactions. CAPTCHA is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

One of the first CAPTCHA services, reCAPTCHA, was acquired by Google in 2009. At that time, website users still had to decipher distorted numbers and letters that computer programs could not read. Data privacy and data protection were hardly an issue at the time.

Today, Google reCAPTCHA is used worldwide and is confronted with ever-improving bots and artificial intelligence that can quickly solve these simple CAPTCHA puzzles.

Website owners use Google’s CAPTCHA tool reCAPTCHA to distinguish between real and automated users or bots. This protects websites from automated attacks such as credential stuffing, DDoS attacks or account takeover.

There are different versions of reCAPTCHA:

  • reCAPTCHA v2: Google reCAPTCHA v2 can be used in two different ways. One possibility is the so-called No CAPTCHA reCAPTCHA: website users click a checkbox to confirm “I’m not a robot,” while at the same time large amounts of personal data are evaluated in the background. Alternatively, there are the well-known image recognition tasks of reCAPTCHA v2: website visitors select, from nine tiles, those that match a given description, identifying traffic lights, wheels or buses. In addition to these manual challenges, user data is collected and evaluated to assess the risk of a bot attack or spam.

  • reCAPTCHA v3: With reCAPTCHA v3, also known as Invisible reCAPTCHA, no user interaction is usually required. For reCAPTCHA v3, Google collects user data such as a full screenshot of the browser window or the IP address and stores cookies in the persistent browser memory. Based on the website visitors’ data, Invisible reCAPTCHA derives a risk score for each individual user. Now it is the website owners’ responsibility to determine from which Invisible reCAPTCHA v3 risk score a user may pass or whether additional CAPTCHA tests are required. For this additional verification, many admins in turn use the image recognition tasks of Google reCAPTCHA v2.
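The v3 paragraph describes the decision left to the website operator: choosing the risk score above which a visitor passes and below which a second test is required. The following backend logic is an added example, not code from Google or Friendly Captcha. It assumes the backend has already called Google's siteverify endpoint and parsed the JSON; the field names (success, score, action, hostname, error-codes) are the ones Google documents for that response, while the threshold values, the action name "login", the hostname "shop.example" and all sample responses are constructed for this example.

```javascript
// Added example: turning a reCAPTCHA v3 assessment into an allow / extra
// challenge / deny decision on the server. Not Google's or Friendly Captcha's
// code; the policy values below are assumptions standing in for the
// operator's own choice.

// Assumed operator policy: 0.7 and above passes, 0.3 to 0.7 gets a second,
// interactive test (the article notes many admins use v2's image task here),
// below 0.3 is denied outright.
const DEFAULT_POLICY = {
  passScore: 0.7,
  challengeScore: 0.3,
  expectedAction: "login",          // hypothetical action name
  expectedHostname: "shop.example", // hypothetical site hostname
};

function decideFromAssessment(assessment, policy = DEFAULT_POLICY) {
  // A failed verification (bad, expired or reused token, wrong secret) is
  // never treated as a pass.
  if (!assessment || assessment.success !== true) {
    return {
      verdict: "deny",
      reason: "verification_failed",
      errors: (assessment && assessment["error-codes"]) || [],
    };
  }
  // Tokens are bound to an action name and a hostname; a token minted for
  // another form or another site must not be accepted for this one.
  if (assessment.action !== policy.expectedAction) {
    return { verdict: "deny", reason: "action_mismatch" };
  }
  if (assessment.hostname !== policy.expectedHostname) {
    return { verdict: "deny", reason: "hostname_mismatch" };
  }
  // Score is 1.0 (likely human) down to 0.0 (likely bot); missing means 0.
  const score = typeof assessment.score === "number" ? assessment.score : 0;
  if (score >= policy.passScore) return { verdict: "allow", reason: "score", score };
  if (score >= policy.challengeScore) return { verdict: "challenge", reason: "score", score };
  return { verdict: "deny", reason: "score", score };
}

// Constructed sample assessments, as a backend would see them after parsing
// the siteverify JSON (the HTTP call itself is omitted from this example).
const SAMPLE_ASSESSMENTS = {
  likelyHuman: { success: true, score: 0.9, action: "login", hostname: "shop.example" },
  uncertain:   { success: true, score: 0.4, action: "login", hostname: "shop.example" },
  likelyBot:   { success: true, score: 0.1, action: "login", hostname: "shop.example" },
  // Same site, high score, but the token was issued for a different form.
  wrongAction: { success: true, score: 0.9, action: "newsletter", hostname: "shop.example" },
  // Token already used or older than its lifetime.
  expired:     { success: false, "error-codes": ["timeout-or-duplicate"] },
};

function decideAllSamples(policy = DEFAULT_POLICY) {
  const out = {};
  for (const [name, assessment] of Object.entries(SAMPLE_ASSESSMENTS)) {
    out[name] = decideFromAssessment(assessment, policy).verdict;
  }
  return out;
}
```

The check of `action` and `hostname` matters as much as the score: without it, a token obtained on a low-stakes page could be replayed against the login form. Whatever thresholds an operator picks, the visitors routed to "challenge" are the ones who end up with the v2 image task the article describes.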

A detailed comparison of the advantages and disadvantages of the current reCAPTCHA versions can be found in the reCAPTCHA comparison v2 vs. v3.


GDPR & Google reCAPTCHA – What data will be processed?

Google reCAPTCHA collects data from users in an intensive manner to detect human users or automated bots. In terms of data protection and the GDPR, excessive data collection practices must be viewed critically.

The following personal data about user behaviour appears to be collected during Google reCAPTCHA verification, along with other, sometimes unknown, data:

  • IP address of the website visitor

  • URL of the website visited

  • Complete screenshot of the browser window

  • Referrer URL (the website from which the visitor came)

  • Time spent on the website

  • Mouse movements and keyboard inputs

  • Operating system and browser

  • Device settings (such as time, language and location)

  • Installed browser plugins

  • Cookies, including Google cookies

It is difficult for website owners to comply with the information requirements under Art. 13 GDPR because Google does not disclose exactly what, why or how the personal data of end users is collected by reCAPTCHA. In its EU privacy policy, it merely states that data is collected and that website operators must obtain explicit user consent from European users.

The Bavarian State Office for Data Protection Supervision (BayLDA) has addressed this issue in its FAQ. The data protection authority therefore strongly recommends that website operators consider a GDPR compliant alternative to reCAPTCHA.

Website operators should definitely check out the alternatives. However, if Google reCAPTCHA is integrated, the controller must be aware that they must be able to prove lawful use in accordance with Art. 5 (1), (2) GDPR. Those who cannot demonstrate how Google processes personal data cannot transparently inform the user and prove lawful use. Since a connection to Google's servers is established when the tool is activated and this can result in data being transferred to the USA, the requirements for transfers to third countries must also be met (see the FAQ “Can our company transfer personal data to non-EU countries?” under the search term “International data transfer”), including the requirements of the European Court of Justice (ECJ) judgment in the “Schrems II” case. In particular, each user must check whether the strict requirements of the Schrems II ruling can be met. If not, the transfer is not permitted.

Friendly Captcha is a reCAPTCHA GDPR alternative that does not store any data in persistent browser memory and never uses data for marketing purposes. Try Friendly Captcha and sign up for a free trial month.


Is Google reCAPTCHA GDPR Compliant?

International data protection experts are rather critical of the question of whether reCAPTCHA is GDPR compliant. The invisible analysis of user behavior and the collection of personal data are criticized when it comes to reCAPTCHA.

Any data collection or processing of personal data for analytics tools or marketing purposes may only take place under specific GDPR requirements. Website operators must always put the privacy of customer data first.

In addition to the intensive data collection practices by Google reCAPTCHA, there are further reasons that speak against GDPR compliance: a lack of transparency regarding user privacy, a lack of a dedicated reCAPTCHA privacy policy, cookie use and data transfer to non-EU countries.

We will take a closer look at these data protection issues below.

reCAPTCHA in the Context of GDPR Transparency

Since May 2018, the European General Data Protection Regulation (GDPR) has provided the legal framework for data protection in the European Union. It ensures the fundamental right to informational self-determination. It provides more transparency and co-determination for European users regarding personal data collected and processed.

The GDPR requires companies to collect and process personal data only with the express consent of the user and to limit data collection to what is essential for the performance of a service.

Transparency in the sense of the GDPR means that when using reCAPTCHA, website operators must provide the following information to their users:

  • What personal data is collected?

  • How is personal data used?

  • How is personal data protected?

  • Which third parties is personal data forwarded to?

However, reCAPTCHA customers cannot find this specific information in the Google data privacy policy. It seems clear, however, that Google reCAPTCHA collects extensive data and often uses the “_GRECAPTCHA” cookie.

With the help of cookies, reCAPTCHA creates an individual fingerprint for each user, which Google can use to track user behavior across pages. Information about the advantages and disadvantages of so-called fingerprinting can be found in the Friendly Captcha Wiki.

Failure to comply with these transparency requirements can lead to legal consequences and fines, as shown by the Cityscoot case and the NS Cards France case. In these cases, the French data protection authority ruled that the use of Google reCAPTCHA did not meet the transparency requirements of the GDPR and that cookie consent had not been obtained for the use of Google reCAPTCHA. The company Cityscoot was ordered by the French data protection authority CNIL to pay a fine of €125,000 and NS Cards France was ordered to pay a fine of €105,000.

Detailed information on how reCAPTCHA uses cookies can be found in the blog post on CAPTCHA cookies.


Absent a Legitimate Interest, Google reCAPTCHA Requires Consent

Is there now a legitimate interest for the use of reCAPTCHA and the associated data collection in accordance with Art. 6 para. 1 GDPR?

Some argue that reCAPTCHA protects websites and web forms from spam and bots. This bot protection ensures the availability of the website and thus makes the secure operation of the website possible in the first place.

On the other hand, reCAPTCHA collects and stores a large amount of data, sets cookies, and it cannot be ruled out that this data is used for purposes beyond functional bot protection. In addition, there are now data protection-friendly and GDPR compliant CAPTCHA solutions such as Friendly Captcha. This makes it almost impossible to argue that there is a legitimate interest.

reCAPTCHA uses cookies and collects and stores personal data. According to the GDPR and Section 25, paragraph 1 of the German Telemedia Act (Telemediengesetz, TDDDG), user consent via a cookie banner is required for the use of Google reCAPTCHA cookies that are not necessary for the operation of a website.

To do this, website operators must obtain explicit user consent with so-called consent management platforms that block all Google scripts using reCAPTCHA cookies. These consent management platforms are used to obtain user consent via opt-in for the data collected by Google. Likewise, users must be able to withdraw their consent at any time using an opt-out procedure.
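The two preceding paragraphs describe what a consent management platform has to do in practice: keep the reCAPTCHA script off the page until the visitor opts in, and take it off again when consent is withdrawn. The following browser-side gate is an added example, not code from Friendly Captcha, Google or any particular consent platform. The consent object shape (`given`, `categories`) and the category name `third_party_security` are assumptions standing in for whatever the site's consent platform actually exposes; the loader URL is Google's public one.

```javascript
// Added example: load Google's reCAPTCHA loader script only after an explicit
// opt-in, never before, and remove it again on withdrawal. Not Friendly
// Captcha's or Google's code; the consent shape and category name are
// assumptions about the site's consent management platform (CMP).

const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js"; // Google's public loader
const REQUIRED_CATEGORY = "third_party_security";                  // hypothetical CMP category

// Pure decision: true only for an explicit opt-in that covers the category.
// Anything else (no banner interaction yet, rejected, malformed) is "no".
function recaptchaAllowed(consent) {
  return Boolean(
    consent &&
      consent.given === true &&
      Array.isArray(consent.categories) &&
      consent.categories.includes(REQUIRED_CATEGORY)
  );
}

// Builds a gate bound to a document-like object (the real `document` in a
// browser, a stub when run outside one). Wire onConsentChange() to the CMP's
// consent-changed callback.
function createRecaptchaGate(doc, src = RECAPTCHA_SRC) {
  let scriptEl = null;
  return {
    isLoaded: () => scriptEl !== null,
    onConsentChange(consent) {
      if (recaptchaAllowed(consent)) {
        if (scriptEl === null) {
          scriptEl = doc.createElement("script");
          scriptEl.src = src;
          scriptEl.async = true;
          doc.head.appendChild(scriptEl);
        }
        return true;
      }
      // Consent absent or withdrawn: remove the loader so this page triggers
      // no further requests to Google. Cookies already set under Google's own
      // domain cannot be cleared from the operator's page.
      if (scriptEl !== null) {
        scriptEl.remove();
        scriptEl = null;
      }
      return false;
    },
  };
}

// Constructed stand-in for the DOM so the example also runs outside a browser.
function makeFakeDocument() {
  const head = {
    children: [],
    appendChild(el) { this.children.push(el); },
  };
  return {
    head,
    createElement: (tag) => ({
      tag,
      remove() {
        const i = head.children.indexOf(this);
        if (i >= 0) head.children.splice(i, 1);
      },
    }),
  };
}

if (typeof document === "undefined") {
  // Stand-alone walk-through with the fake document.
  const doc = makeFakeDocument();
  const gate = createRecaptchaGate(doc);
  gate.onConsentChange({ given: false, categories: [] });                 // nothing loaded
  gate.onConsentChange({ given: true, categories: [REQUIRED_CATEGORY] }); // loader injected
  gate.onConsentChange({ given: false, categories: [] });                 // loader removed again
}
```

The gate only controls what the operator's page does; it is the reason the article says the script must be blocked before consent rather than merely documented. Removing the script on withdrawal stops new requests, but it does not undo data already sent or cookies already set on Google's side, which is the residual problem the rest of the article discusses.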

These requirements present many website operators with a dilemma: they must obtain users’ consent in advance using cookie banners in order to use reCAPTCHA in accordance with the GDPR.

Any user who is unwilling or unable to give their consent is therefore excluded from all web interactions protected by reCAPTCHA.

As a consequence, website operators using reCAPTCHA erect barriers for all users who do not want to or cannot share information with Google. Legitimate users may be repeatedly confronted with CAPTCHA tests or blocked from accessing services. This leads to a poor user experience and reduces the accessibility of everything placed behind reCAPTCHA.

A political party in Austria has also learned that the use of Google reCAPTCHA cannot be justified on the grounds of legitimate interest. Although the Austrian data protection authority, the Austrian Federal Administrative Court, confirmed that reCAPTCHA is useful for preventing cyberattacks, the cookies used do not contribute to ensuring essential site functionality.

User consent via a cookie banner was not obtained and the use of reCAPTCHA was therefore not permissible from a data protection perspective.


reCAPTCHA Data Transfers to the US Circumvent the GDPR

Another reason that makes it difficult for data protection officers to classify reCAPTCHA as GDPR compliant is the unavoidable data transfer to the US.

As already stated in several decisions by European data protection authorities regarding the use of Google products such as Google Analytics, Google collects and processes data with its tools and transmits it to the USA. The data transfer thus conflicts with the Schrems II ruling of the European Court of Justice.

As a website operator, you must assume that a connection to Google servers is established when you use reCAPTCHA.

Google automatically begins analyzing user data in the background as soon as the website user accesses a website. The personal data is immediately transmitted to the Google servers. Google does not explicitly define which servers are used for this. A cross-border data transfer cannot therefore be ruled out with certainty.

All website operators for whom secure and local data processing is important should therefore use an EU CAPTCHA. European CAPTCHA providers such as Friendly Captcha adhere to stricter data protection standards, have secure data sovereignty and are transparent about their data processing.

The most important reason not to use a US CAPTCHA like Google reCAPTCHA is the possibility of surveillance by the US government. For a US company like Google, different data protection laws apply than in Europe, which make this surveillance possible.

Based on the Foreign Intelligence Surveillance Act and National Security Letters, US security authorities have the right to access personal data from servers located abroad. This is intended to serve national security. Security authorities such as the FBI are thus able to obtain personal information, electronic communications and financial records of European users and websites without prior judicial authorization.

An EU CAPTCHA like Friendly Captcha, on the other hand, protects against unauthorized foreign surveillance and offers transparent data processing with clear GDPR compliance documentation.

Fines – What Are the Penalties for GDPR Violation?

We have seen that Google reCAPTCHA raises data protection issues. Anyone who does not comply with the above-mentioned obligations regarding transparency, cookie consent and data transfers to the US, or who is unable to comply due to a lack of information, is in breach of the GDPR.

These violations can result in a fine of up to 20 million euros or up to four percent of global annual sales.

In addition to the financial loss, GDPR fines can also have a reputational impact on an organisation. This reputational damage can have a long-term negative impact on customer trust and ongoing business. Therefore, it makes sense to consider a GDPR CAPTCHA alternative to Google reCAPTCHA.


GDPR Compliant Alternative to Google reCAPTCHA

If you want to use a GDPR-compliant CAPTCHA, you should consider a data protection compliant reCAPTCHA alternative.

Friendly Captcha is a secure GDPR compliant reCAPTCHA alternative for protection against bots and spam bots. With Friendly Captcha, website operators can meet the requirements of the GDPR while protecting important web interactions such as logins, registrations and online forms from bot attacks.

As a GDPR CAPTCHA, Friendly Captcha offers the following functions:

  • Friendly Captcha checks the end user’s device with invisible proof-of-work challenges in the background.

  • It uses advanced risk signals to detect and prevent bot activity.

  • Friendly Captcha works without HTTP cookies and does not use persistent browser storage.

  • Friendly Captcha is GDPR compliant and does not collect unnecessary personal data.

In contrast to Google reCAPTCHA, Friendly Captcha does not rely on the extensive collection and analysis of user data, but on the analysis of anonymized risk signals and on advanced, invisible proof-of-work challenges.

The information about data collection and use is transparent and no CAPTCHA cookies are set. User consent via cookie banners is therefore not necessary.

Friendly Captcha is an EU CAPTCHA. The data of EU users thus always remains within the EU. There are no international data transfers.

In summary, Friendly Captcha fully complies with the requirements of the GDPR and international data privacy laws such as CCPA and PIPL.

Would you like to switch to a GDPR-compliant CAPTCHA solution? Test Friendly Captcha for 30 days for free. The Friendly Captcha Enterprise Team will be happy to help you with any questions you may have regarding implementation.


FAQ

Google reCAPTCHA is problematic in terms of the GDPR because it uses cookies for its service, collects personal data and often transfers it to the USA. Google reCAPTCHA requires consent because website operators cannot argue with a legitimate interest. Friendly Captcha offers a GDPR compliant CAPTCHA as an alternative to Google reCAPTCHA.

Yes, Friendly Captcha is fully GDPR compliant because it minimizes the collection of personal data, does not set HTTP cookies, does not store personal data in the browser’s permanent memory, and supports data processing limited to the EU.

Google reCAPTCHA is a website security service from Google designed to protect websites from spam and automated attacks. It analyzes user behavior to distinguish real people from bots. To do this, it uses various technologies such as image recognition tasks or invisible behavior analysis and also collects personal user data for analysis.

European data protection authorities are looking critically at the use of reCAPTCHA by website operators. There have been legal decisions regarding Google reCAPTCHA from authorities such as the French CNIL.

The use of reCAPTCHA can be illegal under EU law, and several website operators have already been found to have used it unlawfully. If you want to use reCAPTCHA without breaking the law, you may want to seek professional legal assistance.

As it is difficult to use reCAPTCHA legally under EU law, it is worth looking for a GDPR-compliant reCAPTCHA alternative like Friendly Captcha.

Yes, Google reCAPTCHA requires cookie consent because it sets cookies and often transfers personal data to Google servers in the United States. This data can be used to analyze user behavior and linked to other Google services. According to the GDPR, active consent via a cookie consent tool is required before reCAPTCHA is loaded. Without user consent, the integration is not GDPR compliant.

To comply with GDPR when using reCAPTCHA, it’s essential to obtain explicit user consent and limit data collection to what is strictly necessary for the service. The transfer of personal data to countries outside the European Economic Area requires additional safeguards for website operators. A much simpler solution to protect your own website from spam and bots without the need for additional security measures is Friendly Captcha.

A GDPR compliant alternative to Google reCAPTCHA is Friendly Captcha, which does not store or track any personal data. The EU CAPTCHA offers data protection advantages and can be used without user consent or cookie consent.

When looking for GDPR compliant CAPTCHA alternatives that protect websites from bots and spam, website operators come across Friendly Captcha, hCaptcha and honeypots as data protection friendly CAPTCHA alternatives. Compared to hCaptcha or honeypots, only Friendly Captcha is ultimately convincing.

  • Friendly Captcha: Friendly Captcha is the GDPR CAPTCHA that offers its frontend widget open source and is therefore completely transparent. Friendly Captcha checks the end user’s device with invisible Proof of Work challenges in the background. It uses advanced risk signals to detect and prevent bot activity. The EU CAPTCHA Friendly Captcha does not use HTTP cookies and does not use persistent browser storage at all.

  • hCaptcha: hCaptcha’s image-based challenges are comparable to those of reCAPTCHA v2. In terms of GDPR compliance, hCaptcha discloses what personal data is collected. However, hCaptcha uses cookies, which is critical from a GDPR perspective. To use hCaptcha, European users send data to hCaptcha servers in the US. Data transfer and cookies thus make the use of hCaptcha critical from a GDPR perspective.

  • Honeypots: The honeypot method is a simple decoy used in IT security to lure bots into hidden input fields. Simple bots fill in these invisible fields and thus reveal themselves. However, these honeypots quickly reach their limits with more advanced bots and cannot guarantee comprehensive website security.

Yes, Google reCAPTCHA sets cookies to analyze user activity and detect bots. The stored personal user data can also be transferred to Google servers in the US. Website operators must mention the use of reCAPTCHA cookies in their EU user consent policy; consent is required. A cookie-free CAPTCHA alternative is Friendly Captcha.

Google reCAPTCHA collects IP addresses, mouse movements, dwell time and other user signals to distinguish humans from bots. This data can be linked to other Google services and processed in the USA. Therefore, a data protection-compliant integration is almost impossible to implement despite an adapted data protection declaration.

Protect your enterprise against bot attacks.
Contact the Friendly Captcha Enterprise Team to see how you can defend your websites and apps against bots and cyber attacks.