reCAPTCHA & GDPR Compliance – At a Glance

reCAPTCHA collects a wide range of data

reCAPTCHA collects large amounts of user data, including IP addresses, browsing behavior, and screenshots of browser windows, in order to determine whether a user is a bot.

reCAPTCHA is not GDPR-compliant

reCAPTCHA processes personal data and uses cookies without explicit user consent. Without additional safeguards and fail-safe consent management, this is considered a violation of the GDPR.

Critical reCAPTCHA transfers data to the US

All data collected by reCAPTCHA is transferred to Google's servers in the US. reCAPTCHA relies on EU-US data transfer frameworks that have repeatedly been declared invalid by courts in the past. Therefore, ensuring future-proof GDPR compliance is difficult.

Friendly Captcha is the GDPR-compliant alternative

Unlike Google reCAPTCHA, Friendly Captcha operates without cookies, avoids unnecessary data collection, and ensures that all data remains within the EU. This makes Friendly Captcha a fully GDPR-compliant alternative to reCAPTCHA.

Google reCAPTCHA is a service from Google that is designed to protect websites from bot attacks, spam and abusive activities. Almost everyone is familiar with reCAPTCHA and its "Select all images with traffic lights" or "I'm not a robot" checkboxes. However, many people are unaware of Google's approach to data privacy, what user data is collected and whether the use of Google reCAPTCHA is GDPR compliant.

We will answer these questions in the following article and take a closer look at the GDPR alternative to reCAPTCHA, Friendly Captcha.


What Is Google reCAPTCHA?

Google reCAPTCHA is a CAPTCHA service that distinguishes between human users and automated bots during web interactions. CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart".

One of the first CAPTCHA services, reCAPTCHA, was acquired by Google in 2009. At that time, website users still had to decipher distorted numbers and letters that computer programs could not read. Data privacy and data protection were hardly an issue at the time.

Today, Google reCAPTCHA is used worldwide and is confronted with ever-improving bots and artificial intelligence that can quickly solve these simple CAPTCHA puzzles.

Website owners use Google’s CAPTCHA tool reCAPTCHA to distinguish between real and automated users or bots. This protects websites from automated attacks such as credential stuffing, DDoS attacks or account takeover.

There are different versions of reCAPTCHA:

  • reCAPTCHA v2: Google reCAPTCHA v2 can be used in two different ways. One option is the so-called No CAPTCHA reCAPTCHA, where website users click a checkbox to confirm "I'm not a robot" while, at the same time, large amounts of personal customer data are evaluated. The alternative is the well-known image recognition task of reCAPTCHA v2: website visitors select, from nine tiles, those that match a given description, identifying traffic lights, wheels or buses. In addition to these manual challenges, customer data is collected and evaluated to assess the risk of a bot attack or spam.

  • reCAPTCHA v3: With reCAPTCHA v3, also known as Invisible reCAPTCHA, no user interaction is usually required. For reCAPTCHA v3, Google collects user data such as a full screenshot of the browser window or the IP address and stores cookies in the persistent browser memory. Based on the website visitors’ data, Invisible reCAPTCHA derives a risk score for each individual user. Now it is the website owners’ responsibility to determine from which Invisible reCAPTCHA v3 risk score a user may pass or whether additional CAPTCHA tests are required. For this additional verification, many admins in turn use the image recognition tasks of Google reCAPTCHA v2.

A detailed comparison of the advantages and disadvantages of the current reCAPTCHA versions can be found in the reCAPTCHA comparison v2 vs. v3.


GDPR & Google reCAPTCHA – What data will be processed?

Google reCAPTCHA collects data from users in an intensive manner to detect human users or automated bots. In terms of data protection and the GDPR, excessive data collection practices must be viewed critically.

The following personal and behavioural data appear to be collected during Google reCAPTCHA verification, along with other, sometimes unknown, data:

  • IP address of the website visitor

  • URL of the website visited

  • Complete screenshot of the browser window

  • Referrer URL (the website from which the visitor came)

  • Time spent on the website

  • Mouse movements and keyboard inputs

  • Operating system and browser

  • Device settings (such as time, language and location)

  • Installed browser plugins

  • Cookies, including Google cookies

It is difficult for website owners to comply with the information requirements under Art. 13 GDPR because Google does not disclose exactly what, why or how the personal data of end users is collected by reCAPTCHA. In its EU privacy policy, it merely states that data is collected and that website operators must obtain explicit user consent from European users.

The Bavarian State Office for Data Protection Supervision (BayLDA) has addressed this issue in its FAQ. The data protection authority therefore strongly recommends that website operators consider a GDPR compliant alternative to reCAPTCHA.

Website operators should definitely check out the alternatives. However, if Google reCAPTCHA is integrated, the controller must be aware that they must be able to prove lawful use in accordance with Art. 5 (1), (2) GDPR. Those who cannot demonstrate how Google processes personal data cannot transparently inform the user and prove lawful use. Since a connection to Google's servers is established when the tool is activated and this can result in data being transferred to the USA, the requirements for transfers to third countries must also be met (see the FAQ "Can our company transfer personal data to non-EU countries?" under the search term "International data transfer"), including the requirements of the European Court of Justice (ECJ) judgment in the "Schrems II" case. In particular, each user must check whether the strict requirements of the Schrems II ruling can be met. If not, the transfer is not permitted.

Friendly Captcha is a reCAPTCHA GDPR alternative that does not store any data in persistent browser memory and never uses data for marketing purposes. Try Friendly Captcha and sign up for a free trial month.


Is Google reCAPTCHA GDPR Compliant?

International data protection experts are rather critical of the question of whether reCAPTCHA is GDPR compliant. The invisible analysis of user behavior and the collection of personal data are criticized when it comes to reCAPTCHA.

Any data collection or processing of personal data for analytics tools or marketing purposes may only take place under specific GDPR requirements. Website operators must always put the privacy of customer data first.

In addition to the intensive data collection practices by Google reCAPTCHA, there are further reasons that speak against GDPR compliance: a lack of transparency regarding user privacy, a lack of a dedicated reCAPTCHA privacy policy, cookie use and data transfer to non-EU countries.

We will take a closer look at these data protection issues below.

reCAPTCHA in the Context of GDPR Transparency

Since May 2018, the European General Data Protection Regulation (GDPR) has provided the legal framework for data protection in the European Union. It ensures the fundamental right to informational self-determination. It provides more transparency and co-determination for European users regarding personal data collected and processed.

The GDPR requires companies to collect and process personal data only with the express consent of the user and to limit data collection to what is essential for the performance of a service.

Transparency in the sense of the GDPR means that when using reCAPTCHA, website operators must provide the following information to their users:

  • What personal data is collected?

  • How is personal data used?

  • How is personal data protected?

  • Which third parties is personal data forwarded to?

However, reCAPTCHA customers cannot find this specific information in the Google data privacy policy. It seems clear, however, that Google reCAPTCHA collects extensive data and often uses the "_GRECAPTCHA" cookie.

With the help of cookies, reCAPTCHA creates an individual fingerprint for each user, which Google can use to track user behavior across pages. Information about the advantages and disadvantages of so-called fingerprinting can be found in the Friendly Captcha Wiki.

Failure to comply with these transparency requirements can lead to legal consequences and fines, as shown by the Cityscoot case and the NS Cards France case. In these cases, the French data protection authority ruled that the use of Google reCAPTCHA did not meet the transparency requirements of the GDPR and that cookie consent had not been obtained for the use of Google reCAPTCHA. The company Cityscoot was ordered by the French data protection authority CNIL to pay a fine of €125,000 and NS Cards France was ordered to pay a fine of €105,000.

Detailed information on how reCAPTCHA uses cookies can be found in the blog post on CAPTCHA cookies.


Absent a Legitimate Interest, Google reCAPTCHA Requires Consent

Is there now a legitimate interest for the use of reCAPTCHA and the associated data collection in accordance with Art. 6 para. 1 GDPR?

Some argue that reCAPTCHA protects websites and web forms from spam and bots. This bot protection ensures the availability of the website and thus makes the secure operation of the website possible in the first place.

On the other hand, reCAPTCHA collects and stores a large amount of data, sets cookies, and use of that data for purposes beyond functional bot protection cannot be ruled out. In addition, there are now data protection-friendly and GDPR compliant CAPTCHA solutions such as Friendly Captcha. This makes it almost impossible to argue that there is a legitimate interest.

reCAPTCHA uses cookies and collects and stores personal data. According to the GDPR and Section 25, paragraph 1 of the German Telemedia Act (Telemediengesetz, TDDDG), user consent via a cookie banner is required for the use of Google reCAPTCHA cookies that are not necessary for the operation of a website.

To do this, website operators must obtain explicit user consent with so-called consent management platforms that block all Google scripts using reCAPTCHA cookies. These consent management platforms are used to obtain user consent via opt-in for the data collected by Google. Likewise, users must be able to withdraw their consent at any time using an opt-out procedure.
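As an added example (not code from Friendly Captcha, Google or this article), the following JavaScript sketches a consent gate of the kind described above: the reCAPTCHA loader script is injected only after an opt-in, removed again on opt-out, a receipt of each decision is kept, and a check confirms that no Google script is present while consent is absent. The script URL, the Google host list and the in-memory `dom` stand-in are assumptions made here so the code runs outside a browser.

```javascript
// Consent gate for the reCAPTCHA script: load only after opt-in, tear down on
// opt-out, and keep a record of the decision. Added example, not Friendly
// Captcha's or Google's code. `dom` is a constructed stand-in for the browser
// (document.scripts and window globals) so the logic runs in Node.

// Standard reCAPTCHA loader URL (assumed here; it is not quoted on this page).
const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";
// Hosts whose scripts establish a connection to Google (assumed list).
const GOOGLE_HOSTS = ["google.com", "gstatic.com", "recaptcha.net"];

// Constructed in-memory stand-in for the parts of the browser we touch.
function fakeDom() {
  return {
    scripts: [],        // src of every <script> currently on the page
    globals: {},        // window.* properties the script would create
    injectScript(src) { this.scripts.push(src); this.globals.grecaptcha = {}; },
    removeScript(src) {
      this.scripts = this.scripts.filter((s) => s !== src);
      delete this.globals.grecaptcha; // drop the API object the script created
    },
  };
}

// All script sources on the page that point at a Google host.
function googleScriptsPresent(dom) {
  return dom.scripts.filter((src) => {
    let host;
    try { host = new URL(src).hostname; } catch (e) { return false; }
    return GOOGLE_HOSTS.some((h) => host === h || host.endsWith("." + h));
  });
}

// `now` is injectable so receipts are reproducible in tests.
function createConsentGate(dom, now = () => new Date().toISOString()) {
  const record = []; // consent receipts the operator can point to (Art. 5(2))
  let consent = false;

  function grant() {            // opt-in: only now may the script load
    consent = true;
    record.push({ action: "opt-in", at: now() });
    if (!dom.scripts.includes(RECAPTCHA_SRC)) dom.injectScript(RECAPTCHA_SRC);
  }
  function withdraw() {         // opt-out: stop loading and remove the script
    consent = false;
    record.push({ action: "opt-out", at: now() });
    if (dom.scripts.includes(RECAPTCHA_SRC)) dom.removeScript(RECAPTCHA_SRC);
    // Cookies already set on Google's domain cannot be cleared from here;
    // the gate only prevents further data flows from this page.
  }
  // Audit check: while consent is absent, no Google script may be present.
  function compliant() {
    return consent || googleScriptsPresent(dom).length === 0;
  }
  return { grant, withdraw, compliant, hasConsent: () => consent, record };
}

// Walk through opt-in and opt-out and report whether the page stayed compliant.
function runScenario() {
  const dom = fakeDom();
  const gate = createConsentGate(dom);
  const before = gate.compliant();          // nothing loaded yet
  gate.grant();
  const loaded = dom.scripts.includes(RECAPTCHA_SRC);
  gate.withdraw();
  const removed = dom.scripts.length === 0 && !("grecaptcha" in dom.globals);
  return { before, loaded, removed, receipts: gate.record.length };
}
```

In a real page the `dom` methods would create and remove the `<script>` element; the `compliant()` check is also useful as a one-off audit of a page that embeds reCAPTCHA unconditionally.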

These requirements present many website operators with a dilemma: they must obtain users’ consent in advance using cookie banners in order to use reCAPTCHA in accordance with the GDPR.

Any user who is unwilling or unable to give their consent is therefore excluded from all web interactions protected by reCAPTCHA.

As a consequence, website operators using reCAPTCHA integrate barriers for all users who do not want to or cannot share information with Google. Legitimate users may be repeatedly confronted with CAPTCHA tests or blocked from accessing services. This process leads to a poor user experience and restricts the CAPTCHA accessibility provided by reCAPTCHA.

A political party in Austria has also learned that the use of Google reCAPTCHA cannot be justified on the grounds of legitimate interest. Although the Austrian data protection authority, the Austrian Federal Administrative Court, confirmed that reCAPTCHA is useful for preventing cyberattacks, the cookies used do not contribute to ensuring essential site functionality.

User consent via a cookie banner was not obtained and the use of reCAPTCHA was therefore not permissible from a data protection perspective.


reCAPTCHA Data Transfers to the US Circumvent the GDPR

Another reason that makes it difficult for data protection officers to classify reCAPTCHA as GDPR compliant is the unavoidable data transfer to the US.

As already stated in several decisions by European data protection authorities regarding the use of Google products such as Google Analytics, Google collects and processes data with its tools and transmits it to the USA. The data transfer thus conflicts with the Schrems II ruling of the European Court of Justice.

As a website operator, you must assume that a connection to Google servers is established when you use reCAPTCHA.

Google automatically begins analyzing user data in the background as soon as the website user accesses a website. The personal data is immediately transmitted to the Google servers. Google does not explicitly define which servers are used for this. A cross-border data transfer cannot therefore be ruled out with certainty.

All website operators for whom secure and local data processing is important should therefore use an EU CAPTCHA. European CAPTCHA providers such as Friendly Captcha adhere to stricter data protection standards, have secure data sovereignty and are transparent about their data processing.

The most important reason not to use a US CAPTCHA like Google reCAPTCHA is the possibility of surveillance by the US government. For a US company like Google, different data protection laws apply than in Europe, which make this surveillance possible.

Based on the Foreign Intelligence Surveillance Act and National Security Letters, US security authorities have the right to access personal data from servers located abroad. This is intended to serve national security. Security authorities such as the FBI are thus able to obtain personal information, electronic communications and financial records of European users and websites without prior judicial authorization.

An EU CAPTCHA like Friendly Captcha, on the other hand, protects against unauthorized foreign surveillance and offers transparent data processing with clear GDPR compliance documentation.

Fines – What Are the Penalties for GDPR Violation?

We have seen that Google reCAPTCHA raises data protection issues. Anyone who does not comply with the above-mentioned obligations regarding transparency, cookie consent and data transfers to the US, or who is unable to comply due to a lack of information, is in breach of the GDPR.

These violations can result in a fine of up to 20 million euros or up to four percent of global annual sales.

In addition to the financial loss, GDPR fines can also have a reputational impact on an organisation. This reputational damage can have a long-term negative impact on customer trust and ongoing business. Therefore, it makes sense to consider a GDPR CAPTCHA alternative to Google reCAPTCHA.


GDPR Compliant Alternative to Google reCAPTCHA

If you want to use a GDPR-compliant CAPTCHA, you should consider a data protection compliant reCAPTCHA alternative.

Friendly Captcha is a secure GDPR compliant reCAPTCHA alternative for protection against bots and spam bots. With Friendly Captcha, website operators can meet the requirements of the GDPR while protecting important web interactions such as logins, registrations and online forms from bot attacks.

As a GDPR CAPTCHA, Friendly Captcha offers the following functions:

  • Friendly Captcha checks the end user’s device with invisible proof-of-work challenges in the background.

  • It uses advanced risk signals to detect and prevent bot activity.

  • Friendly Captcha works without HTTP cookies and does not use persistent browser storage.

  • Friendly Captcha is GDPR compliant and does not collect unnecessary personal data.

In contrast to Google reCAPTCHA, Friendly Captcha does not rely on the extensive collection and analysis of user data, but on the analysis of anonymized risk signals and on advanced, invisible proof-of-work challenges.

The information about data collection and use is transparent and no CAPTCHA cookies are set. User consent via cookie banners is therefore not necessary.

Friendly Captcha is an EU CAPTCHA. The data of EU users thus always remains within the EU. There are no international data transfers.

In summary, Friendly Captcha fully complies with the requirements of the GDPR and international data privacy laws such as CCPA and PIPL.

Would you like to switch to a GDPR-compliant CAPTCHA solution? Test Friendly Captcha for 30 days for free. The Friendly Captcha Enterprise Team will be happy to help you with any questions you may have regarding implementation.


FAQ

Google reCAPTCHA is not inherently GDPR compliant and its use presents significant challenges for website operators. To potentially use it in a legally compliant manner, specific technical and organizational measures must be implemented. These include, for example, obtaining explicit consent, updating the privacy policy, providing an opt-out mechanism, conducting a DPIA, and consulting legal counsel.

Many data protection experts and European DPAs recommend considering privacy-friendly alternatives that do not rely on extensive personal data collection or cookies, such as Friendly Captcha, as it can offer a better balance between security and user privacy.

Yes, Friendly Captcha is generally considered to be fully GDPR compliant by design and default. It was developed in Europe and employs a fundamentally different approach to bot protection compared to solutions like Google reCAPTCHA.

No, Google reCAPTCHA is not illegal in the EU, but using it in a non-compliant manner is a violation of the GDPR and the ePrivacy Directive, which can lead to significant fines and legal action. European data protection authorities have not issued an EU-wide ban on the product itself, but they have established clear rulings on how it must be used. Using Google reCAPTCHA puts website operators in a legal "gray area".

While not outright “illegal” in the EU, it cannot be used “out of the box” without implementing strict compliance measures, primarily obtaining informed, explicit user consent before the script loads. Many experts and DPAs recommend using a privacy-friendly, EU-based alternative like Friendly Captcha that does not require cookies or extensive personal data collection to avoid these legal risks entirely.

Yes, you need explicit, informed user consent (opt-in) to use Google reCAPTCHA under the GDPR and the ePrivacy Directive if your website has visitors from the EU or EEA.
Many data privacy experts recommend using a privacy-friendly alternative like Friendly Captcha, which does not set cookies or track personal data, thereby eliminating the need for consent entirely.

When using Google reCAPTCHA, website operators in the EU (or those with EU visitors) must adhere to strict GDPR requirements for data processing, focusing primarily on obtaining explicit user consent and ensuring transparency.
A much simpler solution to protect your own website from spam and bots without the need for additional security measures is Friendly Captcha.

The best GDPR-compliant alternative to Google reCAPTCHA for users within the European Union is widely considered to be Friendly Captcha. Friendly Captcha is a privacy-first, EU-based solution that is fully compliant with the GDPR by design and default for several key reasons. For website operators prioritizing maximum data protection and full compliance without the need for extensive legal review or user consent mechanisms, Friendly Captcha is the recommended choice.

Several CAPTCHA alternatives are considered GDPR compliant because they focus on data minimization and do not rely on extensive user tracking or cookies. The most prominent option is: Friendly Captcha.

Friendly Captcha is generally considered the leading GDPR-compliant option due to its design, which is privacy-first by default.

For most businesses operating within or targeting the EU, Friendly Captcha offers the best balance of robust security, a seamless user experience, and inherent GDPR compliance.

Yes, Google reCAPTCHA sets and uses cookies, along with other forms of browser storage and data collection mechanisms. The primary cookie set is the _GRECAPTCHA cookie, which Google describes as a necessary functional cookie for its risk analysis. However, when the reCAPTCHA script is loaded, it often interacts with or sets several other cookies associated with the Google domain, especially if the user is logged into a Google account. These cookies can be used for various purposes, including:

  • NID cookie: Used to remember preferences and customize advertising in Google searches.
  • 1P_JAR cookie: Gathers website usage statistics and helps measure the effectiveness of ads.
  • CONSENT cookie: Stores a user’s consent status for Google services.


To avoid the legal and privacy risks associated with requiring user consent, many website owners are switching to GDPR-compliant alternatives that are cookie-free, such as Friendly Captcha or Cloudflare Turnstile.

Google reCAPTCHA processes a wide range of personal and behavioral data to distinguish human users from automated bots. This data collection is extensive and is a primary reason for the challenges in making reCAPTCHA GDPR compliant.
The information collected by reCAPTCHA, particularly in the invisible v3 version, can include device and browser information, user behavior metrics, contextual information, and cookies. This extensive, often opaque, data collection is the main reason explicit user consent is required under the GDPR before reCAPTCHA can be used. Find in Friendly Captcha a GDPR-compliant CAPTCHA solution without extensive data collection.
