Google Recaptcha is a great tool for preventing spam on your website. It’s easy to integrate, effective, and free, but it can create problems for you in terms of GDPR compliance.
You probably need consent to use Google ReCaptcha. If bots can choose to deny consent, then what is the point?
Google offers two free versions of its ReCaptcha product: V2 and V3.
ReCaptcha V2 works by giving users a challenge when they complete an action that spammers target, for example, submitting a form. The user may be asked to classify an image; for example, pick out the images that contain boats. The task is designed to be difficult for a robot to do. V2 is a more privacy-conscious approach; it could also be deployed only on pages that require a captcha, such as pages with a form. This would minimize the privacy impact on users.
The ReCaptcha V3 solution requires the tracking code on all website pages to be most effective. V3 offers a more frictionless user experience. It works largely in the background and will only challenge website visitors who it suspects may be robots.
Other users can continue without a challenge if their interactions with the site before submitting a form are judged to be human. This experience is much more pleasant for the user. Still, it carries heavier privacy implications because of the data required for the calculations that distinguish a genuine user from an automated robot user.
Google ReCaptcha works by tracking and analyzing your user’s behavior on your website. This includes how the user navigates through the site with their mouse, clicks between content, the time they take to complete tasks like filling in forms, and the device they use to load the website. From this data, combined with whether the user is logged into a Google account already or not, the tool generates a score of how likely the user is to be a bot.
The data could potentially reveal other personal data about the user, especially if this visit data is combined with data from other websites serving the Google ReCaptcha code. The concept makes sense because the more data you collect, the better you can analyze whether a user is real. But even though it’s effective and serves a genuine business purpose (e.g., reducing spam), it still presents several issues under GDPR.
Why is it a privacy issue?
The primary issues with ReCaptcha relate to the GDPR proportionality principle and the GDPR requirement for a legal basis to process data (in this case, consent or legitimate interest).
The GDPR proportionality principle states that data processors (you as a website owner) must only collect and process data that is proportionate to your needs. Google ReCaptcha’s data collection could be considered excessive: while the amount of data it collects makes it effective at preventing spam, you can achieve a similar outcome using other, less privacy-intrusive approaches that collect less data. It would therefore be hard to argue that the data use is proportional. For this reason, legitimate interest as the legal ground for this data processing is very questionable.
If you must ask for consent before setting Google ReCaptcha cookies, you are also offering a spam visitor or bot the option to deny those cookies. This raises the question of whether there is any point in using Google ReCaptcha in the first place.
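The practical answer to "what is the point if a bot can deny consent" is to treat ReCaptcha as one optional layer rather than the only one: load it only on form pages and only after consent, verify its score server-side, and fall back to the less privacy-intrusive checks the article alludes to (a honeypot field, a minimum fill time, a rate limit) when consent is absent. The Node.js code below is an added example written for this article, not code from the article or from Google; it assumes the V3 verification result has the shape `{ success, score, action }` (the documented siteverify JSON) and uses a 0.5 score threshold (Google's documented default). The field names, limits and sample submissions are constructed for illustration.

```javascript
// Added example: consent-aware spam protection for a form endpoint (not the
// article's code). Assumes a reCAPTCHA V3 siteverify-style result
// { success, score, action } and a 0.5 score cut-off (documented default);
// field names, time limits and sample submissions are constructed.

const RECAPTCHA_SCORE_THRESHOLD = 0.5;  // assumption: Google's default cut-off
const MIN_FILL_TIME_MS = 3000;          // constructed: humans rarely submit in < 3 s
const HONEYPOT_FIELD = 'website_url';   // constructed: hidden field that bots tend to fill

// Only pages that carry a form need the captcha (the V2-style deployment the
// article recommends), and only once the visitor has actually consented.
function shouldLoadRecaptcha(consent, pageHasForm) {
  return consent === 'granted' && pageHasForm === true;
}

// Interpret a V3 verification result. The action must match the form being
// protected; otherwise a token minted for a different form could be replayed.
function recaptchaVerdict(verifyResult, expectedAction, threshold = RECAPTCHA_SCORE_THRESHOLD) {
  if (!verifyResult || verifyResult.success !== true) return { human: false, reason: 'verify-failed' };
  if (verifyResult.action !== expectedAction) return { human: false, reason: 'action-mismatch' };
  if (typeof verifyResult.score !== 'number' || verifyResult.score < threshold) {
    return { human: false, reason: 'low-score' };
  }
  return { human: true, reason: 'score-ok' };
}

// Sliding-window rate limiter keyed by a coarse identifier (e.g. a hashed IP).
// Works for consenting and non-consenting visitors alike.
class RateLimiter {
  constructor(maxHits, windowMs) {
    this.maxHits = maxHits;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  allow(key, nowMs) {
    const recent = (this.hits.get(key) || []).filter((t) => nowMs - t < this.windowMs);
    recent.push(nowMs);
    this.hits.set(key, recent);
    return recent.length <= this.maxHits;
  }
}

// Privacy-preserving fallback when no consent was given: no third-party script,
// no behavioural tracking, only signals the form itself provides.
function fallbackVerdict(fields, renderedAtMs, submittedAtMs) {
  if (fields[HONEYPOT_FIELD]) return { human: false, reason: 'honeypot-filled' };
  if (submittedAtMs - renderedAtMs < MIN_FILL_TIME_MS) return { human: false, reason: 'too-fast' };
  return { human: true, reason: 'fallback-ok' };
}

// Server-side decision for one submission. `verifyResult` is whatever the
// siteverify call returned, or undefined when the script was never loaded.
function assessSubmission(sub, limiter) {
  if (!limiter.allow(sub.clientKey, sub.submittedAtMs)) return { allow: false, reason: 'rate-limited' };
  const verdict = sub.consent === 'granted'
    ? recaptchaVerdict(sub.verifyResult, sub.expectedAction)
    : fallbackVerdict(sub.fields, sub.renderedAtMs, sub.submittedAtMs);
  return { allow: verdict.human, reason: verdict.reason };
}

// Constructed sample submissions: one consenting human, one non-consenting
// human, one non-consenting bot that filled the honeypot.
const SAMPLE_SUBMISSIONS = [
  { clientKey: 'h1', consent: 'granted', expectedAction: 'contact',
    verifyResult: { success: true, score: 0.9, action: 'contact' },
    fields: { message: 'hello' }, renderedAtMs: 0, submittedAtMs: 12000 },
  { clientKey: 'h2', consent: 'denied', expectedAction: 'contact', verifyResult: undefined,
    fields: { message: 'hi there' }, renderedAtMs: 0, submittedAtMs: 8000 },
  { clientKey: 'b1', consent: 'denied', expectedAction: 'contact', verifyResult: undefined,
    fields: { message: 'buy now', website_url: 'http://example.invalid' }, renderedAtMs: 0, submittedAtMs: 200 },
];

// Run every sample through a fresh limiter and return the decisions.
function demo() {
  const limiter = new RateLimiter(5, 60000);
  return SAMPLE_SUBMISSIONS.map((s) => assessSubmission(s, limiter));
}

console.log(demo());
```

The point of the design is that denying consent never disables protection: it only switches the site to checks that need no behavioural data and no transfer to a third party, which is also the configuration you can most easily defend as proportionate.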
It is also worth mentioning that Google ReCaptcha transfers personal data to US servers to complete its processing.
The tool has some major issues regarding GDPR and E-privacy, but many online brands still use the service. It’s one of the most popular anti-spam technologies in the world. There are currently no legal decisions relating to Google ReCaptcha and the GDPR. If you continue to use this tool, we advise you to seek professional legal advice and ensure that your website visitors are clearly informed about this technology.
If you wish to know more about this topic and need a consultation, contact our Specialist Data Privacy Counsel, Andres Ojaver.