Google ReCaptcha is a great tool for preventing spam on your website. It’s easy to integrate, effective, and free, but it can create problems for you in terms of GDPR compliance.
You probably need consent to use Google ReCaptcha. If bots can choose to deny consent, then what is the point?
Google offers two free versions of its ReCaptcha product: V2 and V3.
ReCaptcha V2 works by giving users a challenge when they complete an action that spammers target, for example submitting a form. The user may be asked to classify an image, for example to pick out the images that contain boats. The task is designed to be difficult for a robot to complete. V2 is the more privacy-conscious approach: it can be deployed only on the pages that require a captcha, such as pages with a form, which minimizes the privacy impact on users.
The ReCaptcha V3 solution requires the tracking code to be present on all pages of the website to be most effective. V3 offers a more frictionless user experience. It works largely in the background and will only challenge website visitors who it suspects may be robots.
Other users will be able to continue without challenge if their interactions with the site before submitting a form are deemed to be from a human. This experience is much more pleasant for the user but carries heavier privacy implications because of the data required to provide the calculations that determine a genuine user from an automated, robot user.
Google ReCaptcha works by tracking and analyzing your users’ behavior on your website. This includes looking at how the user navigates through the site with their mouse, how they click between content, the time they take to complete tasks like filling in forms, and the device they are using to load the website. From this data, combined with whether or not the user is already logged into a Google account, the tool generates a score of how likely the user is to be a bot.
The data could potentially reveal other personal data about the user, especially if this visit data is combined with data from other websites serving the Google ReCaptcha code. The concept makes sense because the more data you can collect, the better you can analyze whether a user is real or not. But even though it’s effective, and serves a genuine business purpose (e.g. reduces spam), it still presents several issues under GDPR.
Why is it a privacy issue?
The primary issues with ReCaptcha relate to the GDPR proportionality principle and the GDPR requirement for a legal basis to process data (in this case consent or legitimate interest).
The GDPR proportionality principle states that data processors (you as a website owner) must collect and process only data that is proportionate to your needs. Google ReCaptcha’s data collection could be viewed as excessive: while the amount of data it collects makes it effective at preventing spam, you can achieve a similar outcome using other, less privacy-intrusive approaches that collect less data. It would therefore be hard to argue that the data use is proportional. For this reason, legitimate interest as the legal ground for this data processing is very questionable.
If you must ask for consent before using Google ReCaptcha cookies, and then offer a spam visitor/bot the option to deny these cookies, then there is a question of whether there is any point in using Google ReCaptcha in the first place.
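The two mitigations mentioned above, loading the V2 script only on pages that actually carry a protected form and only after the visitor has opted in, can be combined in one loader. The following is an added example, not code from the article or from Google; the consent cookie name `cookie_consent`, its JSON `recaptcha` category and the `data-recaptcha` form attribute are assumptions standing in for whatever your consent manager uses.

```javascript
// Consent-gated, form-page-only loader for reCAPTCHA V2 (added example).
// Assumed: the consent manager stores an opt-in map as JSON in `cookie_consent`,
// and forms that need a captcha are marked with a `data-recaptcha` attribute.
const RECAPTCHA_V2_SRC = "https://www.google.com/recaptcha/api.js";
const CONSENT_COOKIE = "cookie_consent";

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    try { out[name] = decodeURIComponent(part.slice(idx + 1).trim()); }
    catch { /* malformed percent-encoding: ignore this cookie */ }
  }
  return out;
}

// Consent counts only as an explicit opt-in to the "recaptcha" category;
// a missing cookie, unparseable value or any other value is treated as denial.
function hasRecaptchaConsent(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!value) return false;
  try { return JSON.parse(value).recaptcha === true; }
  catch { return false; }
}

// The tracking script may be injected only with consent AND only on a page
// that actually contains a protected form (never site-wide, as V3 would need).
function shouldLoadRecaptcha(cookieString, pageHasProtectedForm) {
  return hasRecaptchaConsent(cookieString) && pageHasProtectedForm === true;
}

// Inject the script tag at most once. `doc` is passed in (normally `document`)
// so the decision can be exercised against a stub without a browser.
function loadRecaptcha(doc, cookieString) {
  const hasForm = doc.querySelectorAll("form[data-recaptcha]").length > 0;
  if (!shouldLoadRecaptcha(cookieString, hasForm)) return false;
  if (doc.querySelector('script[src^="' + RECAPTCHA_V2_SRC + '"]')) return false;
  const s = doc.createElement("script");
  s.src = RECAPTCHA_V2_SRC;
  s.async = true;
  s.defer = true;
  doc.head.appendChild(s);
  return true;
}
```

In a browser you would call `loadRecaptcha(document, document.cookie)` from the consent manager's opt-in callback, so that no request to Google is made before the visitor has agreed.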
It is also worth mentioning that Google ReCaptcha transfers the personal data to US servers to complete its processing.
The tool has some major issues with regard to GDPR and ePrivacy, but many online brands are still using the service. It’s one of the most popular anti-spam technologies in the world. There are currently no legal decisions relating to Google ReCaptcha and the GDPR. If you continue to use this tool, we advise you to seek professional legal advice and to make sure that your website visitors are clearly informed about the use of this technology.