Protecting your website from bots helps safeguard your organization and its customer data. To mitigate the risk, many companies use a CAPTCHA on their website.
In practice, this means that website visitors have to search for traffic lights, click on crosswalks and buses, or recognize which letter and number combinations are hidden behind a blurred image. In recent years, this is how website users have become used to proving that a real flesh-and-blood human being was logging in to an account or otherwise accessing online content.
With Google’s reCAPTCHA v3, those days are now over. Let’s look at what has changed, the benefits and limitations of Google reCAPTCHA, and how to comply with the European Union General Data Protection Regulation (GDPR) if your company uses it.
In 2014, Google reCAPTCHA v2 went live and the “I am not a robot” checkbox was born.
What is a CAPTCHA and how does it work?
A CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is a security mechanism used to distinguish real users from automated ones, such as bots. CAPTCHAs pose tasks that are difficult for computers but relatively easy for humans to solve.
The most common type of CAPTCHA involves displaying distorted text or images that the user must interpret and enter correctly. Here’s how it typically works:
- When accessing a website or performing actions like logging in or making a purchase, a CAPTCHA is triggered.
- The user sees a distorted image with letters, numbers, or objects that are hard for bots to recognize but easier for humans.
- The user types the characters or identifies the objects in the image.
- If correct, the user is verified as human and allowed to proceed; if incorrect, access is denied or a retry is required.
What is Google reCAPTCHA and how does it work?
Google reCAPTCHA, including invisible reCAPTCHA, is a free service that helps protect websites from spam and abuse by distinguishing between human users and automated bots or programs.
It uses advanced risk analysis techniques powered by artificial intelligence and machine learning to analyze user behavior, device information, IP addresses, and other signals to determine the likelihood that a user is human or a bot.
While not perfect, reCAPTCHA’s advanced techniques are more difficult for bots to bypass, providing an effective way to filter out automated spam and abuse on websites. However, it can be bypassed by advanced bots, machine learning systems trained on solving CAPTCHAs, or CAPTCHA-solving services.
Google reCAPTCHA v2 vs v3
Google offers two main versions of its reCAPTCHA service: reCAPTCHA v2 and reCAPTCHA v3. Here are the key differences between them.
The advantages of reCAPTCHA version 3
The key advantage of reCAPTCHA v3 is that it can provide a seamless and uninterrupted user experience by working invisibly in the background without presenting any visible challenges or interactive elements, like checkboxes, to users.
In addition to more sophisticated bot detection, there’s another benefit to the new version: companies have a lot more control.
From the website user’s point of view, version 3 only means that CAPTCHAs are no longer noticeable; for website operators it means much more. They now have to define granular risk-scoring thresholds for different parts of a website (login, social, payment, etc.), and those decisions can take into account transaction histories and usage profiles drawn from non-Google data.
These shifts bring a technical change and, more importantly, sweeping industry change. Website owners must now take responsibility for their bot traffic and cannot simply outsource the issue to third parties.
Is Google reCAPTCHA GDPR-compliant?
The short answer is no, Google reCAPTCHA is not inherently GDPR-compliant when used out of the box on websites, or if it’s poorly implemented.
This is because reCAPTCHA v3 operates invisibly to the user, which seems convenient but lacks transparency in terms of data processing and protection. User behavior is analyzed behind the scenes, and the user is not informed that the following data, among others, is sent to Google during the analysis:
- IP address
- referrer URL
- operating system
- cookies
- mouse movements/keyboard strokes
- length of pauses between actions
- device settings (e.g. language or location)
As a result, this lack of transparency in the use of CAPTCHA poses risks for website operators.
To comply with the latest privacy regulations, a website’s privacy policy should transparently describe how CAPTCHA works while simultaneously obtaining the visitors’ consent, for example, via the cookie banner of the Consent Management Platform (CMP). However, even with this, it may not be fully legally compliant, as Google does not make it sufficiently clear which processing and requests are made by the tool.
Our advice: be sure to consult your legal department or data protection officer on this issue.
GDPR-compliant alternatives to Google’s reCAPTCHA
There are several GDPR-compliant alternatives to Google’s reCAPTCHA that can offer a better balance between security and user-friendliness, such as Friendly Captcha, ALTCHA, and Cloudflare Turnstile.
Friendly Captcha is a privacy-friendly CAPTCHA solution that does not use cookies or track users, enabling it to be fully GDPR-compliant. It processes EU user data within the EU, so no sensitive information is transferred to other countries, even those with an adequacy agreement in place.
ALTCHA is an open-source, self-hosted alternative that employs a proof-of-work mechanism and machine learning for spam filtering without using cookies, fingerprinting, or tracking users, adhering to GDPR requirements.
Lastly, Cloudflare Turnstile is another GDPR-compliant option that can be used on any server and incorporates a Data Processing Addendum into its terms of service.
How to ensure GDPR compliance with Google reCAPTCHA
To ensure GDPR compliance when using Google reCAPTCHA, you need to take several key steps.
First, obtain explicit user consent before activating reCAPTCHA. Do this by implementing a cookie banner or consent mechanism. Additionally, update your privacy and cookie policies to include detailed information about reCAPTCHA, its data collection, and usage.
Furthermore, document your compliance efforts and provide users with an opt-out mechanism. Consider using reCAPTCHA v2 instead of v3, as it’s more privacy-conscious and can be deployed only on specific pages.
Finally, consult with a legal professional specializing in data protection to ensure full compliance, as there are ongoing debates about whether reCAPTCHA can be fully GDPR-compliant due to concerns about data transfers and Google’s status under US law.
Google reCAPTCHA setup guide
While it’s important to get legal guidance before implementing reCAPTCHA v3, here are the basics of how you can set it up.
1. Register your website and receive a Secret Key
- Register your website with Google.
- Log in to your Google account and fill in the appropriate form.
- Select reCAPTCHA v3 and enable the “I am not a robot” option in it.
- Save and submit the changes, then you will receive the Site Key and Secret Key from Google. These are needed to configure the form.
2. Integrate reCAPTCHA into your website
To integrate reCAPTCHA into your website, you must include it on both the client and server sides.
reCAPTCHA v3 is invisible to the user. This means that you will not see a CAPTCHA form on your website, and you’ll have to record the CAPTCHA response in your JavaScript code.
After completing all the required actions, you will see the reCAPTCHA icon on your website. This will enable you to get the service running on the client side.
The system will now analyze individual users, then create a token and associate it with a hidden submission item.
3. Server-side integration
Since there is no checkbox-style CAPTCHA, the reCAPTCHA response must be collected and sent to the backend for validation. Use a PHP file that holds the Secret Key and other settings as defined constants and validates the user with that data. The code creates a request, sends it to Google, and returns a score. Depending on the score received, you can perform actions relevant to your application (1.0 most likely indicates a good interaction).
Important: This is a very simple example of server-side integration and response scoring. If you apply it to your properties, make sure to use strong client-side and server-side validation, as you would with any form. If you are looking for more complex validation, then it is worth taking a look at the PHP library.
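The following is an added example, not code from the article, written in JavaScript (Node.js 18 or later, for the built-in `fetch`) rather than the PHP the guide mentions, so that both the client-side step and the server-side step can be shown in one language. It also illustrates the per-section score thresholds described under the advantages of version 3: the server checks the token with Google’s `siteverify` endpoint and then applies a different minimum score per action (login, payment, social). The `siteverify` request and response fields (`secret`, `response`, `remoteip`; `success`, `score`, `action`, `challenge_ts`, `hostname`, `error-codes`) are the public API; the threshold values, the hidden field name `g-recaptcha-response`, the function names and the sample response are assumptions made for this example.

```javascript
// Added example (not from the article): reCAPTCHA v3 integration in Node.js
// with per-action score thresholds on the server side.

const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Assumed per-action thresholds; the values are illustrative, not Google's.
const ACTION_THRESHOLDS = { login: 0.7, payment: 0.8, social: 0.5 };
const DEFAULT_THRESHOLD = 0.5;

// reCAPTCHA v3 tokens are only valid for two minutes after they are issued.
const TOKEN_MAX_AGE_MS = 2 * 60 * 1000;

// Browser side (step 2): fetch a token for a named action and place it in a
// hidden field before submit. Runs only in a page that has loaded
// api.js?render=SITE_KEY, so it is not exercised here.
function attachRecaptchaToken(form, siteKey, action) {
  return new Promise((resolve) => {
    grecaptcha.ready(async () => {
      const token = await grecaptcha.execute(siteKey, { action });
      let field = form.querySelector('input[name="g-recaptcha-response"]');
      if (!field) {
        field = document.createElement("input");
        field.type = "hidden";
        field.name = "g-recaptcha-response"; // assumed field name
        form.appendChild(field);
      }
      field.value = token;
      resolve(token);
    });
  });
}

// Server side (step 3): forward the token to Google and return the parsed
// JSON. fetchImpl is injectable so the function can be exercised offline.
async function verifyRecaptchaToken(token, secret, { remoteip, fetchImpl = fetch } = {}) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteip) body.set("remoteip", remoteip);
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) throw new Error(`siteverify HTTP ${res.status}`);
  return res.json();
}

// Decide whether to accept the request. The score alone is not enough: the
// token must have verified, been minted for the action this endpoint expects,
// belong to our own hostname and not be stale.
function evaluateSiteverify(result, { expectedAction, expectedHostname, now = Date.now() }) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { allow: false, reason: `verification failed: ${codes.join(",") || "unknown"}` };
  }
  if (result.action !== expectedAction) {
    return { allow: false, reason: `action mismatch: ${result.action}` };
  }
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { allow: false, reason: `hostname mismatch: ${result.hostname}` };
  }
  const issued = Date.parse(result.challenge_ts);
  if (Number.isNaN(issued) || now - issued > TOKEN_MAX_AGE_MS) {
    return { allow: false, reason: "token expired" };
  }
  const threshold = ACTION_THRESHOLDS[expectedAction] ?? DEFAULT_THRESHOLD;
  const score = typeof result.score === "number" ? result.score : 0;
  if (score < threshold) {
    return { allow: false, reason: `score ${score} below threshold ${threshold}` };
  }
  return { allow: true, reason: `score ${score}` };
}

// Constructed sample reply (not a real siteverify response) for a demo run.
const SAMPLE_RESPONSE = {
  success: true,
  score: 0.9,
  action: "login",
  challenge_ts: "2024-01-01T12:00:00Z",
  hostname: "example.com",
};

// Demo: evaluate the sample as if 30 seconds had passed since issuance.
console.log(evaluateSiteverify(SAMPLE_RESPONSE, {
  expectedAction: "login",
  expectedHostname: "example.com",
  now: Date.parse("2024-01-01T12:00:30Z"),
}));
```

The action and hostname checks matter as much as the score: a token minted for a low-risk action on one page should not be accepted by the payment endpoint, and a token issued for another site under the same key pair should be rejected. Keep the Secret Key on the server only; the browser code above never sees it.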
4. reCAPTCHA privacy and cookie policy requirements
Using reCAPTCHA involves collecting and processing personal data from website visitors, so if you have visitors from the EU or elsewhere covered by a data privacy law, you need to comply with data protection laws like the GDPR.
- Update your website’s privacy policy to disclose that you use Google reCAPTCHA and what data it collects (e.g., IP address, browser info, mouse movements, etc.)
- Explain the purpose of using reCAPTCHA (e.g., preventing spam/abuse) and that the data is transferred to Google’s servers.
- Mention that Google’s privacy policy applies to the data collected by reCAPTCHA.
- Create or update your cookie policy, since reCAPTCHA uses cookies like _grecaptcha. Disclose the cookies used and their purposes.
- For EU/EEA visitors, obtain prior consent before using reCAPTCHA by implementing a cookie banner or consent management platform. Provide options to decline, specify granular preferences, or revoke consent.
Google reCAPTCHA enables quality website traffic
Google’s reCAPTCHA v3 offers websites an innovative and user-friendly way to detect bots without intrusive CAPTCHA challenges.
However, its data collection practices demand careful privacy considerations. By being proactive and transparent — updating privacy policies, implementing a consent management platform to easily manage consent preferences, and closely following GDPR guidelines — website operators can leverage v3’s benefits while upholding user privacy.