Google’s ReCAPTCHA v3: What you need to know to be GDPR compliant

Having to search for traffic lights, clicking on crosswalks and buses, or recognizing which letters and number combinations are hidden behind a blurred image. In recent years this is how website users were used to proving that a real flesh and blood human being was accessing online content. With Google’s ReCAPTCHA v3, those days are now over. Let’s look at what has changed and what this means for GDPR compliance.

By the end of 2018, Google’s reCAPTCHA had shifted form a handful of times and was evolving into its third version.

What changed with Google’s reCAPTCHA?

It drastically reduced the number of tasks users must complete to log in to a website, and assigned users an invisible score based on how “human” their behavior was.

But the innovation also had a clear downside. That version monitors a user’s every move on a website in the background to determine whether the user is actually a real person.

With reCAPTCHA v3, Google says it can model a user’s interaction with a website so well that it no longer needs to ask them to check a box or require them to solve a puzzle.

Instead, it assesses each visitor with a risk score ranging from 0.0 (bad) to 1.0 (good) and returns that score to the site owner to decide how to respond. This risk analysis runs in the background and the user behavior is then closely monitored by the system.

Google does not provide an explanation for the score, but humans should achieve a score of 1.0 or close to it in order to proceed without being perceived as a bot and blocked.

What is interesting is that the visitor does not notice any of this. This is because the website visitor logs in as if there were no analysis. Only from the logo is it recognizable that something is still happening in the background.

Here’s how it works. If the user’s score falls below 0.7, the website can block or restrict access to certain parts of pages or require additional verification (e.g. in the form of two-factor authentication) by implementing an “action” tag on the pages.

With this procedure and through restricted access, misuse and spam by bots are reduced to a minimum.

In addition to more sophisticated bot detection, there’s another benefit to the new version behind the scenes: much more control for website owners in fine-tuning the Google API.

While version 3 actually only means that CAPTCHAs are no longer noticeable from the website user’s point of view, it is about much more than that for website operators. They now have to define scoring thresholds for different parts of a website (login, social, payment, etc.), which can include transaction histories and usage profiles from non-Google data.

These shifts bring not only a technical change, but more importantly a cultural one. Website owners must now take responsibility for their bot traffic and cannot simply outsource the issue to third parties.

One thing is certain, website operators are responsible for protecting their users’ data. The GDPR mandates users’ security so that the disclosure of their personal data is kept to a minimum with online activity.

As mentioned above, the use of CAPTCHA v3 runs virtually invisible to the user. As convenient as this may seem at first glance, it is ultimately non-transparent from a data protection perspective. This is because user behavior is analyzed in a concealed manner and the user is not informed that the following data, among others, is forwarded to Google during the system’s analysis:

• ReCIP address
• Referrer URL
• Operating system
• Cookies
• Mouse movements/keyboard strokes
• Length of pauses between actions
• Device settings (e.g. language or location)

As a result, the Bavarian supervisory authority indicates, as one example, that this lack of transparency in the use of CAPTCHA poses risks for website operators.

A strategy to make the tool as compliant as possible with the latest privacy legislation is to describe how CAPTCHA works as transparently as possible in the privacy policy. The key here is to simultaneously obtain the visitors’ consent, for example, via the cookie banner of the Consent Management Platform (CMP). However, even with this, it may not be fully legally compliant, as Google does not make it sufficiently clear which processing and requests are made by the tool.

Our advice: be sure to consult your legal department or data protection officer on this issue.

1. Register your website with Google.
2. Log in to your Google account and fill in the appropriate form.
3. Select reCAPTCHA v3 and enable the “I am not a robot” option in it.
4. Save and submit the changes, then you will receive the Site Key and Secret Key from Google. Remember, these are needed to configure the form.

In order to integrate reCAPTCHA into your website, you will need to include it on both the client side and the server side.

ReCAPTCHA v3 is invisible. This means that you will not see a CAPTCHA form on your website and you will have to record the CAPTCHA response in your JavaScript code.

When you have completed all the required actions, you will see the reCAPTCHA icon on your website. This will enable you to get the service running on the client side.

The system will now analyze individual users, then create a token and associate it with a hidden submission item.

Since there is no checkbox-style CAPTCHA, the reCAPTCHA response must be collected and sent to the backend for validation. Use a PHP file to validate the user with data through certain defined constants. The code creates a request, sends it to Google and returns a score. Depending on the score received, you can perform actions relevant to your applications (1.0 is most likely a good interaction).

Important: This is a very simple example of server-side integration and response scoring. If you apply it to your properties, make sure to use strong client-side and server-side validation, as you would with any form. If you are looking for more complex validation, then it is worth taking a look at the PHP library.

If you want to make sure that all actions on your website are performed by “real” people, not bots, and using an image puzzle query isn’t what you’re looking for, Google’s reCAPTCHA API solution is just the thing.

Also, don’t be surprised if some users miss the old version of puzzling around. Many people are creatures of habit and still trust the “old” version. It may confuse them that no interaction is required now. In the end, however, ReCAPTCHA v3 is a welcome innovation for most website visitors, because the days of puzzle-clicking are now a thing of the past. Where the majority of users will certainly appreciate this in the long run.

DISCLAIMER:

The implementation of a data protection-compliant implementation of a Consent Management Platform is ultimately at the discretion of the respective data protection officer or legal department.

These explanations therefore do not constitute legal advice. They merely serve to support you with information about the current legal situation when implementing a Consent Management Platform solution. If you have any legal questions, you should consult a qualified attorney.