GDPR & Recaptcha: How to stay compliant with GDPR

Google Recaptcha is a great tool for preventing spam and abuse of your website. It’s easy to integrate, effective and free. What’s not to like?

Well, while this tool is great for preventing spam, it can create another set of problems for you in terms of GDPR compliance.

In this article we will explore how to stay compliant with GDPR and PECR when using ReCaptcha. We’ll start by exploring how ReCaptcha works and the types of data that it collects. Then we’ll outline some of the most important privacy implications. After this we’ll outline some of the tasks you must complete in order to stay compliant with GDPR when using ReCaptcha. Finally we’ll provide details of some alternative solutions that require less compliance work.

TL;DR – You probably need consent to use Google ReCaptcha; even Google’s own EU User Consent Policy says so. Otherwise you’ll need a team of lawyers to defend your corner and justify your reasoning. If bots can simply choose to deny consent, and there are other, less privacy-intrusive alternatives on the market that still work well, then what is the point of all the hassle?

How Google Recaptcha Works

To understand why Google ReCaptcha creates legal issues under GDPR it is important to know how it works.

To summarise:

Google Recaptcha works by tracking and analysing your users’ behaviour on your website. This includes looking at how the user navigates through the site with their mouse, how they click between content, the time they take to complete tasks such as filling in forms, and the device they are using to load the website. From this data, combined with whether or not the user is already logged into a Google account, the tool generates a score of how likely the user is to be a bot.

To provide an example: if a user loads the homepage of a website first, then clicks through to a page about product features, and then clicks through to a get-a-quote form and types in their contact information over a few minutes, this would appear to be fairly genuine use of the website. However, if the user came directly to the page with the get-a-quote form, filled in the contact details within one second and then submitted the form, this would appear suspicious, because it is too fast for a human. It would therefore be challenged with a captcha pop-up.

The concept makes sense: the more data you can collect, the better you can analyse whether a user is real or not. But even though it’s effective and serves a genuine business purpose (e.g. reducing spam), it still presents a number of issues under GDPR that we will explore further.

Is reCaptcha GDPR Compliant?

Out of the box, no. Google’s Recaptcha tool deployed on a website without adequate notices and consent mechanisms would breach GDPR.

Sure, Google advises you to display their privacy policy and terms on the pages where you use Google ReCaptcha. But that’s not enough to make things compliant.

From https://developers.google.com/recaptcha/docs/faq

The tool works by collecting and processing a lot of personal data about how your users interact with your website. It uses cookies and other tracking technologies to do this, and it transfers the personal data to US servers in order to complete its processing.

Therefore there are several issues with Google ReCaptcha and GDPR that must be addressed before use can be compliant. The primary issues relate to the GDPR proportionality principle and the GDPR requirement for a legal basis to process data.

Legal Basis to Process Data & the Proportionality Principle

  • GDPR states that you must have a legal basis for processing personal data.
  • The six allowed legal bases are: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.
  • The most appropriate legal basis would likely be consent or legitimate interests.
  • ReCaptcha collects and processes personal data.
  • The GDPR proportionality principle states that data processors (this could be you, as a website owner) must collect and process only data that is proportionate to their needs. Google ReCaptcha’s data collection could be viewed as excessive, because while the amount of data it collects makes it effective at preventing spam, you can achieve a similar outcome using other, less privacy-intrusive approaches that collect less data. It would therefore be hard to argue that the data use is proportional.

Other issues relate to international data transfers and the use of cookies – which requires consent under PECR & E-Privacy, a different law that in this situation works in tandem with GDPR.

International Data Transfers

  • A transfer of personal data outside the EEA or UK to a restricted country requires additional safeguards.
  • Google ReCaptcha sends personal data to the US, so website managers who use this service will be facilitating a restricted transfer.
  • They must therefore put in place appropriate due diligence and safeguards.
  • The most appropriate safeguard is likely to be Standard Contractual Clauses or an IDTA (International Data Transfer Agreement). You can obtain these clauses by requesting them from Google. They should be signed and stored, and a date should be set to review these agreements.
  • You also need to update your privacy policies and other documentation to make sure that users are aware that their data is subject to international transfers.

Cookies & Consent

  • Non-essential cookies require consent under PECR. PECR is the “Privacy and Electronic Communications Regulations 2019”; it applies within the UK, and the same rule applies more generally across the EU (EEA) under the ePrivacy Directive.
  • Consent for cookies must meet GDPR standards.
  • Consent therefore must be freely given, specific and informed.
  • Google ReCaptcha uses cookies to track the user’s behaviour across your website.
  • In practice this means you must display a notice that gives users the chance to accept cookies or not. You cannot load cookies before consent has been given.
  • If you ask a spammer whether they want to load cookies or not, they will choose not to load them.
  • If you determine that you must ask for consent before using Google ReCaptcha cookies, and then offer a spam visitor or bot the option to deny those cookies, you must ask whether there is any point in using Google ReCaptcha in the first place, because a bot could simply deny the cookies. It is also worth factoring in that no system is 100% spam-proof: you can still receive spam from real human beings. In that case, is it better just to manage the spam you receive by filtering or deleting it, instead of adding the technical and legal complexity of managing Google ReCaptcha?
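The rule above (no ReCaptcha cookies before consent, a record of the decision, and a way to withdraw it) can be enforced in the page itself. The following is an added example written for this article, not code from Google or from any plugin: a small consent gate that injects the ReCaptcha script only once consent is on record, stores a timestamped record of the decision, and refuses to load the script again after withdrawal. The storage key, the `now` clock hook and the in-memory storage stand-in are assumptions made so the example runs outside a browser; in a real page `storage` would be `window.localStorage` and `injectScript` the `browserInjector` shown.

```javascript
// Added example (not from the original article): a consent gate that only
// injects the reCAPTCHA script, and therefore only lets it set cookies, after
// the visitor has granted consent. The decision is stored with a timestamp so
// it can be produced on request and withdrawn later.

const CONSENT_KEY = 'consent.recaptcha';                          // assumed storage key
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js';  // script URL assumed for illustration

// `storage` is any object with getItem/setItem (window.localStorage in a
// browser); `injectScript` is the function that actually loads the script;
// `now` is injectable so the timestamp can be fixed in tests.
function createConsentGate({ storage, injectScript, now = () => new Date() }) {
  let loaded = false;

  function record() {
    const raw = storage.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  }

  function hasConsent() {
    const r = record();
    return r !== null && r.granted === true;
  }

  // Loads the script only if consent is on record, and at most once per page.
  function ensureLoaded() {
    if (!hasConsent()) return false;
    if (!loaded) {
      injectScript();
      loaded = true;
    }
    return true;
  }

  function grant() {
    storage.setItem(CONSENT_KEY, JSON.stringify({ granted: true, at: now().toISOString() }));
    return ensureLoaded();
  }

  // Withdrawal is recorded immediately. A script already running on this page
  // cannot be unloaded, so the caller should also delete the reCAPTCHA cookies;
  // the gate will refuse to load the script on the next page view.
  function revoke() {
    storage.setItem(CONSENT_KEY, JSON.stringify({ granted: false, at: now().toISOString() }));
  }

  return { hasConsent, ensureLoaded, grant, revoke, record };
}

// Browser injector: appends the script tag only when the gate calls it.
function browserInjector(doc) {
  return () => {
    const s = doc.createElement('script');
    s.src = RECAPTCHA_SRC;
    s.async = true;
    doc.head.appendChild(s);
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
  };
}

// Walk through a visit: nothing loads before consent, one injection after it,
// repeated calls stay idempotent, and withdrawal is recorded.
function demo() {
  let injected = 0;
  const gate = createConsentGate({ storage: memoryStorage(), injectScript: () => { injected++; } });
  const beforeConsent = gate.ensureLoaded(); // false: no script, no cookie
  gate.grant();                              // script injected now
  gate.ensureLoaded();                       // still a single injection
  gate.revoke();
  return { beforeConsent, injected, consentAfterRevoke: gate.hasConsent(), record: gate.record() };
}
```

In a real page the cookie banner's "accept" handler calls `grant()` and the "withdraw" control calls `revoke()`; `ensureLoaded()` runs on every page view so returning visitors who already consented get the script without being asked again.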

Can I use Google ReCaptcha under Legitimate Interests?

Legitimate interests allows you to process personal data where you believe it to be within your legitimate interests as a business (e.g. an interest in keeping your website secure and in minimising the administration work required to clean out spam accounts and messages) AND you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

It’s a legal justification relied upon by many online banks and entertainment services in order to use security technologies. Their typical justification is that the prevention of fraud is in consumers’ interests, because increased fraud may lead to higher costs for consumers. Many of the technologies that prevent fraud use a similar method of analysing user behaviour on the site or app as Google Recaptcha. Companies argue that this type of data collection and analysis is proportional and privacy-conscious because the data collected is effectively anonymised. They also argue that users could reasonably expect this type of processing to take place.

Therefore you may be able to apply similar reasoning to the use of Google Recaptcha.

Fraud and abuse of your website is likely to increase your costs of administration, for example the labour cost of the time spent removing spam accounts. Therefore, it is logical to think that you could say that it is within your legitimate business interests to use this technology.

However, it has yet to be tested in law, so you would be advised to seek extensive legal advice before pursuing this approach. There are also many more implications when using a tool provided by Google (a company that already holds vast amounts of user data and is under US jurisdiction, where the law permits the surveillance of non-domestic citizens) compared to using a more specialised security company’s technology, which does not already have access to this kind of data or fall under US jurisdiction.

Our current analysis is that regulators taking a strict interpretation of GDPR are unlikely to tolerate this approach, because Google ReCaptcha would likely fail to fulfil the proportionality principle, and would also likely fail a legitimate interests balancing test. That test requires you to consider the purpose, necessity and balance of applying legitimate interests.

To explain:

The tool works by gathering a large amount of personal data; it goes well beyond a simple analytics tool that records pageviews and conversions. The tool analyses mouse clicks, mouse movements and whether the user is already logged into a Google account. The data could potentially reveal other personal traits about the user, especially if this visit data is combined with data from other websites serving the Google ReCaptcha code. There are solutions that help you minimise spam which rely on far less personal data, such as HCaptcha or a combination of spam filters and honeypots. Therefore it would be difficult to fulfil the proportionality requirements of legitimate interests. It would also be difficult to fulfil the necessity part of a balancing test. To quote the ICO:

“Is the processing proportionate to that purpose, or could it be seen as using a sledgehammer to crack a nut?”

Google ReCaptcha V3 takes a sledgehammer approach.

Other issues with Google ReCaptcha & Legitimate Interests

  • The tool analyses personal data in US data centres. This means that the data is a restricted transfer. It would be difficult to argue that this data transfer is necessary to protect your website: why couldn’t the same analysis occur on local servers in the UK or EEA?
  • The tool uses the analysis of this data for purposes other than just providing a free security service to websites. This data enhances Google’s advertising products, and it also helps Google apply machine learning. When you complete a Captcha you are helping to train Google’s machine learning algorithms. It would be difficult to argue that this processing is necessary.
  • Another major issue is that ReCaptcha installs a user-specific cookie on your visitors’ devices in order to track their movements throughout your website. Non-essential cookies require consent under PECR and E-Privacy. There are some exemptions for security, but it is not clear from current guidance whether they would apply to this cookie. Remember that this applies regardless of the legal basis for processing determined under GDPR.

For all these reasons, relying on Legitimate Interests to use Google ReCaptcha is a risky approach. Instead you may wish to consider a more robust legal basis such as Consent.

What Google says about using ReCaptcha

When signing up you are asked to tick a number of boxes confirming that you make users aware of your use of Google ReCaptcha and that you advise them that the Google terms of use and privacy policy apply.

In their EU User Agreement, Google go further, making it clear that consent should be sought when required:

Text from their agreement as of 10th August 2021:

“For Google products used on any site, app or other property that is under your control, or that of your affiliate or your client, the following duties apply for end users in the European Economic Area along with the UK.

You must obtain end users’ legally valid consent to:

  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads.

When seeking consent you must:

  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.

You must clearly identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product. You must also provide end users with prominent and easily accessible information about that party’s use of end users’ personal data.”

Remember, these are Google’s words, not ours or the regulators’. This is typical of many Google products, where the responsibility to protect personal data and apply local laws is placed on the user. In this situation you should be aware that even when using tools from large companies who likely have robust knowledge of data privacy laws, you must still complete your own due diligence.

How are different versions of Google ReCaptcha affected?

Google ReCaptcha offers two free versions of their ReCaptcha captcha product – V2 and V3.

ReCaptcha V2 works by giving users a challenge when they complete an action that spammers target, for example submitting a form. The user may be asked to classify an image, for example pick out the images that contain boats. The task is designed to be difficult for a robot to do.

ReCaptcha V3 offers a more frictionless user experience. It works largely in the background and will only challenge website visitors who it suspects may be robots. Other users will be able to continue without challenge as long as their interactions with the site prior to submitting a form are deemed to be from a human.

This experience is much more pleasant for the user, but carries heavier privacy implications because of the data required for the calculations that distinguish a genuine user from an automated, robot user.

V2 is a more privacy-conscious approach; it could also be deployed only on pages that require a captcha, such as pages with a form. This would minimise the privacy impact on users, whereas the V3 solution requires the tracking code to be present on all pages of the website in order to be most effective.

What your privacy policy should say if you use Google ReCaptcha

  • Your privacy policy should highlight that you use Google’s ReCaptcha product. It should explain why you use the product, give an overview of how it works and explain your legal basis for processing under GDPR, for example Consent or Legitimate Interests.
  • If you rely on consent, it should explain how people may withdraw their consent.
  • Your privacy policy should identify which third-party processors you share the personal data you collect with. It should identify where the data is processed and under what safeguards. Here’s an example from GitHub:

Cookie notice and cookie consent if you use Google ReCaptcha

A refresher on the rules:

  • If you use cookies and tracking technologies on your website AND you make your site available to users in the EEA (EU) or UK, you will need a cookie notice.
  • If you use non-necessary cookies you must get consent before you place these cookies on the user’s device.
  • Non-necessary cookies are any cookies that are not strictly required to make the website work. Analytics cookies are not necessary for example, because the user does not require them in order to make the content of a website work.
  • Popular non-necessary cookies include the Google Analytics tracking cookie, Facebook Pixel and Google Ads Conversion Pixel.
  • There are some exemptions for cookies that protect systems – for fraud prevention/security etc.

Google ReCaptcha is unlikely to be an essential cookie, at least for use on every single page. Consider your blog posts or homepage, for example: a user may visit just one page on your website after searching for a related query in a search engine like Google. It is difficult to argue that this single page visit requires tracking cookies or anti-spam cookies like Google ReCaptcha.

If you determine that the cookie is non-essential, you must get consent before you load this tracking technology on the user’s device.

For more advice on legal cookie consent notices you can read our previous article highlighting the most common mistakes we see websites make.

What your cookie policy should say if you use Google ReCaptcha

  • You should identify any cookies that are placed by Google ReCaptcha.
  • Under the UK’s PECR and EU’s E-Privacy you must say what cookies will be set and explain what the cookies will do.

What can I use instead of Google ReCaptcha?

Simple Honeypots

Honeypots add hidden form fields to your website forms. Humans can’t see these, so they leave them blank; bots, however, will typically fill them in. This is a simple and privacy-conscious fix. However, it is not as effective at preventing spam as Google ReCaptcha: the software behind spam bots has improved over time, so some bots will not fall for this trick. It is still worth considering, and used in tandem with a spam filter and/or double opt-in you can reduce your spam to manageable levels without having to gather additional personal information from your website users.

For WordPress & Contact Form 7 users you can try this free plugin.

Spam Filters & Double Opt-in

Another solution would be to change how you manage form submissions on your website. Take your contact form, for example: how many spam entries do you receive? It’s likely you do get a lot of sales messages, but how many of these are automated? Is the amount you receive enough to justify adding a service like ReCaptcha, or would a spam filter, which could match your form submissions against a list of spam accounts, be sufficient?

You could also change your processes to use a double opt-in, where users must confirm their email address before being able to access their account or join your mailing list. This may reduce your total sign-ups, but in reality it will give you a more accurate picture of real, engaged users, instead of a number inflated by bots.

HCaptcha

HCaptcha is a drop-in replacement for ReCaptcha. There are some integrations already available for free; for example, their WordPress plugin allows easy integration with your website’s forms and registration pages. One issue with HCaptcha is that, while it is privacy friendly since it does not rely on recording and analysing your browsing history, it still uses cookies. Using “non-essential” cookies can be considered a breach of the ePrivacy/PECR rules, so you will first need to evaluate whether the cookies set by HCaptcha fall within the exemptions defined under PECR/ePrivacy.

FriendlyCaptcha

FriendlyCaptcha is another ReCaptcha replacement. It works without cookies, which means you will not need to worry about the compliance risks of using cookies that could be interpreted as “non-essential”. According to the brands featured on its homepage it is also used by the European Commission, which would certainly be a hard-to-please customer when it comes to data privacy practices.

Cf7ReCaptcha Mine

A captcha solution which relies on no tracking, no cookies, no sessions and no external resources. This service only works for Contact Form 7 forms for now, via this free WordPress plugin. What’s interesting about this captcha solution is that it relies on blockchain “mining” technology: it works by asking the user’s device to solve a challenge. The types of computers used by spammers are low-powered and typically cannot solve such challenges; only if the browser can solve the challenge does it allow the form to be submitted. A very interesting approach!

What’s the outlook if I keep using ReCaptcha?

For now, it’s not clear. The tool has some major issues with regard to GDPR and PECR (E-Privacy), but we still see many online brands using the service. It’s one of the most popular anti-spam technologies in the world.

There are currently no legal decisions relating to Google ReCaptcha and the GDPR that we know about.

If you continue to use this tool we advise you to seek professional legal advice and to make sure that your website visitors are clearly informed about the use of this technology.

Remember that just because a technical alternative may be more time-consuming or more costly than a free tool, that does not mean regulators would permit the use of the free tool. Organisations are required to take appropriate measures to secure the personal data that they hold, whether this comes with a direct expense or not.