Cloudflare Turnstile is a free, CAPTCHA-free bot detection service from Cloudflare that verifies users are human through invisible proof-of-work challenges, browser signals, and behavioural analysis — without presenting visible CAPTCHA puzzles. It is designed to be privacy-preserving: no persistent tracking cookies, no advertising data sharing, and minimal personal data processing. Legitimate interest supports its use for security without requiring consent, making it one of the most GDPR-friendly CAPTCHA alternatives available.
Cloudflare Turnstile is the free CAPTCHA replacement launched by Cloudflare in 2022. Instead of asking users to identify traffic lights, Turnstile runs a series of non-interactive JavaScript challenges (Private Access Tokens, browser integrity tests, behaviour signals) and returns a token that the publisher's backend can verify against challenges.cloudflare.com/turnstile/v0/siteverify. The product is positioned as the privacy-first alternative to Google reCAPTCHA: no Google or Cloudflare advertising cookie is set, the JavaScript widget is small, and the verification is local to the visitor's browser whenever possible.
In its default invisible mode, Turnstile does not write any cookie on the publisher domain. The widget script (challenges.cloudflare.com/turnstile/v0/api.js) only stores a transient nonce in sessionStorage to detect replay during the same page lifetime. When the visitor must complete a managed or interactive challenge, Cloudflare may set cf_chl_persist on .cloudflare.com (third-party, 1 hour) and cf_chl_rc_n on the publisher domain (first-party, 1 hour) to remember the successful pass. These cookies are strictly necessary for the security service.
Turnstile relies on the legitimate interest of the publisher in protecting its forms, login and APIs against bots, scraping and credential stuffing (GDPR art. 6(1)(f)). The CNIL recommendation on cookies and the EDPB guidelines 2/2023 on art. 5(3) ePrivacy both recognise an exemption from consent for cookies and storage strictly necessary to provide a security service explicitly requested by the user. Turnstile fits inside that exemption as long as the publisher does not reuse the signals for marketing or analytics. The data minimisation principle (GDPR art. 5(1)(c)) is respected because no persistent visitor identifier is created.
Cloudflare Inc. is established in the United States and has adhered to the EU-US Data Privacy Framework since 1 August 2023. Challenge signals are processed across the global anycast network, which includes the United States, even when the visitor connects to a European point of presence. Customers on Cloudflare Enterprise or Business with Regional Services can pin the data plane to the European Region to keep raw signals within the EU. The Cloudflare data processing addendum incorporates the EU Standard Contractual Clauses (module 2) and is automatically signed by the customer when accepting the Cloudflare terms.
Recommendations for publishers:
- Limit Turnstile to genuine anti-bot purposes; do not pipe the score into marketing analytics.
- Document Cloudflare as a processor in the GDPR art. 30 register and in the privacy notice.
- Activate Regional Services EU only when strict data residency is required.
- Review the configured action mode (managed, non-interactive, invisible) to keep the user friction proportionate.
- Combine Turnstile with rate limiting and Web Application Firewall rules to reduce the number of challenges issued.
- Refresh the data processing addendum every year and verify the active DPF certification on dataprivacyframework.gov.
Privacy-first alternatives include Friendly Captcha (German, designed for GDPR), hCaptcha (with Privacy Pass), Altcha (open-source proof of work) and MTCaptcha. Google reCAPTCHA remains the most popular, but it sets behavioural cookies on doubleclick.net and is incompatible with the consent exemption for security cookies in most cases.
Websites using Cloudflare Turnstile must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Turnstile because it is a security measure that processes only signals about the browser session. Document the legal basis and the data flow to Cloudflare.
Sample consent text
We use Cloudflare Turnstile, a privacy-first CAPTCHA replacement, to detect bots and protect our forms. Turnstile runs a non-interactive JavaScript challenge in your browser; no advertising cookie is set and no behavioural profile is built. Signals such as your IP address, user agent and challenge timings are processed across the Cloudflare global network, including the United States, under the EU-US Data Privacy Framework and the EU Standard Contractual Clauses. Because Turnstile is strictly necessary to protect this site against fraud, it runs without your consent under the security exemption recognised by the CNIL and the EDPB.
Third-party domains contacted
- challenges.cloudflare.com
- cloudflare.com
- static.cloudflareinsights.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cf_clearance | First party (Cloudflare, optional) | 30 minutes | Set only when the protected resource also uses Cloudflare Bot Management. Confirms the visitor has passed the bot challenge for the current session; no advertising or tracking purpose. |
| __cf_chl_* | First party (Cloudflare) | Few seconds | Short lived challenge cookie used to coordinate the Turnstile challenge in the browser. Removed immediately after the challenge completes. |
Cloudflare Turnstile is an essential service, but transparency matters. Manage all your consent with FlowConsent.
Generally no. Turnstile is designed for bot prevention under legitimate interest. It does not set persistent tracking cookies, does not profile users for advertising, and collects minimal data. Legitimate interest for security is well-supported without requiring consent.
Yes. Turnstile does not show image puzzles or checkbox challenges to most users. It runs JavaScript challenges and browser attestation invisibly. In cases where automated checks are insufficient, Turnstile may show a simple visual confirmation, but most users experience zero-friction verification.
Turnstile collects: JavaScript challenge results, browser characteristics (user agent, screen resolution), timing signals, and proof-of-work challenge responses. It does not collect persistent identifiers for tracking, does not set advertising cookies, and does not share data with third-party advertising platforms.
Cloudflare operates a global network including EU data centres. For EU-only data processing, Cloudflare offers data localisation options. Standard Turnstile deployment may use Cloudflare's global network. Cloudflare provides a GDPR DPA covering Turnstile. Accept the Cloudflare DPA before using Turnstile on EU-facing websites.
Yes. Cloudflare Turnstile has a free tier with no usage limits for most use cases. There is no cost for the standard Turnstile widget. Enterprise-level features and SLA guarantees are available on Cloudflare's paid plans.
Add the Turnstile script tag to your page, add the Turnstile widget div with your site key, and validate the Turnstile token on your server using Cloudflare's siteverify API. Turnstile provides drop-in compatibility with existing reCAPTCHA implementations via its explicit mode.
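The server-side step above is where the security actually happens: the widget token proves nothing until the backend submits it to siteverify and checks the answer. The following is an added example (not FlowConsent's or Cloudflare's own code) showing that check in Python. It assumes the documented siteverify request fields (`secret`, `response`, `remoteip`) and response fields (`success`, `challenge_ts`, `hostname`, `action`, `error-codes`); `siteverify()` performs the network call, while `check_siteverify_result()` validates a decoded response offline so it can be exercised against a constructed sample.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
# Cloudflare documents widget tokens as single-use and valid for 300 seconds.
TOKEN_MAX_AGE = timedelta(seconds=300)


def siteverify(secret: str, token: str, remote_ip: Optional[str] = None, timeout: float = 5.0) -> dict:
    """POST the widget token (the cf-turnstile-response form field) to siteverify; returns decoded JSON."""
    fields = {"secret": secret, "response": token}
    if remote_ip:  # optional, lets Cloudflare compare against the IP that solved the challenge
        fields["remoteip"] = remote_ip
    req = urllib.request.Request(SITEVERIFY_URL, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_siteverify_result(result: dict, expected_hostname: str,
                            expected_action: Optional[str] = None,
                            now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Accept a token only if success is true AND hostname, action and freshness match what we expect."""
    if not result.get("success"):
        codes = result.get("error-codes") or ["unknown"]
        return False, "cloudflare rejected token: " + ",".join(codes)
    if result.get("hostname") != expected_hostname:  # token solved on another site
        return False, f"hostname mismatch: {result.get('hostname')!r}"
    if expected_action is not None and result.get("action") != expected_action:  # token for a different form
        return False, f"action mismatch: {result.get('action')!r}"
    ts = result.get("challenge_ts")
    if not ts:
        return False, "missing challenge_ts"
    try:
        issued = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return False, "unparseable challenge_ts"
    now = now or datetime.now(timezone.utc)
    if now - issued > TOKEN_MAX_AGE:  # defence in depth; Cloudflare also rejects stale tokens
        return False, "token too old"
    return True, "ok"


# Constructed sample response (not captured from Cloudflare) for offline demonstration.
SAMPLE_RESPONSE = {"success": True, "challenge_ts": "2024-05-01T12:04:30Z",
                   "hostname": "example.com", "action": "login", "error-codes": []}

if __name__ == "__main__":
    print(check_siteverify_result(SAMPLE_RESPONSE, "example.com", "login",
                                  datetime(2024, 5, 1, 12, 5, tzinfo=timezone.utc)))
```

Pass the `hostname` and `action` you configured for the widget, so a token solved on another site or another form of your own site is refused even when Cloudflare reports `success: true`.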
Both are privacy-friendly reCAPTCHA alternatives. Key differences: Turnstile is CAPTCHA-free (no visual puzzles for most users) while hCaptcha may show image grids. Turnstile is fully free with no limits; hCaptcha has a free tier but enterprise features are paid. Turnstile is hosted by Cloudflare with EU options; hCaptcha is US-hosted requiring SCCs. For GDPR simplicity, Turnstile's CAPTCHA-free design and minimal data collection are advantages.
State: that forms are protected by Cloudflare Turnstile for bot prevention, that Turnstile uses browser signals and JavaScript challenges to verify humanity, that this is processed under legitimate interest for security, that Cloudflare infrastructure is used, and link to Cloudflare's privacy policy.
None by default. Turnstile is cookieless and uses only short-lived browser signals. The cf_clearance cookie may appear if the protected resource is also behind Cloudflare Bot Management, but Turnstile itself does not depend on it.
No. Turnstile is a security technology necessary to provide the requested service (Recital 30 ePrivacy, Recital 49 GDPR). It can be loaded before consent like any anti-abuse CAPTCHA. The CNIL and AEPD share this view.
Legitimate interest (Art. 6(1)(f) GDPR) to protect a service from automated abuse, fraud, credential stuffing, scraping and spam. The interest is concrete and proportionate.
Cloudflare, Inc. is established in the United States. Most Turnstile challenges are evaluated at the closest edge node, often in Europe. Any transfer to the US is covered by the EU-US Data Privacy Framework and the EU SCCs in the Cloudflare DPA.
A DPIA is generally not required because Turnstile is a security measure that processes only browser signals for a short time. Document the lawful basis in your records of processing.
Use it on the forms or actions where bot abuse is a real risk. Document it as a security measure. Sign the Cloudflare DPA. Verify the token server-side. Use explicit or managed render mode to avoid surprising the user.
Privacy-first CAPTCHA alternatives include Friendly Captcha (Germany), Anubis (open source), MTCaptcha (Spain), hCaptcha (Switzerland), Procaptcha (UK), Capy Puzzle Captcha (Japan) and Geetest (China). For full Bot Management, consider Datadome (France) and Reblaze.
No mandatory cookie entry, because Turnstile is cookieless. Mention Cloudflare Turnstile in the security section of your privacy policy: purpose (bot mitigation), legal basis (legitimate interest in security), processor (Cloudflare), data transfer (EU-US Data Privacy Framework + SCCs).