Cloudflare Turnstile is a free, CAPTCHA-free bot detection service from Cloudflare that verifies users are human through invisible proof-of-work challenges, browser signals, and behavioural analysis — without presenting visible CAPTCHA puzzles. It is designed to be privacy-preserving: no persistent tracking cookies, no advertising data sharing, and minimal personal data processing. Legitimate interest supports its use for security without requiring consent, making it one of the most GDPR-friendly CAPTCHA alternatives available.
Cloudflare Turnstile is a free, CAPTCHA-free bot detection service launched by Cloudflare in 2022 as a privacy-respecting alternative to Google reCAPTCHA. Instead of making users solve visual puzzles (selecting traffic lights, bridges, bicycles), Turnstile uses non-intrusive JavaScript challenges, browser signal analysis, and proof-of-work techniques to verify humanity invisibly. Most users pass Turnstile verification without any visible interaction.
Turnstile is designed from the ground up to be privacy-preserving. It does not set persistent cookies for tracking purposes. It does not profile users across websites. It does not share signals with advertising platforms. Cloudflare uses Private Access Tokens (PAT) where supported, allowing Apple and Google attestation of device integrity without identifying the specific device. The result is bot detection with minimal personal data exposure.
Turnstile's minimal data processing and absence of advertising data sharing make legitimate interest (Art. 6(1)(f)) a well-supported legal basis for its use. Unlike reCAPTCHA, which creates GDPR uncertainty due to Google's advertising data use, Turnstile's scope is clearly limited to security. Cloudflare provides a GDPR-compliant DPA covering Turnstile through its standard enterprise terms.
Sign up for Cloudflare Turnstile (free tier available). Add the Turnstile script and widget to your forms. Accept Cloudflare's DPA covering Turnstile. Document the legitimate interest basis for bot prevention in your RoPA. Disclose Turnstile in your privacy policy: bot prevention, minimal data processing, Cloudflare infrastructure. No consent banner entry needed for Turnstile itself.
Websites using Cloudflare Turnstile must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for Cloudflare Turnstile standard deployments. Its privacy-by-design approach, absence of persistent cookies, and no advertising data sharing make it low-risk.
Sample consent text
This website uses Cloudflare Turnstile to protect forms from bots. Turnstile verifies you are human using privacy-preserving browser signals without cookies or tracking. Minimal technical data is processed under legitimate interest for security purposes.
Third-party domains contacted
challenges.cloudflare.com, cloudflare.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cf_clearance | persistent | 30 minutes | Cloudflare Turnstile clearance cookie confirming successful human verification — no advertising or tracking purpose |
Generally no. Turnstile is designed for bot prevention under legitimate interest. It does not set persistent tracking cookies, does not profile users for advertising, and collects minimal data. Legitimate interest for security is well-supported without requiring consent.
Yes. Turnstile does not show image puzzles or checkbox challenges to most users. It runs JavaScript challenges and browser attestation invisibly. In cases where automated checks are insufficient, Turnstile may show a simple visual confirmation, but most users experience zero-friction verification.
Turnstile collects: JavaScript challenge results, browser characteristics (user agent, screen resolution), timing signals, and proof-of-work challenge responses. It does not collect persistent identifiers for tracking, does not set advertising cookies, and does not share data with third-party advertising platforms.
Cloudflare operates a global network including EU data centres. For EU-only data processing, Cloudflare offers data localisation options. Standard Turnstile deployment may use Cloudflare's global network. Cloudflare provides a GDPR DPA covering Turnstile. Accept the Cloudflare DPA before using Turnstile on EU-facing websites.
Yes. Cloudflare Turnstile has a free tier with no usage limits for most use cases. There is no cost for the standard Turnstile widget. Enterprise-level features and SLA guarantees are available on Cloudflare's paid plans.
Add the Turnstile script tag to your page, add the Turnstile widget div with your site key, and validate the Turnstile token on your server using Cloudflare's siteverify API. Turnstile provides drop-in compatibility with existing reCAPTCHA implementations via its explicit mode.
Both are privacy-friendly reCAPTCHA alternatives. Key differences: Turnstile is CAPTCHA-free (no visual puzzles for most users) while hCaptcha may show image grids. Turnstile is fully free with no limits; hCaptcha has a free tier but enterprise features are paid. Turnstile is hosted by Cloudflare with EU options; hCaptcha is US-hosted requiring SCCs. For GDPR simplicity, Turnstile's CAPTCHA-free design and minimal data collection are advantages.
State: that forms are protected by Cloudflare Turnstile for bot prevention, that Turnstile uses browser signals and JavaScript challenges to verify humanity, that this is processed under legitimate interest for security, that Cloudflare infrastructure is used, and link to Cloudflare's privacy policy.