Google reCAPTCHA is a free bot and spam protection service from Google that verifies users are human through challenge tests (v2) or invisible behavioural analysis (v3). It sets Google cookies and sends browser fingerprinting data to Google's US servers. European DPAs and courts have questioned reCAPTCHA's GDPR compliance due to its persistent Google cookies and opaque data processing. hCaptcha and Cloudflare Turnstile are privacy-focused alternatives.
Google reCAPTCHA is a free CAPTCHA service from Google that protects websites from bots and spam. reCAPTCHA v2 presents visible challenges ("I am not a robot" checkbox, image selection). reCAPTCHA v3 operates invisibly in the background, assigning a risk score to every user session without visible interaction. reCAPTCHA Enterprise offers enhanced privacy controls for larger deployments.
reCAPTCHA sets several Google cookies (NID, _GRECAPTCHA) and sends browser fingerprinting data to Google. Under the ePrivacy Directive, setting non-essential cookies on user devices requires consent. The German Landesdatenschutzbeauftragte Baden-Württemberg has specifically raised concerns about reCAPTCHA's GDPR compliance. The key tension: reCAPTCHA is a security measure (legitimate interest) but sets cookies that may be used for Google advertising purposes (requiring consent).
reCAPTCHA v3 presents particular GDPR challenges: it runs invisibly on every page without user interaction, users cannot opt out or complete an alternative challenge, and the data it sends to Google for scoring is not fully disclosed. The GDPR transparency principle requires clear disclosure of all data processing. If reCAPTCHA v3 is deployed site-wide, users must be informed in the privacy policy.
hCaptcha is a privacy-focused CAPTCHA alternative that does not use Google's infrastructure and provides clearer GDPR terms. Cloudflare Turnstile is a CAPTCHA-free challenge that minimises data collection. Both provide bot protection without the Google data-sharing concerns. For non-public forms, honeypot techniques provide bot protection with zero data collection.
Disclose reCAPTCHA in your privacy policy including Google's data processing and US transfer. Sign Google's data processing agreement. Consider whether legitimate interest covers the security use case or whether consent is needed. For v3, ensure site-wide disclosure. Consider switching to hCaptcha or Cloudflare Turnstile for simpler GDPR compliance.
Websites using Google reCAPTCHA must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard reCAPTCHA security implementations. However, reCAPTCHA v3 runs on all pages invisibly, constituting broader monitoring that may warrant a risk assessment, particularly if Google uses the data for advertising purposes beyond bot detection.
Sample consent text
This website uses Google reCAPTCHA to protect forms from spam and abuse. reCAPTCHA uses cookies and sends data to Google in the US for security analysis. By using forms on this website you accept Google reCAPTCHA data processing.
Third-party domains contacted
www.google.com
www.gstatic.com
recaptcha.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _GRECAPTCHA | persistent | 6 months | Google reCAPTCHA security token used for bot risk scoring and challenge verification |
The legal basis is contested. reCAPTCHA sets Google cookies (NID, _GRECAPTCHA) on user devices. Under ePrivacy, setting cookies requires consent. However, legitimate interest may support the security use case. German DPAs have raised concerns. The safest approach: use reCAPTCHA only on form pages (not site-wide), disclose in privacy policy, and consider whether consent or legitimate interest is documented.
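The advice above (load reCAPTCHA only on form pages, and only with a documented legal basis) can be enforced in the page itself rather than left to policy. The following is an added example, not code from FlowConsent or Google: it loads Google's documented api.js loader only when the current page carries a form marked for protection and the visitor's consent record allows reCAPTCHA. The `data-recaptcha-protected` attribute, the `consentState` object shape and the function names are assumptions made for this example.

```javascript
// Added example (not FlowConsent's or Google's code): gate the reCAPTCHA loader
// on (a) the page actually containing a protected form and (b) recorded consent.
// Assumptions for this example: forms to protect carry data-recaptcha-protected,
// and the consent manager exposes an object like { recaptcha: true|false }.

const RECAPTCHA_LOADER = "https://www.google.com/recaptcha/api.js"; // Google's documented loader URL

// Pure decision function: returns the reason loading is skipped, or null when
// loading is allowed. Keeping it pure makes the policy unit-testable.
function recaptchaLoadDecision({ consentGranted, pageHasProtectedForm, version }) {
  if (!pageHasProtectedForm) return "no-protected-form"; // keeps v3 off pages without forms
  if (!consentGranted) return "consent-missing";        // ePrivacy: the cookies need a legal basis
  if (version !== "v2" && version !== "v3") return "unknown-version";
  return null;
}

// v3 takes the site key in the query string; v2 does not.
function recaptchaScriptUrl(version, siteKey) {
  const url = new URL(RECAPTCHA_LOADER);
  if (version === "v3") url.searchParams.set("render", siteKey);
  return url.toString();
}

// Browser glue: call from the consent banner's "accept" handler and on page load.
// Returns the skip reason (or null once the script tag has been injected).
function loadRecaptchaIfAllowed(consentState, siteKey, version) {
  if (typeof document === "undefined") return "no-dom"; // running outside a browser
  const pageHasProtectedForm =
    document.querySelector("form[data-recaptcha-protected]") !== null;
  const reason = recaptchaLoadDecision({
    consentGranted: consentState.recaptcha === true,
    pageHasProtectedForm,
    version,
  });
  if (reason) return reason;
  if (document.querySelector('script[src^="' + RECAPTCHA_LOADER + '"]')) {
    return "already-loaded"; // idempotent: consent handler may fire more than once
  }
  const script = document.createElement("script");
  script.src = recaptchaScriptUrl(version, siteKey);
  script.async = true;
  script.defer = true;
  document.head.appendChild(script);
  return null;
}
```

Until the loader runs, no request reaches www.google.com and no _GRECAPTCHA or NID cookie is touched, which is what makes the "form pages only" position defensible; the decision function also gives you a place to log why a load was skipped, which is useful evidence when documenting the legal basis.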
reCAPTCHA sets _GRECAPTCHA (security token, 6 months) and may read the NID cookie (Google identifier, 6 months) if already present. These are Google cookies stored on the user's device, requiring an ePrivacy legal basis.
reCAPTCHA v2: visible challenge on specific pages (checkbox or image), only fires when user interacts with the form. reCAPTCHA v3: runs invisibly on every page visit without user interaction. v3 raises stronger GDPR concerns due to site-wide monitoring without user awareness.
Yes. All reCAPTCHA processing occurs on Google's US infrastructure. SCCs are required. Accept Google's reCAPTCHA terms which include data processing terms. Disclose the US transfer in your privacy policy.
hCaptcha: privacy-focused CAPTCHA with clearer GDPR terms, no Google data sharing. Cloudflare Turnstile: CAPTCHA-free challenge with minimal data collection, EU option available. Honeypot technique: invisible hidden form field that only bots fill — zero data collection. All three provide bot protection without Google's data sharing concerns.
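The honeypot technique mentioned here and in the alternatives section above is simple enough to show end to end. The following is an added example, not code from FlowConsent or any of the named providers: it renders the hidden trap field and performs the server-side check on the submitted form body. The field name `website_url`, the sample submissions and the helper names are constructed for this example.

```javascript
// Added example (not from the original page): a honeypot field as the
// zero-data-collection bot check described above. The field name and the
// sample submissions below are constructed assumptions for this example.

const HONEYPOT_FIELD = "website_url"; // a plausible name, so form-filling bots populate it

// Markup for the trap: moved off-screen via CSS, hidden from assistive
// technology via aria-hidden, skipped by keyboard via tabindex, and excluded
// from browser autofill. A human never fills it; a bot that fills every
// input usually does. No cookies, no third-party requests.
function honeypotFieldHtml() {
  return (
    '<div style="position:absolute;left:-9999px" aria-hidden="true">' +
    `<label for="${HONEYPOT_FIELD}">Leave this field empty</label>` +
    `<input type="text" id="${HONEYPOT_FIELD}" name="${HONEYPOT_FIELD}" ` +
    'tabindex="-1" autocomplete="off">' +
    "</div>"
  );
}

// Server-side check on the parsed form body (e.g. req.body in Express).
// Returns { ok, reason } so the caller can reject or log without telling the
// submitter which field tripped the check.
function checkHoneypot(body) {
  if (!Object.prototype.hasOwnProperty.call(body, HONEYPOT_FIELD)) {
    // Design choice: a browser always submits the (empty) text input, so an
    // absent field means the request did not come from the served form.
    return { ok: false, reason: "honeypot-missing" };
  }
  const value = String(body[HONEYPOT_FIELD]);
  if (value.trim().length > 0) {
    return { ok: false, reason: "honeypot-filled" };
  }
  return { ok: true, reason: null };
}

// Constructed sample submissions (not real traffic).
const SAMPLE_HUMAN = { name: "Ada", message: "Hello", website_url: "" };
const SAMPLE_BOT = { name: "Ada", message: "buy now", website_url: "http://example.invalid" };
const SAMPLE_BYPASS = { name: "Ada", message: "Hello" };
```

A common deployment choice is to answer a failed check with the same success page a human would see and simply drop the submission, so the automated client receives no signal that a trap exists; record the reason in server logs for your own monitoring.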
Yes. reCAPTCHA v3 runs invisibly on every page without user awareness. GDPR's transparency principle requires clear disclosure of all data processing. If deployed site-wide, visitors must be clearly informed in the privacy policy that their browsing behaviour is analysed by Google for security purposes.
reCAPTCHA Enterprise offers enhanced privacy controls including the ability to not send data to Google for advertising purposes and clearer contractual terms. It is more GDPR-compliant than standard reCAPTCHA but still involves US data transfer and Google processing. Consult your DPO.
State: that forms on the website are protected by Google reCAPTCHA, that reCAPTCHA collects hardware and software information and behavioural data and sends it to Google for analysis, that this data is processed in the US under SCCs, and link to Google's Privacy Policy and Terms of Service.