Yandex SmartCaptcha is an anti-bot CAPTCHA service operated by Yandex LLC under the Yandex Cloud brand and hosted in data centres located in the Russian Federation. It distinguishes humans from bots through invisible behavioural analysis, browser fingerprinting and, when needed, interactive challenges. Because Yandex processes data in Russia, a country without a GDPR adequacy decision, embedding SmartCaptcha on a European website triggers Chapter V transfer obligations, requires informed consent and is generally discouraged by EU regulators in favour of EU-based alternatives.
Yandex SmartCaptcha is an anti-bot service offered by Yandex LLC, a Russian company headquartered in Moscow, as part of the Yandex Cloud product family. It protects forms, login pages and APIs against automated abuse by combining invisible behavioural scoring with adaptive interactive challenges (image grids, sliders) shown only to suspicious sessions. The service is offered under Yandex Cloud terms governed by Russian law and is widely used on consumer websites inside the Russian Federation. Its presence on a European website should be carefully justified.
SmartCaptcha collects the visitor IP address, User-Agent, screen and timezone information, mouse and keyboard movement patterns, touch events, browser fingerprinting signals (canvas, WebGL, audio context, installed fonts) and the referring URL. It sets short-lived cookies on the smartcaptcha.yandexcloud.net and captcha.yandex.ru domains and stores tokens in local storage to remember validated sessions. The challenge is delivered through a sandboxed iframe loaded from Yandex servers. Each evaluation is sent to Yandex infrastructure in Russia and produces a binary verdict plus a confidence score.
The behavioural signals and cookies fall squarely within Art. 5(3) of the ePrivacy Directive and trigger the consent requirement transposed in Art. 82 of the French Loi Informatique et Libertés, § 25 TDDDG in Germany and Art. 22.2 LSSI in Spain. Some controllers argue that bot protection is strictly necessary, but the EDPB and the CNIL accept that argument only for genuinely first-party, non-profiling captcha. Yandex collects fingerprinting data and operates outside the EU, so the strictly necessary exemption is unlikely to apply.
The recommended legal basis is explicit consent under Art. 6(1)(a) GDPR combined with Art. 5(3) ePrivacy. The challenge script must be blocked until the visitor accepts the security or bot protection category in the consent banner, and a fallback verification path (email link, simple math question, EU-based captcha) must be offered to users who decline. Legitimate interest under Art. 6(1)(f) is fragile here because the necessity test cannot be passed when EU alternatives such as hCaptcha or Cloudflare Turnstile provide equivalent protection without third-country transfer.
Russia is not covered by any European Commission adequacy decision. Transfers therefore require an Art. 46 GDPR tool, in practice Standard Contractual Clauses. After Schrems II (CJEU C-311/18) a Transfer Impact Assessment is mandatory and must consider Russian Federal Law 374-FZ (Yarovaya Law), the SORM lawful interception regime and the broad access powers of the FSB. Pseudonymisation and end-to-end encryption are difficult to apply to a captcha service since the vendor needs raw signals. EU sanctions under Council Regulation 833/2014 may also restrict certain business relationships with Russian providers.
Run a full DPIA, evaluate EU alternatives (hCaptcha in Ireland, Cloudflare Turnstile under SCCs and the EU-US Data Privacy Framework, Friendly Captcha in Germany), and check sanctions exposure. If SmartCaptcha is unavoidable, sign the Yandex Cloud SCC addendum, conduct and document the Transfer Impact Assessment, restrict the challenge to high-risk endpoints only, gate the script behind a granular consent banner and update the privacy notice and record of processing activities. Monitor decisions from the CNIL, EDPB and national DPAs about Russian processors and plan a migration path.
Websites using Yandex SmartCaptcha must obtain user consent under GDPR regulations.
DPIA considerations
A Data Protection Impact Assessment under Art. 35 GDPR is strongly recommended because Yandex SmartCaptcha combines (i) systematic monitoring of visitors through behavioural and fingerprinting signals, (ii) automated decision-making that may block legitimate users, and (iii) transfers to a third country without an adequacy decision. The DPIA must document the necessity test against EU alternatives (hCaptcha, Cloudflare Turnstile, Friendly Captcha), the Transfer Impact Assessment for Russia, the safeguards (SCCs, encryption in transit, contractual restrictions on government access requests) and the residual risk after measures.
Sample consent text
This website uses Yandex SmartCaptcha to detect automated bots on forms and login pages. SmartCaptcha sets cookies and identifiers on your device and transmits browser signals and your IP address to Yandex LLC servers located in the Russian Federation. Russia is not covered by a GDPR adequacy decision and your data is transferred under Standard Contractual Clauses with additional safeguards. Click Accept to enable bot protection or Decline to use an alternative verification flow.
Third-party domains contacted
smartcaptcha.yandexcloud.net
captcha.yandex.ru
yandex.ru
yandex.com
mc.yandex.ru

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| yandexuid | Persistent | 1 year | Long-lived Yandex visitor identifier used by SmartCaptcha to recognise the browser across challenges and to feed Yandex anti-fraud signals. |
| yp | Persistent | 10 years | Yandex preferences cookie storing language, region and security settings used by SmartCaptcha and other Yandex products. |
| i | Persistent | 1 year | Yandex identifier cookie linked to the visitor profile, used to detect bot patterns and repeat offenders across sessions. |
| smartcaptcha_token | Local Storage | Session | Validation token stored after a successful challenge so the visitor is not prompted again within the same session. |
| yandex_login | Session | Session | Optional session cookie set when the visitor is logged in to a Yandex account, used to lower the friction of the challenge. |
SmartCaptcha collects the visitor IP address, User-Agent, screen and timezone information, mouse and keyboard movement patterns, touch events, browser fingerprinting signals (canvas, WebGL, audio context, installed fonts) and the referring URL. It sets cookies and stores tokens on smartcaptcha.yandexcloud.net and captcha.yandex.ru to remember validated sessions. All signals are transmitted to Yandex servers in the Russian Federation for evaluation. The result is a confidence score and a binary verdict that the embedding site uses to allow or block the form submission.
Yes. Because SmartCaptcha stores tokens and cookies on the terminal and collects fingerprinting signals, it falls under Art. 5(3) ePrivacy and requires prior, freely given, specific and informed consent. The CNIL, the German DSK and the AEPD do not accept the strictly necessary exemption for a third-country CAPTCHA that performs profiling. The challenge script must be blocked until the visitor accepts a security or anti-bot consent category, and a fallback verification path must be offered to users who decline.
Consent under Art. 6(1)(a) GDPR combined with Art. 5(3) ePrivacy is the safest basis. Legitimate interest under Art. 6(1)(f) is contested because the necessity test cannot be satisfied when EU-based alternatives (hCaptcha, Cloudflare Turnstile, Friendly Captcha) provide equivalent protection without third-country transfer. If consent is collected, it must be granular, separated from other purposes, easily withdrawable, and recorded in the consent management platform with proof of acceptance.
Yes. SmartCaptcha processes data in Yandex Cloud data centres located in Moscow and Vladimir. Russia has no European Commission adequacy decision under Art. 45 GDPR, so transfers must rely on Standard Contractual Clauses (Art. 46) together with the supplementary measures recommended by the EDPB after Schrems II. A Transfer Impact Assessment must address Federal Law 374-FZ (Yarovaya Law), the SORM lawful interception regime and FSB access powers, and explain why technical or contractual safeguards mitigate the residual risk.
A Data Protection Impact Assessment under Art. 35 GDPR is strongly recommended. The processing meets several criteria from the EDPB list: systematic monitoring through behavioural signals, automated decisions that may block legitimate users, and transfers to a third country without adequacy. The DPIA should compare SmartCaptcha to EU alternatives, document the Transfer Impact Assessment, list the safeguards (SCC, encryption in transit, contractual restrictions on government requests) and quantify the residual risk for data subjects.
Block the SmartCaptcha script until the visitor consents through the cookie banner using a dedicated security category. Limit the challenge to high-risk endpoints (login, registration, payment) instead of every page. Sign the Yandex Cloud Data Processing Agreement and the Standard Contractual Clauses addendum. Document the Transfer Impact Assessment and update the privacy notice, the record of processing activities and the cookie register. Provide an accessible fallback verification path so refusing consent does not lock users out.
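One way to implement the consent gate described above, as an added example that is not Yandex or FlowConsent code. The `security` category name, the shape of the consent object and the script path on smartcaptcha.yandexcloud.net are assumptions to check against your consent platform and the vendor documentation; the `smartcaptcha_token` key comes from the cookie table on this page.

```javascript
// Added example: nothing is requested from the captcha domain until the
// visitor accepts the category; decline and withdrawal lead to the fallback.
const CAPTCHA_SRC = "https://smartcaptcha.yandexcloud.net/captcha.js"; // assumed path
const TOKEN_KEY = "smartcaptcha_token"; // local-storage key from the cookie table

// In the browser, pass `document` and `localStorage`.
function createCaptchaGate(doc, storage, category = "security") {
  let state = "blocked"; // "blocked" | "loaded" | "fallback"
  let injected = false;  // the script tag is added at most once per page

  function inject() {
    if (injected) return;
    const s = doc.createElement("script");
    s.src = CAPTCHA_SRC;
    s.defer = true;
    doc.head.appendChild(s);
    injected = true;
  }

  return {
    // Call on page load with the stored consent record (or null if the
    // visitor has not decided yet) and again on every banner change.
    apply(consent) {
      const choice = consent ? consent[category] : undefined;
      if (choice === true) {
        inject();
        state = "loaded";
      } else if (state === "loaded") {
        // Withdrawal: drop the stored validation token. The caller should
        // also reload the page so the executed script and iframe are gone.
        storage.removeItem(TOKEN_KEY);
        state = "fallback";
      } else if (choice === false) {
        state = "fallback"; // explicit decline: show the alternative check
      }
      return state; // stays "blocked" while no decision exists
    },
  };
}
```

The form handler should branch on the returned state: render the challenge only for `loaded`, and the alternative verification for `fallback`.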
EU-friendly alternatives include hCaptcha (Intuition Machines, EU servers and SCCs), Cloudflare Turnstile (US under EU-US Data Privacy Framework and SCCs), Friendly Captcha (Germany, privacy by design, no fingerprinting), Altcha (open-source, self-hostable) and Anubis or simple proof-of-work challenges. For low-risk forms, server-side measures such as honeypot fields, rate limiting and time-on-form checks can replace a third-party captcha entirely.
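The three server-side measures named above, combined into one first-party check for Node.js. This is an added example, not code from the page; the field names (`website`, `form_token`), the thresholds and the in-memory stores are assumptions for illustration.

```javascript
// Added example: honeypot field, signed time-on-form token and a per-IP
// sliding-window rate limit. No third-party request is made.
const crypto = require("crypto");

const SECRET = crypto.randomBytes(32);  // per-process key; persist it in production
const MIN_FILL_MS = 3000;               // faster submissions look scripted
const MAX_AGE_MS = 30 * 60 * 1000;      // stale form tokens are rejected
const WINDOW_MS = 60 * 1000;
const MAX_PER_WINDOW = 5;
const hits = new Map();                 // ip -> timestamps of recent submissions

const sign = (ts) =>
  crypto.createHmac("sha256", SECRET).update(String(ts)).digest("hex");

// Put the returned value in a hidden field when the form is rendered.
function issueFormToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

function rateLimited(ip, now) {
  const recent = (hits.get(ip) || []).filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  hits.set(ip, recent);
  return recent.length > MAX_PER_WINDOW;
}

// Returns { ok, reason } for one submission.
function checkSubmission({ ip, fields }, now = Date.now()) {
  if (rateLimited(ip, now)) return { ok: false, reason: "rate_limit" };
  // The honeypot input is hidden from people with CSS; only scripts fill it.
  if (fields.website) return { ok: false, reason: "honeypot" };
  const [ts, mac] = String(fields.form_token || "").split(".");
  const expected = Buffer.from(sign(ts));
  const given = Buffer.from(mac || "");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad_token" }; // missing or altered timestamp
  }
  const age = now - Number(ts);
  if (age < MIN_FILL_MS) return { ok: false, reason: "too_fast" };
  if (age > MAX_AGE_MS) return { ok: false, reason: "expired" };
  return { ok: true, reason: null };
}
```

The IP address is processed only in memory for the length of the window, which keeps the rate limit first-party and short-lived.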
List Yandex SmartCaptcha by name in the cookie register under the security or bot protection category. Disclose the controller (Yandex LLC), the data categories (IP, fingerprinting signals, behavioural data), the cookies and tokens set, the retention period, the legal basis (consent), the transfer destination (Russia) and the safeguards (SCC plus Transfer Impact Assessment). Provide a link to Yandex Cloud privacy documentation. Update the policy when you change provider or when the EDPB or your national DPA issues new guidance on Russian processors.