Overview
Google reCAPTCHA is a bot detection service that analyses user behaviour to distinguish humans from automated agents. It loads JavaScript from google.com and gstatic.com, sets cookies, and transmits behavioural telemetry to Google's infrastructure. reCAPTCHA v3 operates invisibly, continuously scoring user behaviour without presenting challenges.
Detection Capabilities
- Signature count: 3
- Detection methods: network
Performance Impact
- Script size: 150 KB
- Requests per page: 4
Common Mistakes
1. Claiming a strictly-necessary legal basis for reCAPTCHA without conducting a DPIA; the EDPB has established that behavioural analysis tools require assessment even when used for security
2. Loading reCAPTCHA on every page rather than only on forms that need bot protection, increasing unnecessary data transmission to Google
3. Not recognising that reCAPTCHA v3 runs continuously in the background collecting behavioural data (mouse movements, scrolling, typing patterns) even when the user never sees a challenge
4. Failing to disclose reCAPTCHA in the privacy policy and cookie declaration because it is considered a security tool rather than tracking
5. Not considering privacy-preserving alternatives (hCaptcha, Cloudflare Turnstile, server-side rate limiting) that achieve bot protection without transmitting behavioural data to Google
Compliance Considerations
reCAPTCHA collects behavioural data including mouse movements, scrolling patterns, typing cadence, and browser fingerprint information. This data is transmitted to Google for analysis.
Strictly-necessary argument: Organisations commonly claim legitimate interest or strictly-necessary legal basis for reCAPTCHA. However, multiple European DPAs have questioned this basis. The French CNIL has stated that bot detection cookies require consent unless strictly necessary for a service explicitly requested by the user. The DPC has flagged reCAPTCHA in cookie sweeps.
DPIA requirement: Per EDPB guidelines, processing that involves systematic monitoring of individuals and large-scale profiling requires a DPIA. reCAPTCHA v3's continuous behavioural analysis meets these criteria.
Alternatives: hCaptcha (privacy-focused, GDPR-compliant by design), Cloudflare Turnstile (no visible challenge, minimal data collection), or server-side rate limiting with progressive challenges.
International transfers: Google is certified under the EU-US Data Privacy Framework. Verify current self-certification status.
CMP configuration: If using a consent-based approach, categorise reCAPTCHA under functional consent. Consider loading it only on pages with forms that need protection, not site-wide.
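One way to implement the conditional loading described above, as an added example that is not code from the original page or from Google. It assumes a CMP that fires a hypothetical `cmp:consent` event carrying the granted categories, a `data-bot-protect` attribute marking protected forms, and a placeholder site key.

```javascript
// Added example: load reCAPTCHA v3 only with consent and only on pages that
// contain a protected form. Assumptions (not from the page): the CMP reports
// granted categories as an array of strings via a hypothetical "cmp:consent"
// event, protected forms carry a data-bot-protect attribute, and the site key
// is a placeholder.
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js?render=';
const LOADER_SELECTOR = 'script[data-recaptcha-loader]';

// Decide whether the script may load on this page.
function shouldLoadRecaptcha(doc, grantedCategories) {
  const hasConsent = grantedCategories.includes('functional');
  const hasProtectedForm = doc.querySelector('form[data-bot-protect]') !== null;
  return hasConsent && hasProtectedForm;
}

// Inject the script once; returns the script element, or null when gated.
function loadRecaptcha(doc, siteKey, grantedCategories) {
  if (!shouldLoadRecaptcha(doc, grantedCategories)) return null;
  const existing = doc.querySelector(LOADER_SELECTOR);
  if (existing) return existing; // consent events can fire more than once
  const script = doc.createElement('script');
  script.src = RECAPTCHA_SRC + encodeURIComponent(siteKey);
  script.async = true;
  script.setAttribute('data-recaptcha-loader', '');
  doc.head.appendChild(script);
  return script;
}

// Browser wiring (skipped outside a browser).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('cmp:consent', (event) => {
    loadRecaptcha(document, 'SITE_KEY_PLACEHOLDER', event.detail.granted);
  });
}
```

Withdrawing consent does not unload a script that has already been injected; the gate only applies again after a page reload.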