Category: Security | Complexity: Medium

Google reCAPTCHA

by Google

Sets cookies: Yes
Sends PII: No
Cross-site tracking: Yes
Consent required: Functional
Transfer mechanism: EU-US Data Privacy Framework
Cookies: _GRECAPTCHANID

Overview

Google reCAPTCHA is a bot detection service that analyses user behaviour to distinguish humans from automated agents. It loads JavaScript from google.com and gstatic.com, sets cookies, and transmits behavioural telemetry to Google's infrastructure. reCAPTCHA v3 operates invisibly, continuously scoring user behaviour without presenting challenges.

Detection Capabilities

Signature count: 3
Detection methods: network

Performance Impact

Script size: 150 KB
Requests per page: 4

Common Mistakes

  1. Claiming a strictly-necessary legal basis for reCAPTCHA without conducting a DPIA - the EDPB has established that behavioural analysis tools require assessment even when used for security
  2. Loading reCAPTCHA on every page rather than only on forms that need bot protection, increasing unnecessary data transmission to Google
  3. Not recognising that reCAPTCHA v3 runs continuously in the background collecting behavioural data (mouse movements, scrolling, typing patterns) even when the user never sees a challenge
  4. Failing to disclose reCAPTCHA in the privacy policy and cookie declaration because it is considered a security tool rather than tracking
  5. Not considering privacy-preserving alternatives (hCaptcha, Cloudflare Turnstile, server-side rate limiting) that achieve bot protection without transmitting behavioural data to Google

Compliance Considerations

reCAPTCHA collects behavioural data including mouse movements, scrolling patterns, typing cadence, and browser fingerprint information. This data is transmitted to Google for analysis.

Strictly-necessary argument: Organisations commonly claim legitimate interest or strictly-necessary legal basis for reCAPTCHA. However, multiple European DPAs have questioned this basis. The French CNIL has stated that bot detection cookies require consent unless strictly necessary for a service explicitly requested by the user. The DPC has flagged reCAPTCHA in cookie sweeps.

DPIA requirement: Per EDPB guidelines, processing that involves systematic monitoring of individuals and large-scale profiling requires a DPIA. reCAPTCHA v3's continuous behavioural analysis meets these criteria.

Alternatives: hCaptcha (privacy-focused, GDPR-compliant by design), Cloudflare Turnstile (no visible challenge, minimal data collection), or server-side rate limiting with progressive challenges.

International transfers: Google is certified under the EU-US Data Privacy Framework. Verify current self-certification status.

CMP configuration: If using a consent-based approach, categorise reCAPTCHA under functional consent. Consider loading reCAPTCHA only on pages with forms that need protection, not site-wide.
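One way to implement the consent-gated, page-scoped loading described above, as an added example that is not part of the original page or of Google's reCAPTCHA library: the script is injected only when the CMP has granted the functional category and the page contains a form marked for bot protection, so otherwise no request to google.com or gstatic.com is made and no reCAPTCHA cookie is set. The CMP consent object shape (`{ functional: true }`), the `data-bot-protect` form attribute and the site key placeholder are assumptions.

```javascript
// Added example: consent-gated, page-scoped reCAPTCHA loader (not Google's own code).
const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";
const SITE_KEY = "YOUR_SITE_KEY"; // placeholder: substitute the real site key

// Pure decision logic, kept DOM-free so it can be unit tested.
// `consent` is the CMP's category map (assumed shape: { functional: boolean }).
function recaptchaLoadPlan(consent, protectedFormCount) {
  if (!consent || consent.functional !== true) {
    return { load: false, reason: "functional consent not granted" };
  }
  if (protectedFormCount === 0) {
    return { load: false, reason: "no protected form on this page" };
  }
  return { load: true, src: `${RECAPTCHA_SRC}?render=${encodeURIComponent(SITE_KEY)}` };
}

// DOM side: count opted-in forms (assumed marker: form[data-bot-protect]),
// apply the plan, and inject the script tag at most once per document.
function maybeLoadRecaptcha(doc, consent) {
  const protectedForms = doc.querySelectorAll("form[data-bot-protect]").length;
  const plan = recaptchaLoadPlan(consent, protectedForms);
  if (!plan.load) return plan;
  if (doc.querySelector(`script[src^="${RECAPTCHA_SRC}"]`)) {
    return { ...plan, alreadyLoaded: true };
  }
  const script = doc.createElement("script");
  script.src = plan.src;
  script.async = true;
  script.defer = true;
  doc.head.appendChild(script);
  return plan;
}

// Constructed stand-in for `document` so the logic runs outside a browser.
function fakeDocument(protectedFormCount) {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    head,
    querySelectorAll: (sel) => (sel.startsWith("form") ? new Array(protectedFormCount).fill({}) : []),
    querySelector: (sel) =>
      head.children.find((el) => sel.startsWith("script") && el.src.startsWith(RECAPTCHA_SRC)) || null,
    createElement: (tag) => ({ tag }),
  };
}
```

In a real page, `maybeLoadRecaptcha(document, consent)` would be called from the CMP's consent-update callback rather than at page load, so a later grant still triggers the load and a page without protected forms never does.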

Related Services

Need help governing Google reCAPTCHA?

Our governance diagnostic identifies compliance gaps across your entire tag set.

Start your Governance Diagnostic

All product names, logos and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.