Category: Security
Complexity: Medium

Google reCAPTCHA

by Google

Sets cookies: Yes
Sends PII: No
Cross-site tracking: Yes
Consent required: Functional
Transfer mechanism: EU-US Data Privacy Framework
Cookies: _GRECAPTCHANID

Overview

Google reCAPTCHA is a bot detection service that analyses user behaviour to distinguish humans from automated agents. It loads JavaScript from google.com and gstatic.com, sets cookies, and transmits behavioural telemetry to Google's infrastructure. reCAPTCHA v3 operates invisibly, continuously scoring user behaviour without presenting challenges.

Detection Capabilities

Signature count: 3
Detection methods: network

Performance Impact

Script size: 150 KB
Requests per page: 4

Common Mistakes

  1. Claiming a strictly-necessary legal basis for reCAPTCHA without conducting a DPIA - the EDPB has established that behavioural analysis tools require assessment even when used for security
  2. Loading reCAPTCHA on every page rather than only on forms that need bot protection, increasing unnecessary data transmission to Google
  3. Not recognising that reCAPTCHA v3 runs continuously in the background collecting behavioural data (mouse movements, scrolling, typing patterns) even when the user never sees a challenge
  4. Failing to disclose reCAPTCHA in the privacy policy and cookie declaration because it is considered a security tool rather than tracking
  5. Not considering privacy-preserving alternatives (hCaptcha, Cloudflare Turnstile, server-side rate limiting) that achieve bot protection without transmitting behavioural data to Google

Compliance Considerations

reCAPTCHA collects behavioural data including mouse movements, scrolling patterns, typing cadence, and browser fingerprint information. This data is transmitted to Google for analysis.

Strictly-necessary argument: Organisations commonly claim legitimate interest or a strictly-necessary legal basis for reCAPTCHA. However, multiple European DPAs have questioned this basis. The French CNIL has stated that bot detection cookies require consent unless they are strictly necessary for a service explicitly requested by the user. The DPC has flagged reCAPTCHA in cookie sweeps.

DPIA requirement: Per EDPB guidelines, processing that involves systematic monitoring of individuals and large-scale profiling requires a DPIA. reCAPTCHA v3's continuous behavioural analysis meets these criteria.

Alternatives: hCaptcha (privacy-focused, GDPR-compliant by design), Cloudflare Turnstile (no visible challenge, minimal data collection), or server-side rate limiting with progressive challenges.

International transfers: Google is certified under the EU-US Data Privacy Framework. Verify current self-certification status.

CMP configuration: If using a consent-based approach, categorise reCAPTCHA under functional consent. Consider loading reCAPTCHA only on pages with forms that need protection, not site-wide.
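The CMP-gated, form-only loading pattern described above, as an added example that is not part of this catalogue entry or of Google's reCAPTCHA code. It assumes a CMP that exposes a consent object with a `functional` flag, a `data-bot-protect` attribute that the site puts on forms needing protection, and a placeholder site key; the `https://www.google.com/recaptcha/api.js?render=<site key>` loader URL is Google's documented v3 form. The `fakeDocument` helper is a constructed stand-in for the DOM so the decision logic runs offline.

```javascript
// Added example: inject the reCAPTCHA v3 loader only when the CMP reports
// functional consent AND the current page contains a form that needs bot
// protection. Everything else (consent shape, data-bot-protect, site key) is an
// assumption made for this example, not something the catalogue entry specifies.

// Google's v3 loader endpoint; the site key is passed as ?render=<site key>.
const RECAPTCHA_BASE = "https://www.google.com/recaptcha/api.js";

// Pure decision: returns { load: true, src } or { load: false, reason }.
// consent: assumed CMP object such as { functional: true }.
// hasProtectedForm: whether the page has a form marked data-bot-protect.
// siteKey: reCAPTCHA v3 site key (placeholder in the demo below).
function decideRecaptchaLoad({ consent, hasProtectedForm, siteKey }) {
  if (!consent || consent.functional !== true) {
    return { load: false, reason: "no functional consent" };
  }
  if (!hasProtectedForm) {
    return { load: false, reason: "no protected form on page" };
  }
  if (typeof siteKey !== "string" || siteKey.length === 0) {
    return { load: false, reason: "missing site key" };
  }
  return {
    load: true,
    src: `${RECAPTCHA_BASE}?render=${encodeURIComponent(siteKey)}`,
  };
}

// True when the page carries at least one form opted in to bot protection.
function pageHasProtectedForm(doc) {
  return doc.querySelector("form[data-bot-protect]") !== null;
}

// Browser-side entry point: evaluates the decision against the document and
// injects the script tag once at most. Returns the decision so the caller can
// log why the script was or was not loaded (useful evidence for a DPIA).
function loadRecaptchaIfAllowed(doc, consent, siteKey) {
  const decision = decideRecaptchaLoad({
    consent,
    hasProtectedForm: pageHasProtectedForm(doc),
    siteKey,
  });
  const alreadyLoaded =
    doc.querySelector(`script[src^="${RECAPTCHA_BASE}"]`) !== null;
  if (decision.load && !alreadyLoaded) {
    const s = doc.createElement("script");
    s.src = decision.src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return decision;
}

// Constructed minimal DOM stand-in so the example runs outside a browser.
// It answers the two selectors used above and records appended scripts.
function fakeDocument({ withForm }) {
  const appended = [];
  return {
    appended,
    querySelector(selector) {
      if (selector === "form[data-bot-protect]") return withForm ? {} : null;
      return (
        appended.find((el) => typeof el.src === "string" &&
          el.src.startsWith(RECAPTCHA_BASE)) || null
      );
    },
    createElement() {
      return {};
    },
    head: {
      appendChild(el) {
        appended.push(el);
      },
    },
  };
}

// Demo run with constructed inputs and a placeholder site key.
const demoDoc = fakeDocument({ withForm: true });
console.log(loadRecaptchaIfAllowed(demoDoc, { functional: true }, "SITE_KEY_PLACEHOLDER"));
console.log(loadRecaptchaIfAllowed(fakeDocument({ withForm: false }), { functional: true }, "SITE_KEY_PLACEHOLDER"));
console.log(loadRecaptchaIfAllowed(demoDoc, { functional: false }, "SITE_KEY_PLACEHOLDER"));
```

In a real deployment the call would run from the CMP's consent-changed callback rather than at page load, so that withdrawing functional consent stops the script from being injected on subsequent pages; the returned decision object gives a loggable record of the basis on which the script was or was not loaded.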

Need help governing Google reCAPTCHA?

Our governance diagnostic identifies compliance gaps across your entire tag estate.

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.