Is Google reCAPTCHA GDPR Compliant?
The French data protection authority, the “CNIL”, recently sanctioned a company for using Google reCAPTCHA, a popular bot detection tool. What does the case mean for the thousands of websites and apps using reCAPTCHA to stop bots?
This article will explain whether using Google reCAPTCHA is GDPR compliant and consider if you can use the tool without violating EU data protection and privacy laws.
Google reCAPTCHA and Privacy
Websites and apps use Google’s reCAPTCHA tool to distinguish bots from genuine users (humans).
Google reCAPTCHA is just one type of CAPTCHA (which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart"). Different CAPTCHAs use different authentication methods.
Early reCAPTCHA versions required website visitors to decipher text or perform other tasks that are easy for humans but difficult for bots. Incidentally, Google has faced criticism for “extract(ing) free digital labour” by using these early reCAPTCHA versions to train its AI models.
But the most recent version of reCAPTCHA works by using third-party cookies. This creates a more frictionless user experience—but also carries heavier privacy implications.
CNIL Case on Google reCAPTCHA
The CNIL’s 16 March decision (in French) was about an e-scooter company called Cityscoot.
The company received a €125,000 penalty, but this was not only due to Cityscoot’s use of reCAPTCHA. The CNIL’s investigation was mainly about how Cityscoot tracked the location of its scooters and the information contained in Cityscoot’s contracts.
But during the investigation, the CNIL noticed that Cityscoot used reCAPTCHA on its website and app.
The CNIL noted that Cityscoot:
- Did not provide any privacy information about reCAPTCHA.
- Did not seek visitors’ consent for using reCAPTCHA.
Because reCAPTCHA works by using cookies, these omissions were a problem for Cityscoot.
Do Cookies Require Consent?
The CNIL investigated Cityscoot’s use of reCAPTCHA under Article 82 of the French Data Protection Law. This part of French law implements the ePrivacy Directive, an EU law that regulates cookies and other trackers.
Under the ePrivacy Directive:
- App and website operators must explain what cookies they use and why they use cookies.
- Most cookies require consent.
However, there are exceptions to the consent rule for:
- Cookies used “for the sole purpose of carrying out the transmission of a communication…”
- Cookies that are “strictly necessary (to provide a) service explicitly requested by the user…”
Many data protection authorities (including the CNIL) also allow privacy-friendly first-party analytics cookies without consent.
Note: We’re using “cookies” as a shorthand for any technologies that can access or store information on a person’s device. This can also include beacons, pixels, scripts, and other technologies.
Is reCAPTCHA ‘Strictly Necessary’?
Cityscoot argued that reCAPTCHA fell under the second exception above and did not require consent.
The company said it was using reCAPTCHA to provide a service “explicitly requested by the user” (logging into Cityscoot) and that reCAPTCHA was “strictly necessary” to provide this service.
This is partly correct. An opinion on cookie consent adopted by EU data protection regulators accepts that some authentication and “user-centric security” cookies can be exempt from cookie consent.
But there’s a caveat in the guidance: “The act of authentication must not be taken as an opportunity to use the cookie for other secondary purposes…”
The CNIL noted that reCAPTCHA works by sending data about device and application data to Google for analysis. Therefore, the tool did not fall under the “strictly necessary” exception to cookie consent.
Google reCAPTCHA and Privacy Information
As noted, websites and apps that use cookies must provide information about:
- What their cookies do.
- What purposes they use cookies for.
- How a website visitor can decline cookies.
Cityscoot said it had provided this information because Google’s reCAPTCHA widget displays a link to Google’s privacy policy and terms of service.
The CNIL did not accept that this met the transparency requirements. The regulator found that Cityscoot should have provided its own cookie information directly.
Questions and Answers About Google reCAPTCHA
We’ve considered the facts of this case. Now let’s consider some lessons about Google reCAPTCHA’s data collection under EU law.
Is Google reCAPTCHA Illegal in the EU?
European data protection authorities do not have the power to issue EU-wide bans on specific products.
However, it is possible to use reCAPTCHA illegally under EU law, and several app and website operators have been found to have done this. If you want to use reCAPTCHA without breaking the law, you may wish to seek professional legal advice.
As we’ll consider below, it might be impossible to use reCAPTCHA legally under EU law, but no data protection authority has said this.
Does Google reCAPTCHA Require Consent?
Yes, according to the French data protection authority, Google reCAPTCHA requires consent. This is because Google reCAPTCHA cookies collect information about a user’s device and browser and transfer that information to Google.
Because this data processing is not “strictly necessary” for providing login authentication, Google reCAPTCHA cookies require consent.
Wouldn’t Requesting Consent Undermine the Effectiveness of reCAPTCHA?
Yes, requesting consent arguably makes reCAPTCHA ineffective.
Under the GDPR, consent must be “freely given”—you cannot deny a person access to your services because they refuse to provide consent.
Google reCAPTCHA is designed to verify whether website users are humans or bots. In theory, spam bots (or humans) could refuse consent for reCAPTCHA and log in without authentication.
Therefore, an authentication method that requires consent—such as Google reCAPTCHA—is arguably ineffective.
Is This the Only reCAPTCHA Decision?
No, there have been other legal decisions relating to Google reCAPTCHA that have confirmed that the tool requires consent.
For example, the French data protection authority also investigated the use of “invisible reCAPTCHA”—a version of reCAPTCHA with no checkbox—in the government’s “StopCovid” app.
As with this most recent decision about Cityscoot, the CNIL found that the government should have provided information and requested consent for reCAPTCHA.
Privacy advocate David Libeau published another non-public decision about reCAPTCHA in which the CNIL drew the same conclusions.
Does Google reCAPTCHA Only Require Consent in France?
So far, the only publicly-available decisions about Google reCAPTCHA privacy appear to have been made by the French data protection authority, the CNIL.
However, the ePrivacy Directive and the GDPR have been implemented in every EU member state (plus the UK, Iceland, Lichtenstein, and Noway).
Also, the CNIL made its most recent reCAPTCHA decision in conjunction with the Spanish and Italian data protection authorities.
Isn’t Google Responsible for reCAPTCHA?
No, Google is not responsible for how website owners use reCAPTCHA.
The CNIL found that the app or website owner using reCAPTCHA is responsible for getting consent and providing information. Google also states that reCAPTCHA users have these responsibilities.
Generally speaking, you cannot outsource your GDPR compliance obligations—you are accountable for any activities of data processors working on your behalf.
Is Google reCAPTCHA GDPR Compliant?
The French cases focus on the ePrivacy Directive (or Article 82 of the French Data Protection Law), which regulates cookies. These decisions have found that reCAPTCHA requires consent, and consent must meet GDPR standards.
However, some other Google-related issues suggest that using reCAPTCHA might not be GDPR compliant even with consent.
We know from the CNIL’s decision that reCAPTCHA transfers personal data to Google, a US company. The regulator did not investigate whether this breached the GDPR’s international data transfer rules, but there are reasons to believe that it could.
But because of the EU’s strict rules on international transfers of personal data—particularly to the US—European companies have been sanctioned for using several other Google products:
- Google Analytics: Decisions and statements from at least eight data protection authorities across Europe since early 2022 suggest that Google Analytics cannot be used legally under the GDPR.
- Google Fonts: A German court ruling last January found that integrating Google Fonts transfers personal data to the US without proper safeguards.
- Google Workspace: A 2021 decision from the Danish data protection authority banned a school district from using Google Workspace and Chromebooks due to data transfer violations.
There’s no reason to believe that reCAPTCHA works any differently.
Because of Google’s status as an “electronic communications service provider” under US law, using any Google product—with or without consent—risks violating the GDPR.
Try Wide Angle Analytics!