- What is Captcha and reCAPTCHA
- Why reCAPTCHA can be GDPR conform
- Loaded on ALL pages for ALL users – the main problem
- How we think you can use it correctly and GDPR conform
- WordPress GDPR reCAPTCHA Plugin for Contact 7
- Google’s own description
- It records movement on the website
- What does a GDPR lawyer say?
- Calculated risk
What is Captcha and reCAPTCHA
Captcha is a tool that uses images to screen out bots. Captchas come in many forms and many are free. The problem is that they are easy for bots to overcome while being a pain in the a$$ for real users.
reCAPTCHA is also a free captcha service that is used to protect websites from spam and abuse. It is developed by Google and is used by millions of websites.
It is the best solution to block spam and bots. Whether reCAPTCHA is GDPR compliant is subject to debate.
In this article I want to give an overview and some tips on how to make it MUCH more GDPR compliant.
Why reCAPTCHA can be GDPR conform
(I am not a lawyer and this is just my opinion)
As you will read in this post, there are several problems with reCAPTCHA:
- Firstly, the tool sends data to Google,
- it saves cookies on the computer, and
- Google doesn’t openly say what it uses the data for.
But it helps tremendously to block spam and bots. So there is a legitimate interest in using such tools. But what makes it even more problematic in my eyes?
Loaded on ALL pages for ALL users – the main problem
Personally my main issue is that the tool is used on ALL pages, meaning that Google evaluates data from the get-go for EVERY user.
That is in my eyes the MAJOR problem. Why should Google know about ALL our users? How can that be necessary?
If we limit the use to ONLY people who actually ENGAGE and use a form, for example, it is much more in the interest of users.
How we think you can use it correctly and GDPR conform
It is in the interest of users who engage with us that their requests are not lost among hundreds of spam messages that are blocked or overlooked in Outlook or similar tools.
Meaning there is a legitimate interest, also for users who engage with us, that spam protection is in place.
Alternatives like honeypots or similar are just not good enough or not cheap.
Therefore we use a function to defer reCAPTCHA. That means we prevent it from loading on a website until someone signals that they want to engage with us – one key activity is filling in a form. This means the usage is limited.
People who don’t show any interest in engaging with us or a company are completely safeguarded from reCAPTCHA or Google’s potential tracking.
WordPress GDPR reCAPTCHA Plugin for Contact 7
For the very popular WordPress plugin Contact 7, we created a free plugin.
The plugin will check if you have Contact 7 installed on your website and, when it does, it will hold back loading reCAPTCHA until AFTER a person clicks on the form’s fields.
If you need additional functions to get your reCAPTCHA installation more GDPR compliant, we can create that for you, so your WordPress website only loads reCAPTCHA when people engage.
But let’s take a closer look at the background data and why we think you should NOT load it on all pages, and why you should only embed it with consent or by limiting its use to engaging users only.
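The deferral described in the previous section and the plugin behaviour above (hold back reCAPTCHA until a visitor touches a form field) look roughly like this in the browser. This is an added example, not the plugin’s code; it assumes each form contains an empty `<div class="g-recaptcha-slot">` and that `SITE_KEY` is replaced with your own key.

```javascript
// Added example: defer loading Google's reCAPTCHA script until a visitor
// engages with a form (first focus or pointer-down on a field). Until then
// no request goes to google.com and no reCAPTCHA cookie can be set.
// Assumptions: a <div class="g-recaptcha-slot"> inside each form, and
// SITE_KEY is a placeholder you must replace with your own site key.
const SITE_KEY = 'YOUR_RECAPTCHA_SITE_KEY_HERE'; // placeholder, not a real key
// render=explicit + onload= lets us render the widget ourselves once api.js arrives.
const API_URL = 'https://www.google.com/recaptcha/api.js?render=explicit&onload=onRecaptchaReady';

// Pure, testable core: however many engagement events fire (focus on every
// field, repeated clicks), the script is injected exactly once.
function createDeferredLoader(injectScript) {
  let state = 'idle'; // 'idle' -> 'loading' once the script tag is added
  return {
    trigger() {
      if (state !== 'idle') return false; // already requested, ignore repeats
      state = 'loading';
      injectScript(API_URL);
      return true;
    },
    get state() { return state; },
  };
}

// Browser side: add the <script> tag only now, at first engagement.
function injectRecaptchaScript(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// Wire one loader to every form. focusin bubbles (unlike focus), so one
// listener per form covers all of its fields; pointerdown catches a click
// on the (still empty) reCAPTCHA slot itself. Returns the number of forms.
function attachToForms(doc, loader) {
  const forms = doc.querySelectorAll('form');
  forms.forEach((form) => {
    ['focusin', 'pointerdown'].forEach((evt) =>
      form.addEventListener(evt, () => loader.trigger()));
  });
  return forms.length;
}

if (typeof document !== 'undefined') {
  // Called by api.js when it has loaded (name given via the onload= parameter).
  window.onRecaptchaReady = () => {
    document.querySelectorAll('.g-recaptcha-slot').forEach((slot) => {
      grecaptcha.render(slot, { sitekey: SITE_KEY });
    });
  };
  attachToForms(document, createDeferredLoader(injectRecaptchaScript));
}
```

A visitor who only reads the page never triggers `trigger()`, so the network tab shows no call to google.com until a form field is focused or clicked.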
Google’s own description
Google describes their reCAPTCHA like this:
reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.
reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.
This seems logical, but the last part suggests Google is using the software for other reasons than plain spam and bot protection.
It records movement on the website
Another great resource from Hostinger explaining how reCAPTCHA works writes this:
Users don’t need to solve or recognize anything to pass the checkbox reCAPTCHA test. Simply check a box next to the statement saying “I’m not a robot”.
This test distinguishes humans from bots by following the cursor movement as it approaches the checkbox. Even a human user with the most stable hand will display some randomness in cursor movement, even on a microscopic level. A bot, typically, will not be able to mimic this kind of movement, preferring to act in a straight line.
If the cursor movement indicates that the user is a human, a green check icon will be displayed upon clicking the box.
Other than following the cursor movement, this test also assesses HTTP cookies and history present in the web browser.
Clearly, based on the above, data is evaluated and used by Google. We don’t know if Google uses this data to personalize their products.
What does a GDPR lawyer say?
As a GDPR lawyer in Germany noted, the service on the surface seems legit and GDPR conform; however, the fact that we have to agree that Google can use the data for something else makes it potentially a problem.
He argues that it is a case of weighing the legitimate interest against the fundamental rights of the user – I quote:
V. Is the use of Google reCAPTCHA justified by a legitimate interest?
A possible legal basis for data processing is legitimate interest pursuant to Art. 6 (1) lit. f DSGVO. Let’s take a look at the wording of this provision:
“Processing is lawful only if the processing is necessary for the purposes of the legitimate interests of the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (…).”
A legitimate interest of the website operator here could certainly be protection against spambots. However, according to Art. 6(1)(f) DSGVO, this interest must be weighed against the interest or fundamental rights of the user.
In any case, it can be said here that the more data Google collects about user behavior and the more intensively it evaluates this data, the more the fundamental rights of the user, namely the general right to privacy, are impaired by the data collection of Google reCAPTCHA. The more Google, for example, even creates a kind of personality profile of the user from the user behavior, the more the fundamental rights of the user prevail over the use of Google reCAPTCHA by the website operator without consent.
Where on this spectrum Google reCAPTCHA is now to be located, however, ultimately remains speculation. So I can only say somewhat cautiously that the use of Google reCAPTCHA without consent is fraught with risk. You should therefore better not use it.
If you use Google reCAPTCHA with consent, for example by including it in the cookie banner, the problem arises that bots can bypass the tool very easily. All they have to do is reject the cookies. Maybe there is a solution for this problem, but I don’t know it.
The problem is with Google’s Terms of Use.
Calculated risk
From the above, using reCAPTCHA is possible, but it does entail a calculated risk.
However, in my eyes, if you use the method we described or our plugin, the use of reCAPTCHA is pretty much safe in terms of getting a warning from a lawyer, because the lawyer won’t see the code being loaded.
Also, with the set-up we recommend, you can make a case that you did your best to prevent data from being misused: you limited the reach of reCAPTCHA.