The reCAPTCHA GDPR Problem: What Developers Need to Know
reCAPTCHA is the world's most popular CAPTCHA, used on more sites than all alternatives combined. It's also the one European data protection authorities keep fining people for using. France's CNIL, Austria's DSB, and Bavaria's BayLDA have all taken action against reCAPTCHA deployments — not because CAPTCHAs are illegal, but because most implementations violate consent requirements.
If you use reCAPTCHA on a site that serves EU users, here's what's actually wrong and what to do about it.
Three Ways Default reCAPTCHA Deployments Violate GDPR
1. It Collects Far More Data Than Needed
reCAPTCHA doesn't just check if you're human. It collects:
- IP address and geolocation
- Browser fingerprint (plugins, screen resolution, fonts, WebGL renderer)
- Mouse movements, scroll patterns, and keystroke timing
- Cookies (including Google advertising cookies if the user is signed into Chrome)
- Referrer URL, page URL, and browsing history signals
This data collection begins the moment the reCAPTCHA JavaScript loads — before the user interacts with your form, before they consent, and on every page where you include the script (v3 recommends loading it site-wide).
v3 is especially problematic: Google recommends loading reCAPTCHA v3 on every page (not just forms) to build behavioral profiles. This means every page view triggers data collection — massively increasing the scope of personal data processing compared to v2, which only loads on form pages.
GDPR's data minimization principle (Article 5(1)(c)) requires you to collect only data that's necessary for the stated purpose. Collecting browsing history and advertising cookies to determine if someone is human is hard to justify as "necessary."
2. It Transfers Data to the US Without Adequate Safeguards
reCAPTCHA sends all collected data to Google's US servers. Under GDPR, transferring EU personal data to the US requires a valid legal mechanism:
- EU-US Data Privacy Framework (DPF): The current mechanism. Google is certified. But the DPF faces potential challenges (informally called "Schrems III") similar to the ones that struck down Safe Harbor and Privacy Shield.
- Standard Contractual Clauses (SCCs): Require a Transfer Impact Assessment documenting that US surveillance laws don't undermine the protections. Given FISA Section 702, this assessment is difficult to pass honestly.
The Austrian DPA ruled in January 2022 that Google Analytics transfers violated GDPR because US surveillance laws provide insufficient protection. The same legal reasoning applies to reCAPTCHA — it uses the same infrastructure, the same data controllers, and the same transfer mechanisms.
3. Cookies Require Prior Consent
reCAPTCHA sets cookies that are not "strictly necessary" for the website to function. The Austrian DPA explicitly ruled this in response to a NOYB complaint. Under the ePrivacy Directive (implemented as TTDSG in Germany, PECR in the UK, and CNIL guidance in France), non-essential cookies require prior consent.
This means: you cannot load the reCAPTCHA JavaScript until the user has actively consented via a cookie banner. Loading it by default and relying on "legitimate interest" as a basis for the cookies is not sufficient.
The April 2026 Change Clarifies (and Increases) Your Liability
On April 2, 2026, Google changed reCAPTCHA's legal structure. Google switched from being a data controller (responsible for how it uses reCAPTCHA data) to a data processor (acting only on your instructions).
This clarifies the legal relationship — Google no longer makes independent decisions about reCAPTCHA data. But it means the compliance burden falls entirely on you:
- Before: Google shared responsibility for reCAPTCHA data processing. Google's privacy policy partially covered usage.
- After: You are the sole data controller. You must determine the lawful basis, handle data subject requests, and justify every category of data reCAPTCHA collects — including data Google collects for its own scoring models.
Action required now:
- Update your privacy policy — remove references to Google as data controller
- Sign Google's reCAPTCHA Data Processing Addendum
- Document your lawful basis for all data reCAPTCHA collects
- Implement consent management that blocks reCAPTCHA until the user opts in
What the Regulators Have Actually Said
| Authority | Ruling/Guidance | Impact |
|---|---|---|
| CNIL (France) | Fined companies for loading reCAPTCHA without prior cookie consent | Consent required before loading the script |
| DSB (Austria) | Ruled reCAPTCHA cookies are not "technically necessary" | Cannot rely on "strictly necessary" exemption |
| BayLDA (Bavaria) | Cautioned against US-based CAPTCHA services for public sector sites | Public bodies should use EU alternatives |
| EDPB (EU-wide) | Late 2024 guidelines raised compliance bar for third-party CAPTCHAs | Higher documentation requirements |
Can You Make reCAPTCHA GDPR-Compliant?
Technically yes, but the compliance burden is significant:
- Implement a Consent Management Platform (CMP) that blocks reCAPTCHA JavaScript until the user explicitly opts in
- Provide an alternative path for users who decline — email verification, honeypot-only validation, or manual review
```php
<?php
// Only load reCAPTCHA after the user has opted in through the consent banner.
// The cookie name "captcha_consent" is the site's own choice.
$hasConsent = isset($_COOKIE['captcha_consent']) && $_COOKIE['captcha_consent'] === 'accepted';
?>
<?php if ($hasConsent): ?>
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_V3_KEY"></script>
<?php else: ?>
<!-- Fall back to honeypot + timing checks: a hidden field humans never fill,
     plus a timestamp so submissions arriving too fast can be rejected server-side -->
<input type="text" name="website" tabindex="-1" autocomplete="off" aria-hidden="true" style="position:absolute;left:-9999px">
<input type="hidden" name="form_ts" value="<?= time() ?>">
<?php endif; ?>
```
- Complete a Legitimate Interest Assessment (LIA) if using legitimate interest as your lawful basis
- Complete a Transfer Impact Assessment (TIA) for the US data transfer
- Sign Google's DPA and maintain records of processing activities (Article 30)
- Handle data subject requests — users can request deletion of their reCAPTCHA data, and you're responsible for fulfilling it
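The server-side counterpart of the consent-gated form above, written as an added example rather than code from the original article: with consent the v3 token is verified against Google's siteverify endpoint, and without consent only local honeypot and timing checks run, so nothing about the visitor is sent to Google. The field names (`website`, `form_ts`, `g-recaptcha-response`), the `contact` action name, the cookie name and the thresholds are assumptions for this example.

```php
<?php
// Added example (not from the original article). Two paths for one form:
// consent given  -> verify the v3 token with Google's siteverify API
// consent absent -> honeypot + timing checks only, no third party involved
// Field names, cookie name, action name and thresholds are assumptions.

const SITEVERIFY_URL   = 'https://www.google.com/recaptcha/api/siteverify';
const MIN_FILL_SECONDS = 3;     // submitted faster than a human could type
const MAX_FILL_SECONDS = 3600;  // stale timestamp, likely replayed
const MIN_SCORE        = 0.5;   // v3 score threshold for this form

// Fallback path: hidden "website" field must stay empty, form open a plausible time.
function fallbackCheck(array $post, int $now): bool
{
    if (($post['website'] ?? '') !== '') {
        return false;                       // honeypot was filled in
    }
    $age = $now - (int) ($post['form_ts'] ?? 0);
    return $age >= MIN_FILL_SECONDS && $age <= MAX_FILL_SECONDS;
}

// Consent path: remoteip is optional for siteverify and deliberately omitted (data minimisation).
function verifyRecaptcha(string $token, string $secret, string $expectedAction): bool
{
    if ($token === '') {
        return false;
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout' => 5,
    ]]);
    $raw = @file_get_contents(SITEVERIFY_URL, false, $ctx);
    $res = $raw === false ? null : json_decode($raw, true);
    return is_array($res)
        && ($res['success'] ?? false) === true
        && ($res['action'] ?? '') === $expectedAction   // token minted for this form
        && (float) ($res['score'] ?? 0) >= MIN_SCORE;
}

// Route the submission by the consent decision the banner recorded.
function isHumanSubmission(array $post, array $cookies, string $secret, int $now): bool
{
    if (($cookies['captcha_consent'] ?? '') !== 'accepted') {
        return fallbackCheck($post, $now);  // user declined: never call Google
    }
    return verifyRecaptcha($post['g-recaptcha-response'] ?? '', $secret, 'contact');
}
```

Call `isHumanSubmission($_POST, $_COOKIE, $secret, time())` from the form handler; the fallback path is what keeps the "users who decline" route working without any data transfer.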
For most PHP developers, this is more work than switching to a compliant alternative.
Alternatives That Avoid the Problem
| Solution | GDPR Status | Why It's Simpler |
|---|---|---|
| ALTCHA (self-hosted) | No personal data leaves your server | No consent needed, no DPA, no TIA |
| Friendly Captcha | EU-hosted (Germany), no cookies | No cross-border transfer, simpler consent |
| Honeypot + rate limiting | No third-party data processing | Fully compliant by default |
| Cloudflare Turnstile | US-based but claims no cookies | Simpler than reCAPTCHA, but still US transfer |
See our GDPR & CAPTCHA compliance guide for implementation details, or our CAPTCHA alternatives comparison for the full breakdown.
Verdict
reCAPTCHA isn't inherently illegal under GDPR. But making it compliant requires consent management, privacy policy updates, DPAs, TIAs, LIAs, and a fallback for users who decline. Most PHP developers using reCAPTCHA have done none of these steps — which means most deployments are technically non-compliant.
The April 2026 controller-to-processor shift makes this worse by putting full liability on site operators. If you're starting a new project, use a GDPR-friendly alternative and skip the compliance headache entirely. If you're stuck with reCAPTCHA, at least implement consent management and update your privacy policy.