DataDome

Ruling: reCAPTCHA Uses Data for Purposes Other Than Security, French Privacy Commission Confirms


Google’s reCAPTCHA is the most-used CAPTCHA on the internet—but it’s not the safest, the most effective, or the most privacy-compliant. The French privacy commission (CNIL) has officially determined that reCAPTCHA uses excessive personal data for purposes other than security, which affects the privacy of end-users who interact with websites and apps using reCAPTCHA.

Because reCAPTCHA is not automatically GDPR compliant, any company subject to GDPR that is using reCAPTCHA must bridge the gap by providing very clear information to end-users about what data is gathered for what purposes, and where the data is sent and stored.

ReCAPTCHA & GDPR

The foundational idea behind GDPR is that user data across the internet should be private and protected—and not gathered unless for a specific purpose known to the data subject. On top of that, before a user’s data is collected, they should be told exactly what details will be gathered, and they should be given an option to opt out of the data collection.

Since 2020, CNIL has been investigating how reCAPTCHA uses data, and whether the businesses using reCAPTCHA on their websites are properly informing users and asking for consent. Google itself does not clearly define the purpose for which reCAPTCHA collects user data (which includes the IP address, cookies deposited by Google on the device in the last six months, and a list of browser plugins), and there has been speculation that the data could be sent to Google Analytics (a marketing platform), among other possible uses.

Google does note that companies need to inform and obtain consent from end-users to process their data, but it does not provide or enforce such notifications.

In essence, companies that use reCAPTCHA are responsible for ensuring that the gathering of user consent is “free, specific, informed, and unambiguous” per GDPR requirements. Obtaining consent is challenging because the purpose of the data collection is not fully defined or understood—so consent cannot be fully informed.

CAPTCHA & Data Collection

The best way to protect your website, mobile app, and/or API is by leveraging a solution that does not gather unnecessary data and, more importantly, uses the data it processes only for security purposes. A traditional CAPTCHA, like reCAPTCHA, that uses data for reasons other than security must allow end-users to opt out in order to be GDPR compliant—which bots can use as a loophole to bypass the challenge.

The following qualities are essential in a GDPR-compliant CAPTCHA solution:

  • Transparency on data collection, storage, and retention.
  • Highest security and encryption standards.
  • Exemption from end-user consent and opt-out requirements (thanks to transparency around minimal data collection and use for security purposes only).

Your bot and fraud protection provider should guarantee that they only process data for security purposes, and that they adhere to the highest data processing standards and best practices.

DataDome CAPTCHA: Safeguarding User Privacy

DataDome’s frictionless CAPTCHA solution integrates fully with our powerful bot and fraud protection. The machine-learning-powered detection engine roots out bots in real time, from the first request, and only serves a CAPTCHA challenge, to gather additional signals, when the existing signals indicate the user is likely a bot.

DataDome only gathers the absolutely necessary data, which is protected with the highest security standards and used solely for detection and security.

Our industry-leading false positive rate of 0.01% ensures that only 1 in 10,000 CAPTCHA challenges might be seen by a human. And on the rare occasion that happens, human users find a CAPTCHA that is quick to load and straightforward to solve—easy for humans, hard for bots.

Our CAPTCHA has already stopped millions of malicious CAPTCHA-passing attempts by bots and bad actors, and each attempt only improves the accuracy of our detection engine. We deliver unparalleled accuracy without compromise—preserving your user experience, security, and site performance, all while protecting your customers’ data.

Rather than collecting as much end-user data as possible for unknown purposes, DataDome maintains global compliance with data privacy laws in North America, EMEA, APAC, South America, and Africa. No consent or opt-out is required.

Conclusion

CNIL has officially declared what many data privacy enthusiasts have long speculated: reCAPTCHA gathers excessive customer data, including PII, and does not disclose exactly why or how it is used. Any business using reCAPTCHA for protection is subject to user privacy concerns and data breaches—all without being adequately protected against malicious bots (which easily bypass the challenges).

The best way to minimize your data privacy risk is to choose a fully privacy-compliant CAPTCHA. See DataDome’s CAPTCHA in action with a free 30-day trial or a live demo.
