Google reCaptcha and DSGVO – a contradiction?

Since 2009, the service has been operated by Google LLC. The Captcha service tries to distinguish whether a certain interaction on the Internet is made by a human person or by a computer program or bot.
- Headquarters: Mountain View, California, United States
- Category: Captcha
- Legal Basis: Consent required via Consent Management Platform (CMP)
What is ReCaptcha?
Anyone who fills out a contact form on a website often has to prove that she/he is a human being – and not a robot (bot = possible malware) – by using a so-called captcha. These tests can be found in various forms on websites: For example, in a sequence of letters and numbers that is difficult for robots to read, or in the form of a mosaic image (e.g., crosswalks, bicycles or traffic lights).
This is certainly familiar to you, or you have encountered it umpteen times on the Internet. Such captchas are not occupational therapy or intelligence tests. No, they have the simple and useful function of protecting website operators from a flood of spam by bots. They are supposed to prevent registrations, surveys, comment functions etc. on websites from being abused, e.g. by fake users, click fraud and DDoS attacks. The abbreviation CAPTCHA stands for "completely automated public Turing test to tell computers and humans apart". These tests should (one assumes) only be solvable by humans.
How does reCaptcha invisible analysis work anyway?
When it comes to Google, data protection experts get curious and take another look, and reCaptcha has been investigated by them. According to this investigation, one of the methods for determining humanity is to check whether you already have a Google cookie in your browser. It is the same cookie that allows you to open new tabs in your browser without having to log in to your Google account every time.
In reCaptcha V3 simulations (the invisible variant), lower risk scores were found with a connected Google account than in browsers without a connected Google account. So if you have a Google account, you are more likely to be human. Moreover, reCaptcha runs with a JavaScript element that examines mouse movements and keyboard strokes, info about the operating system and dwell time, and forwards them to Google.
To make the Google tool even better and faster at detecting human behavior on websites, Google wants the reCaptcha V3 code to be embedded on all website (sub)pages, not just forms or log-in pages. This should help the underlying machine learning algorithm to generate more accurate risk scores.

Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the conditions in points (a) to (f) of Art. 6 (1) GDPR is fulfilled. The two important points are the following:
- The data subject has given consent (lit. a)
- The processing is necessary to protect the legitimate interests of the controller (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this covers not only the well-known small text files and pixels, but all technologies that make it possible to identify, link or infer a user, a user agent or a device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
- Conclusion of a processing contract with the processor
- No use of cookies or similar profiling techniques
- Processing of personal data exclusively in Europe
- The processor does not use the obtained data for its own purposes
- The processor does not link or enrich the data across different websites
- Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
- IP anonymization (“Privacy by Default”)
- Automatic opt-out for Do-Not-Track settings in the browser
- Documentation by the website operator that points 1-8 are fulfilled
IP address
Note that the IP address is generally personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is anonymized (e.g. truncated) before it leaves your system.
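As an added example (not code from the article), the following Python function implements the IP anonymization the text calls for by truncating an address to a network prefix before it is logged or forwarded. The prefix lengths (/24 for IPv4, /48 for IPv6) and the constructed access-log lines are assumptions for the demonstration:

```python
import ipaddress

# Assumed anonymization policy (not taken from the article): drop the last
# octet of IPv4 addresses and everything after the first 48 bits of IPv6.
IPV4_PREFIX = 24
IPV6_PREFIX = 48
FALLBACK = "0.0.0.0"


def anonymize_ip(raw: str) -> str:
    """Return `raw` truncated to the configured prefix, or FALLBACK if unparsable.

    The unparsable input is deliberately not echoed back: it may itself
    contain personal data (e.g. a mangled address with a user token).
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return FALLBACK
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the leading client-IP token of a common-log-format line."""
    client_ip, _, rest = line.partition(" ")
    return f"{anonymize_ip(client_ip)} {rest}"


# Constructed sample log lines (documentation addresses only).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "POST /contact HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678::1 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 2048',
]


def anonymized_sample_log() -> list:
    """Run the sanitizer over the constructed sample and return the result."""
    return [anonymize_log_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for line in anonymized_sample_log():
        print(line)
```

Run the truncation at the earliest point where the address is available (the reverse proxy or the request handler), so that full addresses never reach log files, analytics or third-party services in the first place.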
Server location
As long as it is not clear that the data is collected and stored at a secure server location, compatibility with the GDPR is difficult to establish.
Company headquarters
In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling that invalidated the Privacy Shield, the USA counts as an insecure third country.
The DSGVO compliant reCaptcha alternatives
1.) hCaptcha
While hCaptcha is comparable to Google’s ReCaptcha in terms of function and technology, there are still a few key differences.
Pro
- Similar feature & function set as ReCaptcha
- Detailed customization possible (also regarding the difficulty of the captcha)
- Personal data may be decoupled from the other data collected by the captcha and deleted
- Machine Learning is applied – in contrast to ReCaptcha – only to the remaining (de-identified) or non-personal data
- In accordance with the principle of data economy, only the data that is actually necessary for the function of the captcha is used
Con
- The company behind hCaptcha (Intuition Machines) is based in the USA. Due to the discontinuation of the Privacy Shield, data transfers to the USA are generally not permitted and can only be legitimized within the framework of specific exceptions for individual applications. One possible exception is user consent through a CMP.
- The privacy benefits claimed cannot be verified on a technical level, which is why only the information provided by the company can be relied upon at this point.
2.) Friendly Captcha
Friendly Captcha focuses on privacy and usability. A unique “crypto-puzzle” is created for each user, which is processed by the browser in the background (without the user noticing) while the user fills out the form.
Pro
- The core of Friendly Captcha is open source and therefore transparent on a technical level. Furthermore, open source allows the programming of a custom version.
- No cookies are set and no tracking takes place.
- The company behind the commercial version is from Germany.
- The technology is based on the decentralized "Proof of Work" system.
- By avoiding complex captchas, Friendly Captcha also ensures accessibility.
- Only the information required for the captcha is collected (according to the privacy policy, PP).
Con
- The privacy benefits claimed cannot be verified on a technical level, which is why only the information provided by the company can be relied upon at this point.
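To make the "crypto-puzzle" idea from the Friendly Captcha section concrete, here is an added, self-contained Python sketch of a hash-based proof-of-work challenge. It is not Friendly Captcha's code and does not reproduce its protocol; the message format, the HMAC-signed challenge, the 12-bit difficulty and the replay set are all assumptions chosen for the demonstration. The server issues a signed puzzle, the browser burns CPU time finding a counter whose SHA-256 hash starts with enough zero bits, and the server verifies the solution without ever learning anything about the user:

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo secret; a real deployment keeps this out of source code.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
# Small so the demo solves in milliseconds; real deployments tune this value.
DIFFICULTY_BITS = 12
PUZZLE_TTL_SECONDS = 300


def issue_puzzle(now: float = None) -> str:
    """Server side: create 'nonce.expires.difficulty.tag', tag = HMAC over the rest."""
    expires = int((now if now is not None else time.time()) + PUZZLE_TTL_SECONDS)
    payload = f"{secrets.token_hex(16)}.{expires}.{DIFFICULTY_BITS}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def _leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def solve_puzzle(puzzle: str) -> int:
    """Browser side: brute-force a counter until sha256(payload:counter) has enough zero bits."""
    payload = puzzle.rsplit(".", 1)[0]
    difficulty = int(payload.split(".")[2])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{payload}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


class PuzzleVerifier:
    """Server side: checks signature, expiry, difficulty, work, and one-time use."""

    def __init__(self):
        self._used_nonces = set()

    def verify(self, puzzle: str, solution: int, now: float = None) -> bool:
        try:
            payload, tag = puzzle.rsplit(".", 1)
            nonce, expires, difficulty = payload.split(".")
        except ValueError:
            return False
        expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered puzzle
        if int(expires) < (now if now is not None else time.time()):
            return False                      # stale puzzle
        if int(difficulty) != DIFFICULTY_BITS:
            return False                      # server policy, even though the HMAC binds it
        if nonce in self._used_nonces:
            return False                      # replayed solution
        digest = hashlib.sha256(f"{payload}:{solution}".encode()).digest()
        if _leading_zero_bits(digest) < int(difficulty):
            return False                      # insufficient work
        self._used_nonces.add(nonce)
        return True


if __name__ == "__main__":
    p = issue_puzzle()
    s = solve_puzzle(p)
    print("solution", s, "accepted:", PuzzleVerifier().verify(p, s))
```

The property worth noting is what the server needs in order to decide: a secret it holds, the puzzle it issued, and the counter the client found. No cookie, IP address, mouse movement or account state enters the decision, which is why such a scheme can be argued to be consent-free, whereas a risk score derived from browser behaviour cannot. The replay set should be bounded by the TTL in a real deployment (a cache with expiry rather than an ever-growing set).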
3.) Honeypot
The honeypot method adds another field to the form that is invisible to the user. Bots will invariably fill in this field, while users, not seeing the field, will leave it blank. Server-side logic then marks every submission in which this field is filled in as spam.
Con
- Browsers that fill in fields without being prompted by the user (e.g. Safari) can cause problems if the invisible field is filled in as well. The invisible field should therefore not collect any personal data and should be labelled, for example, "Note".
- Advanced bots may be able to bypass this technique.
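The following added Python example (not code from the article or from any of the products named) shows the honeypot check described above, including the caveat about browser autofill: the trap field is labelled "Note" so that an autofilling browser has no personal data to put into it, it is hidden with CSS rather than `type="hidden"` (which form bots typically skip), and its content is dropped before the submission is stored. The field name, the markup and the two sample submissions are constructed for the demonstration:

```python
from dataclasses import dataclass

# Neutral field name/label (assumed): nothing a browser would autofill with
# personal data, so even an autofilled value never carries personal data.
HONEYPOT_FIELD = "note"


def render_honeypot_field() -> str:
    """HTML for the trap field, to be placed inside the real form.

    Hidden visually and from assistive technology, kept out of the tab order,
    and with autocomplete disabled. type="hidden" is deliberately not used
    because many form bots skip hidden inputs and fill only visible ones.
    """
    return (
        '<div style="position:absolute;left:-10000px;top:auto;'
        'width:1px;height:1px;overflow:hidden" aria-hidden="true">'
        f'<label for="{HONEYPOT_FIELD}">Note</label>'
        f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
        'tabindex="-1" autocomplete="off">'
        "</div>"
    )


@dataclass
class Verdict:
    is_spam: bool
    reason: str


def classify_submission(form: dict) -> Verdict:
    """A non-empty trap field means the submitter did not render the page as a human would."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return Verdict(True, "honeypot field filled")
    return Verdict(False, "ok")


def handle_contact_form(form: dict) -> dict:
    """Decide spam/ham and strip the trap field before anything is stored.

    Stripping happens for accepted submissions too, so a value that a browser
    autofilled into the trap field is never retained alongside the message.
    """
    verdict = classify_submission(form)
    cleaned = {k: v for k, v in form.items() if k != HONEYPOT_FIELD}
    if verdict.is_spam:
        # Discard silently; do not tell the client which check failed.
        return {"status": "discarded", "reason": verdict.reason}
    return {"status": "accepted", "fields": cleaned}


# Constructed sample submissions.
HUMAN_SUBMISSION = {
    "name": "Erika Mustermann",
    "email": "erika@example.org",
    "message": "Hello, I have a question about your product.",
    HONEYPOT_FIELD: "",
}
BOT_SUBMISSION = {
    "name": "best offer",
    "email": "bot@example.invalid",
    "message": "buy now",
    HONEYPOT_FIELD: "http://spam.example.invalid",
}

if __name__ == "__main__":
    print(render_honeypot_field())
    print(handle_contact_form(HUMAN_SUBMISSION))
    print(handle_contact_form(BOT_SUBMISSION))
```

Treat a honeypot hit as a signal to discard, not as something to store or report back to the client; a 200 response with nothing saved gives a bot no feedback, and nothing from the trap field ever enters your database.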
4.) Powermail
Powermail in combination with TYPO3 extensions (e.g. Spam Shield) provides a captcha-less alternative to spam filters. The principle here is that filling out contact forms is associated with several hurdles (running in the background), which in combination are meant to filter spam.
One of these hurdles is the honeypot method mentioned above.
Pro
- Many individual setting options
- Privacy-friendly configurable
- User-friendly
Con
- Some of the spam protection extensions are no longer supported and are accordingly outdated
- The higher the spam protection achieved is supposed to be, the more personal data is necessarily collected by the system.
Cookie Box Recommendation:
Even though any of the above methods or technologies can be considered as a reCaptcha alternative, we recommend Friendly Captcha.
As the best privacy alternative with high user-friendliness, this system is also very likely to work completely CMS-independently.
Conclusion
What does this mean for website operators?
Google is and remains a commercial enterprise that offers its services partly for free, but not “for free” (currency = user data).
Those who use the tool should be aware of the risks and keep them as low as possible. The first step could be to create transparency to reduce the risk. In addition, users should explicitly agree to the use of the tool and thus to the use of their data via a cookie banner. However, this does not make the use 100% legally secure, which is why we recommend opting for one of the privacy-friendly alternatives.
Any questions?
Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics: