This requirement applies even if the data is saved not by your site directly but by a third-party service integrated into it. This is precisely the case with Google reCAPTCHA in both the v2 and invisible variants.
There are many alternatives to Google reCAPTCHA which are more secure and efficient for website security and privacy. One of them is MTCaptcha, which can protect you from spammy bot access. Being GDPR compliant and privacy conscious is just the start; MTCaptcha's commitment and policies mean your data will never be sold or shared with third parties or used for advertising.
MTCaptcha images are certified colorblind safe, and the widget is not only fully VPAT compliant, it is also truly optimized and intuitive to use with screen readers.
How Google reCAPTCHA works
reCAPTCHA requires the user to click on the “I’m not a robot” button, and Google may then need to show the user a further test to validate that they are truly human. The test is generally of the type: “select all the figures that represent the thing X”.
What data does reCAPTCHA collect?
First of all, the reCAPTCHA algorithm will check whether there is a Google cookie on the computer in use.
Subsequently, an additional reCAPTCHA-specific cookie will be added to the user’s browser, and a complete snapshot of the user’s browser window at that time will be captured, pixel by pixel.
Some of the browser and user information currently collected includes:
- All cookies set by Google in the last 6 months,
- How many mouse clicks you made on that screen (or touches, if on a touch device),
- The CSS information for that page,
- The exact date,
- The language in which the browser is set,
- Any plug-ins installed in the browser.
In addition, the management panel of your reCAPTCHAs uses technologies provided by Google Analytics to show you the level of spam that has attempted to access your site and a (detailed) summary of successful and unsuccessful access attempts.
Google and the GDPR
To protect itself from the GDPR (or to be in compliance with it), Google requires users of its service to sign a particular consent agreement. You will therefore have to accept it and, above all, follow it strictly.
Schematically, the requirements are:
- You must use “commercially reasonable” efforts to disclose the data collection, sharing and use practices that result from the use of Google products.
- Consent must be obtained to collect, share and use such data.
- You must also use “commercially reasonable” efforts to provide end users with “clear and understandable” information on any cookies that are accessed and stored.
- You must obtain consent to access and store these cookies.