If you integrate a CAPTCHA on your site, you must also integrate its Privacy Policy and update your Cookies Policy.
If a site or an app that goes online integrates reCAPTCHA, the GDPR (in force since 2018) and Google itself expressly require that the user "approve" the use of the data, and therefore that this use be mentioned in the privacy information (Privacy Policy) and, more precisely, in the Cookies Policy.
The GDPR expressly requires that any website or mobile app that can transfer or save personal data (IP address, name, email, address, date of birth, etc.) of any EU resident indicate this on a Privacy Policy page. In this way the user must be able to know what data is collected and for what purpose, and must be able to decide whether or not to accept it.
This requirement is mandatory even if it is not your site that saves the data directly, but a third-party service integrated into it. This is precisely the case with Google reCAPTCHA, in both the v2 and the invisible variants.
There are many alternatives to Google reCAPTCHA which are more secure and efficient for website security and privacy. One of them is MTCaptcha, which can protect you from spammy bot accesses. Being GDPR compliant and privacy conscious is just the start: MTCaptcha's commitment and policies mean your data will never be sold or shared with third parties or used for advertisement.
MTCaptcha images are certified colorblind safe, and the widget is not only fully VPAT compliant, it is truly optimized and intuitive to use with screen readers.
How Google reCAPTCHA works
reCAPTCHA requires the user to click on the "I'm not a robot" button, and Google may then need to show them a further test to validate them as a truly human user. The test is generally of the type: "select all the pictures that show the thing X".
What data does reCAPTCHA collect?
First of all, the reCAPTCHA algorithm checks whether there is a Google cookie on the computer in use.
Subsequently, an additional reCAPTCHA-specific cookie is added to the user's browser, and a complete snapshot of the user's browser window at that moment is captured, pixel by pixel.
Some of the browser and user information currently collected includes:
- All cookies set by Google in the last 6 months,
- How many mouse clicks you made on that screen (or touches, if on a touch device),
- The CSS information for that page,
- The exact date,
- The language the browser is set to,
- Any plug-in installed in the browser,
- All JavaScript objects.
This is why, to comply with the GDPR, it is necessary to include this data collection in the Privacy Policy page and, even more so, in the Cookies Policy. In the latter, the cookies of the Google service must be listed among the Analytics cookies.
Moreover, the management panel for your reCAPTCHAs, built on technologies provided by Google Analytics, shows you the level of spam that has attempted to access your site and a detailed summary of successful and unsuccessful access attempts.
Google and the GDPR
To protect itself from the GDPR (or rather, to comply with it), Google requires users of its service to sign a specific consent agreement. You will therefore have to accept it and, above all, follow it strictly.
The requirements are, schematically:
- You must use "commercially reasonable" efforts to disclose the data collection, sharing and use practices that follow from the use of Google products.
- Consent must be obtained to collect, share and use such data.
- You must also use "commercially reasonable" efforts to provide end users with "clear and understandable" information on any cookie that the service accesses or stores.
- You must obtain consent to access and store these cookies.
In conclusion
You will then have to put in place the cookie banner, the Privacy page and the Cookie Policy: these give the user the opportunity to understand what kind of data you are capturing and for what reason, and finally the opportunity to actively accept that you (or Google) do it.
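The requirement above, that the third-party cookies may only be accessed and stored after consent, also has a technical side: the reCAPTCHA script must not even be loaded until the user has accepted, otherwise the cookie check described earlier runs before the banner is answered. The following added example (not code from the original article, Google or MTCaptcha) shows one way to gate the script load on an explicit, versioned consent record. The storage key "captcha-consent", the policy version string and the banner button ids are assumptions; the loader URL is Google's documented reCAPTCHA v2 script, and any third-party script that sets cookies can be gated the same way.

```javascript
// Added example: load a third-party CAPTCHA script only after explicit consent.
// Assumptions (not from the original page): the consent record lives under the
// key "captcha-consent", and a policy version string is bumped whenever the
// Cookie Policy text changes, so that stale consent is asked for again.
const CONSENT_KEY = 'captcha-consent';
// Google's documented loader URL for reCAPTCHA v2; gate any other
// cookie-setting third-party script the same way.
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js';

// Parse the stored consent record; anything unreadable counts as "no consent".
function readConsent(store) {
  try {
    const raw = store.getItem(CONSENT_KEY);
    return raw ? JSON.parse(raw) : null;
  } catch (e) {
    return null;
  }
}

// Decide whether the CAPTCHA script may be injected. Consent must be an
// explicit opt-in (granted === true) for the current policy version; a
// missing, refused or outdated record blocks loading.
function shouldLoadCaptcha(record, policyVersion) {
  return !!record && record.granted === true && record.policyVersion === policyVersion;
}

// Persist the user's decision with the policy version and a timestamp, so the
// choice can be displayed in the banner and re-asked when the policy changes.
function recordConsent(store, granted, policyVersion, now = Date.now()) {
  const record = { granted: granted === true, policyVersion, ts: now };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Inject the script tag. Nothing is fetched from the third party, and no
// cookie can be read or set by it, until this function runs.
function loadCaptchaScript(doc, src = RECAPTCHA_SRC) {
  const script = doc.createElement('script');
  script.src = src;
  script.async = true;
  script.defer = true;
  doc.head.appendChild(script);
  return script;
}

// Entry point: loads the script if consent is on record, otherwise asks the
// caller to show the banner. Returns 'loaded' or 'banner' so the outcome is
// checkable.
function initCaptcha({ store, doc, policyVersion, showBanner }) {
  const record = readConsent(store);
  if (shouldLoadCaptcha(record, policyVersion)) {
    loadCaptchaScript(doc);
    return 'loaded';
  }
  showBanner({
    accept: () => { recordConsent(store, true, policyVersion); loadCaptchaScript(doc); },
    refuse: () => recordConsent(store, false, policyVersion),
  });
  return 'banner';
}

// Browser usage (skipped when run outside a page, e.g. under a test runner).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  initCaptcha({
    store: window.localStorage,
    doc: document,
    policyVersion: '2018-05', // assumed: bump whenever the Cookie Policy changes
    showBanner: ({ accept, refuse }) => {
      // Assumed button ids; a CAPTCHA-protected form should stay disabled
      // until accept() has run.
      const acceptBtn = document.getElementById('consent-accept');
      const refuseBtn = document.getElementById('consent-refuse');
      if (acceptBtn) acceptBtn.onclick = accept;
      if (refuseBtn) refuseBtn.onclick = refuse;
    },
  });
}
```

Keying the record on a policy version means that editing the Cookies Policy (for example, to add the Google Analytics cookies mentioned above) automatically brings the banner back, and a refused or corrupt record is treated exactly like no record at all, so the script is never loaded by default.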