Google reCAPTCHA is not GDPR compliant by default. It sets cookies and sends visitor data, including IP addresses, to Google in the US before anyone consents. It becomes compliant only when you gate it behind consent, disclose it, or replace it with a privacy-first alternative.
Is Google reCAPTCHA GDPR Compliant?
Independent privacy authorities say no, reCAPTCHA is not inherently GDPR compliant out of the box. Google's own documentation says yes, reCAPTCHA is GDPR compliant when it operates as a data processor under its Cloud Data Processing Addendum. Both statements are true at once, and the difference is implementation, not contradiction.
Usercentrics states the independent position plainly.
The short answer is no, Google reCAPTCHA is not inherently GDPR-compliant when used out of the box.
Friendly Captcha reaches the same verdict. It notes that reCAPTCHA "processes personal data and uses cookies without explicit user consent," which without safeguards counts as a violation. Germany's Bavarian data protection authority goes further and advises site owners to check privacy-friendlier alternatives. Google's own FAQ answers the same question with "Yes," pointing to its role as a data processor under the Cloud Data Processing Addendum.
The gap between these answers is implementation, not disagreement on the law. reCAPTCHA can run in a way that violates GDPR: loading before consent, with no disclosure. It can also run in a way that satisfies it: consent-gated, disclosed, and backed by a signed DPA. Most sites run the first version by default. That default is what independent authorities call out, and what this page fixes.
What Data Does reCAPTCHA Collect, and Which Cookies Does It Set?
reCAPTCHA collects behavioral and device data well beyond what a simple checkbox implies. Before a visitor even clicks anything, it gathers:
- IP address
- Mouse movements and keystroke timing
- Browser and operating system details, plus installed plugins
- Referrer URL and browsing behavior
- A full screenshot of the browser window (reCAPTCHA v3 only)
This data feeds Google's risk-scoring model, then travels to Google's servers in the United States. Alongside the data collection, reCAPTCHA sets the _GRECAPTCHA cookie for risk analysis. That cookie persists in a visitor's browser for around 180 days. Google's broader advertising cookies, including NID and 1P_JAR, can also load alongside it and support cross-site tracking.
I checked a site running default reCAPTCHA and found the _GRECAPTCHA cookie set on page load, before any banner appeared. That is the core problem. A cookie tied to six months of behavioral risk data lands in the browser before the visitor has said yes.
This scope of collection is why reCAPTCHA counts as a non-essential tracker under GDPR and the ePrivacy Directive, not a strictly necessary one. A login button needs to work. It does not need a screenshot of the browser window to do that.
Why Isn't reCAPTCHA GDPR Compliant by Default?
reCAPTCHA fails the default compliance test for three connected reasons:
- Data processed before consent. Article 5(3) of the ePrivacy Directive allows access to device data without consent only when strictly necessary for a requested service. reCAPTCHA's risk-scoring model does more than confirm a human is present; it builds a behavioral profile. French regulator CNIL reasoned that reCAPTCHA also enables analysis on Google's part, beyond securing the login. The strictly-necessary exception does not apply.
- Cross-border transfer to the US. Every reCAPTCHA request sends collected data to Google's US infrastructure. This raises the same Schrems II and EU-US Data Privacy Framework questions that apply to any US-hosted tool. It compounds the consent problem rather than replacing it.
- Legitimate interest is not a clean substitute for consent. Some sites cite legitimate interest instead of consent as reCAPTCHA's legal basis. That requires a documented assessment weighing bot protection against visitor privacy. It still does not satisfy the ePrivacy Directive's separate consent requirement for non-essential cookies.
I get the operator's bind here. Asking for consent before a spam-blocking tool loads can feel like it defeats the tool's purpose. That tension is a design problem, not a legal loophole. The fix is gating the script, not skipping the consent step.
Loading a tracker before consent is exactly the pattern behind the rise in website tracking lawsuits. Sites get sued for the same before-consent data flow reCAPTCHA defaults to.
Has reCAPTCHA Been Fined Under the GDPR? Real Enforcement Cases
Yes, French regulator CNIL has fined two companies over reCAPTCHA specifically, and in both cases the site owner paid, not Google.
| Case | Regulator and date | Fine | Reason |
|---|---|---|---|
| CITYSCOOT | CNIL, March 2023 | EUR 125,000 | Used reCAPTCHA at account creation and login without informing users or getting consent, among other violations |
| NS Cards France | CNIL, December 2023 | EUR 105,000 | Deployed reCAPTCHA trackers without user consent, affecting several hundred thousand visitors |
CITYSCOOT's penalty covered more than reCAPTCHA. The CNIL also cited excessive geolocation tracking and subcontractor gaps in the same decision. The reCAPTCHA finding still stood on its own: the company never informed users or obtained consent before loading it. NS Cards France's fine centered more directly on reCAPTCHA. The CNIL found the company deployed reCAPTCHA trackers without consent, affecting roughly 700,000 account holders.
Both cases share the same root failure: reCAPTCHA loaded, and collected data, before the visitor agreed to anything. Neither company was small. Both had functioning websites and real legal counsel, and both still got the consent step wrong. The same consent-before-tracking failure drives the Meta Pixel lawsuit wave, where a different tracking tool triggers the same exposure.
US operators are not exempt from parallel exposure either. Wiretapping statutes like CIPA create similar liability for tracking tools that process visitor data without disclosure. The same before-consent pattern carries risk on both sides of the Atlantic.
Is reCAPTCHA v2 or v3 More of a GDPR Problem?
reCAPTCHA v3 carries more GDPR risk than v2, even though it is the less visible option. Neither version is compliant by default, but v3's invisibility makes the compliance gap worse, not better.
reCAPTCHA v2 shows visitors a visible checkbox or image challenge and relies on that interaction plus a lighter cookie footprint. reCAPTCHA v3 runs invisibly in the background, scoring every visitor without any click. It collects more behavioral data through multiple session and marketing cookies, and it gives the visitor no signal that data collection is happening.
That invisibility is the trap. A visitor who never sees a checkbox has no reason to suspect a script is scoring their mouse movements. Less friction for the user becomes less transparency for the regulator to accept. reCAPTCHA Enterprise, the paid tier, ships with Google's signed DPA attached by default. That removes one compliance step but does not remove the consent requirement for either version.
What Changed on April 2, 2026? reCAPTCHA as a Data Processor
On April 2, 2026, Google switched reCAPTCHA from an independent data controller to a data processor. That processor role runs under its Cloud Data Processing Addendum. Site owners now become the sole data controller of the data reCAPTCHA collects on their site.
Practically, this means the site owner, not Google, now determines the purpose and means of processing that data. The site owner must accept the Cloud Data Processing Addendum to keep using the service. Google's own reCAPTCHA badge no longer references Google's consumer privacy policy and terms. The relevant relationship now runs through the site owner's contract with Google, not the visitor's direct relationship with Google.
Here is the misconception this switch invites: some site owners assume becoming the "data controller" on paper solves the compliance problem. It does not. The switch clarifies who is legally responsible for reCAPTCHA's data handling, which is now you.
It does nothing to remove the separate requirement to get visitor consent before the script and its cookies load. Privacy-law analysts note that it remains legally disputed whether consent is required after the switch. That open question shows the change settled the controller role, not the consent obligation.
Treat the April 2026 change as a responsibility handoff, not a compliance fix. You inherited the controller's obligations. The consent-before-load requirement below still applies in full.
Do You Need Cookie Consent Before Loading reCAPTCHA?
Yes. In the EU and UK, you need explicit, informed, opt-in consent before the reCAPTCHA script loads and its cookies are set. reCAPTCHA is a non-essential tracker, not a strictly necessary one.
This creates a real practical bind. Consent-gating a bot-protection tool can feel self-defeating: block the script until consent, and a bot that never consents also never gets blocked. I have seen this play out directly. Enabling cookie consent alongside a WordPress form plugin's reCAPTCHA integration broke form submissions and quietly cost real conversions.
The fix is narrower than it sounds: gate the script, not the whole form. Block reCAPTCHA and its cookies until consent, and reserve the visible challenge only for traffic that actually needs it, like failed submissions or suspicious patterns. That keeps the legal requirement intact without breaking every form on the site.
Sites that reach this point also need a policy naming reCAPTCHA and what it sends to Google. See do I need a cookie policy for what that document must cover by region.
How to Use reCAPTCHA in a GDPR-Compliant Way
Making reCAPTCHA compliant takes four concrete steps, run in this order.
- Block the script and its cookies until consent. The reCAPTCHA JavaScript file must not load until the visitor opts in. Hiding the banner visually while the script still runs does not satisfy this.
- Disclose reCAPTCHA in your privacy and cookie policies. Name reCAPTCHA specifically, list what it collects, and state that the data goes to Google's US servers.
- Sign Google's Cloud Data Processing Addendum, or move to reCAPTCHA Enterprise, which includes the DPA by default. It frames the data use around security, not advertising.
- Replace reCAPTCHA if consent-gating breaks your bot protection. A privacy-first CAPTCHA that needs no consent solves that conflict outright, instead of managing around it.
The reliable fix underneath all four steps is the same: block cookies before consent so the reCAPTCHA script never loads until the visitor opts in.
GDPR-Compliant Alternatives to reCAPTCHA
A handful of CAPTCHA tools are built to avoid the consent problem entirely, rather than manage around it. Friendly Captcha, Cloudflare Turnstile, hCaptcha, ALTCHA, and MTCaptcha each collect little to no personal data. Several need no cookie consent banner at all, since they skip persistent tracking cookies by design.
These tools are not equivalent to each other, and none is ranked here as a product recommendation. The common thread is architectural: they verify a visitor is human through proof-of-work checks or minimal, non-tracking signals. That design choice, not a policy, is what removes most of the GDPR exposure reCAPTCHA carries by default.
How Consently Blocks reCAPTCHA Until Visitors Consent
Consently auto-blocks non-essential third-party scripts and their cookies, reCAPTCHA included, until the visitor gives consent, then records that consent as proof.
Consently is a consent management platform, not a CAPTCHA. It does not replace reCAPTCHA; it controls when reCAPTCHA, or whichever CAPTCHA you keep, is allowed to load. Two features do the actual work.
Cookie and script auto-blocking scans your site, finds the reCAPTCHA script and its cookies, and blocks them until a visitor makes a choice. Google Consent Mode v2 signaling passes that choice to Google's own tags automatically. Analytics and Ads only receive consent-aware signals, with no manual gtag('consent') code required.
Consently also generates the cookie and privacy policy that must name reCAPTCHA and disclose the US data transfer. The disclosure step and the blocking step come from the same setup. Start blocking trackers before consent with a 14-day free trial, no credit card required.
FAQs
Is Google reCAPTCHA GDPR compliant?
Google reCAPTCHA is not GDPR compliant by default. It sends personal data and sets cookies before consent. It becomes compliant only when gated behind consent, disclosed, and backed by a signed Data Processing Addendum.
Does reCAPTCHA use cookies?
Yes. reCAPTCHA sets the _GRECAPTCHA cookie for risk analysis, which persists for around 180 days. Google cookies like NID and 1P_JAR can load alongside it.
Do I need consent to use reCAPTCHA in the EU?
Yes. reCAPTCHA is a non-essential tracker under the ePrivacy Directive, so EU and UK sites need explicit, informed, opt-in consent before it loads.
Is reCAPTCHA illegal in the EU?
Using reCAPTCHA is not itself illegal. Using it without consent or disclosure violates GDPR and the ePrivacy Directive, as CNIL's fines against CITYSCOOT and NS Cards France confirm.
Does the April 2026 data-processor change make reCAPTCHA GDPR compliant?
No. The April 2, 2026 switch makes the site owner the data controller and clarifies legal responsibility. It does not remove the requirement to get visitor consent before reCAPTCHA loads.
Is reCAPTCHA v2 GDPR compliant?
Not by default. reCAPTCHA v2 collects less data and uses fewer cookies than v3, which makes it the lower-risk option, but it still requires consent before loading.
Is reCAPTCHA Enterprise GDPR compliant?
reCAPTCHA Enterprise ships with Google's Cloud Data Processing Addendum by default, which covers the processor relationship. Visitor consent before the script loads is still required separately.
What is the _GRECAPTCHA cookie and how long does it last?
The _GRECAPTCHA cookie stores risk-analysis data reCAPTCHA uses to score visitor behavior. It typically persists in the browser for about 180 days.
Is Friendly Captcha GDPR compliant?
Yes. Friendly Captcha is a German-built, privacy-by-design CAPTCHA that avoids the reCAPTCHA problem. It uses a proof-of-work check, sets no tracking cookies, and processes data in the EU, so most sites need no consent banner for it. You still disclose it in your privacy policy.
Does reCAPTCHA also matter for CCPA or US privacy laws?
Yes. US sites face parallel exposure. reCAPTCHA's data collection can trigger disclosure duties under CCPA and wiretapping-style claims under state laws like CIPA.

