Update May 2024: The German law TTDSG has been merged into the TDDDG. It regulates access to terminal equipment (end devices), which is decisive for cookies.
Update from 27.07.2023: The Data Privacy Framework (DPF) between the EU and the US is in effect. It allows data transfers to the US if all data recipients are certified under the DPF. It is questionable whether the agreement will stand, as it is based on a shaky Executive Order. Regardless of that, there are further reasons against using Google reCAPTCHA (see article).
Update from 16.05.2023: The Consumer Centre has won a judgment against Telekom. The court says that data transmission to Google in the USA is only allowed under very narrow limits.
Update from 12.04.2022: Following a complaint, the French data protection authority CNIL has confirmed what should have been known for a long time: that Google reCAPTCHA may only be used with consent. CNIL's reasoning, as far as I understand it: the tool does not serve solely to ward off threats, but also collects (unnecessary) data for other purposes.
With Google reCAPTCHA, users and their behavior on the website in which reCAPTCHA is embedded are thoroughly analyzed, specifically in order to better distinguish a human from a robot program. Since the reCAPTCHA code is loaded from the domain google.com, among other places, the tool automatically gains access to cookies that have been set for logged-in Google users. One of these cookies is called NID and contains a unique user identifier that is also used by Google Signals to recognize users across devices. In this sense, it is almost irrelevant from a data protection perspective whether reCAPTCHA additionally sets cookies of its own (depending on the situation) or not.
In addition, reCAPTCHA also accesses the domain gstatic.com. As can be read on Google's websites, this domain is also used by other Google tools, so cookies could potentially be exchanged via this domain as well.
Using the call of a single reCAPTCHA script as an excerpt, the following shows how many cookies reCAPTCHA uses:

When calling Google reCAPTCHA, 15 cookies are transmitted.
Result of my test. The actual number can be higher or lower depending on the user's previous browsing history.
The number of cookies transferred illustrates the privacy problem with Google reCAPTCHA quite well. As Google itself admits, not all of these cookies are technically necessary: "In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis." (Source: https://developers.google.com/recaptcha/docs/faq. Update: the wording of the sentence has since been changed slightly; the meaning remains the same.) The "standard Google cookies" are cookies such as NID. NID is suitable for tracking users, both for marketing purposes and for building user profiles. Google itself admits this: "Some cookies serve to store a user's settings. For example, there is a cookie named "NID" in the browsers of most users who use Google services. This cookie contains a unique ID, which stores your preferred settings and other information…" (Source: https://policies.google.com/technologies/cookies?hl=de=).
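The cookie count above comes from a manual look at the browser's network tab. The following is an added example (not from the original article) that performs the same check programmatically over a HAR export of the browser's requests: it lists every request to google.com or gstatic.com, the cookie names it carried, and which of them are not the one cookie Google declares necessary. The HAR shown inline is constructed; the gstatic release path and all cookie values are placeholders.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Domains the article identifies as contacted when reCAPTCHA is embedded.
GOOGLE_DOMAINS = ("google.com", "gstatic.com")
# The one cookie Google itself describes as necessary for reCAPTCHA's risk analysis.
NECESSARY = {"_GRECAPTCHA"}

def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)

def cookie_names(request):
    """Cookie names from the HAR 'cookies' list, falling back to the raw Cookie header."""
    names = [c["name"] for c in request.get("cookies", [])]
    if not names:
        for header in request.get("headers", []):
            if header["name"].lower() == "cookie":
                jar = SimpleCookie()
                jar.load(header["value"])
                names.extend(jar.keys())
    return names

def audit_har(har):
    """Map each request URL on a Google domain to the cookies it carried and the non-necessary ones."""
    findings = {}
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlparse(request["url"]).hostname or ""
        if host_matches(host, GOOGLE_DOMAINS):
            names = cookie_names(request)
            findings[request["url"]] = {"cookies": names,
                                        "non_necessary": [n for n in names if n not in NECESSARY]}
    return findings

def distinct_google_cookies(findings):
    """Set of all cookie names that left the browser towards Google domains."""
    return {n for f in findings.values() for n in f["cookies"]}

# Constructed sample HAR (not a real capture); the release path and cookie values are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://www.google.com/recaptcha/api.js",
                 "cookies": [{"name": "NID", "value": "placeholder"},
                             {"name": "_GRECAPTCHA", "value": "placeholder"}]}},
    {"request": {"url": "https://www.gstatic.com/recaptcha/releases/CONSTRUCTED/recaptcha__en.js",
                 "cookies": [], "headers": [{"name": "Cookie", "value": "NID=placeholder"}]}},
    {"request": {"url": "https://example.com/contact", "cookies": [{"name": "session", "value": "x"}]}},
]}}
```

To check a real site, export a HAR from the browser's developer tools while loading the form, load it with json.load and pass the result to audit_har.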
A consent obligation already follows from this:
- In accordance with the Federal Court of Justice's Planet49 ruling, § 15 Abs. 3 TMG is to be interpreted in conformity with Art. 5(3) of the ePrivacy Directive. The TMG was merged into the DDG in May 2024.
- Art. 5(3) of the ePrivacy Directive requires consent whenever information stored in the user's device is accessed and that access is not technically necessary. The access to cookies has been demonstrated above. These cookies are not technically necessary; the sheer number of them alone shows this. Their quantity and the form of their values indicate that they serve marketing purposes, and proving the opposite should be difficult.
- The ECJ held in the Planet49 ruling that it is irrelevant whether the data collected via cookies are personal data or not.
- Since December 2021, § 25 TTDSG has applied to cookies in Germany.
When Google reCAPTCHA is used to secure forms, a legitimate interest is already ruled out because there are numerous effective alternatives that are clearly more privacy-friendly. Among the legal bases named in Art. 6 Abs. 1 DSGVO, legitimate interest is thus only the nail in the coffin. At the very least, forms secured with privacy-hostile captchas should also offer the option of writing an email directly, right next to the form.
Variants
There are several variants of reCAPTCHA (see https://developers.google.com/recaptcha/docs/versions):

The earlier version 2 is available in a visible and an invisible form.
Google reCAPTCHA v3 is always invisible and computes a score for the current user. Using this score, the website that called reCAPTCHA decides whether the visitor is a human or a robot.
Terms of use
To use Google reCAPTCHA, you must accept the terms of service, which among other things state: “You confirm and acknowledge that the functionality of the reCAPTCHA API relies on collecting hardware and software information, such as device and application data, and sending it to Google for analysis purposes.” and “For users in the European Union, you must comply with the EU User Consent Directive and your API clients must conform to this directive.”
Using Google reCAPTCHA without consent therefore appears hardly justifiable, and is even prohibited under Google's own Terms of Service, 31 in particular. The relevant parts of the terms of service read as follows:

My name is Klaus Meffert. I hold a doctorate in computer science and have been working professionally and hands-on with information technology for over 30 years. I also work as an expert witness in IT and data protection. I arrive at my results by looking at technology and law together, which seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting on and development of optimized and secure AI solutions.
