What is ReCAPTCHA and How Does it Work?
ReCAPTCHA helps websites and mobile apps prevent spam and block "bots." The program determines whether the user is a real person or a "bot" to stop "automated software" from weighing down your site.
ReCAPTCHA works by implementing an algorithm that analyzes a user's activity by taking a screenshot of the user's browser window. If the activity is judged to be mechanical, or a made-up word is entered, the system flags it.
The activity and user information reCAPTCHA collects and analyzes includes the following:
- Typing patterns of the user
- The number of mouse clicks a user has made on the site or touches on an app
- What language the user's browser is using
- Google cookies that have been placed on the site
- The answers to question fields on the site
- CSS information
- Plug-ins installed on the browser
The algorithm also recognizes IP addresses that cookies have previously associated with human users.
Versions of reCAPTCHA
There are currently 4 active versions of reCAPTCHA.
ReCAPTCHA v2 ("I'm not a robot" Checkbox) has users click a checkbox to indicate human status. A user may be presented with "challenge" questions to prove they're human and not a bot:
ReCAPTCHA v2 (Android) can be used on Android apps.
ReCAPTCHA v3 doesn't rely on users clicking checkboxes or pictures. Version 3 collects and analyzes the interactions a user has with a site to produce a score. The final score indicates whether the activity is suspicious. This version is meant to reduce "user friction" by doing away with challenge questions, creating a seamless user experience.
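Because v3 hands the site a score rather than a pass/fail answer, the site's backend has to decide what to do with it. The following is an added example, not code from the article or from Google; it assumes the JSON shape of Google's siteverify response (success, score, action, hostname, challenge_ts, error-codes), which the article does not describe, and it runs on constructed sample responses rather than a live call.

```python
# Added example, not from the original article: acting on a reCAPTCHA v3 score
# on the server. Assumes the JSON shape of Google's siteverify response
# (success, score, action, hostname, challenge_ts, error-codes); the HTTP call
# itself is omitted so the decision logic runs offline on constructed data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Decision:
    allowed: bool
    reason: str

def assess_v3(response: dict, expected_action: str, expected_hostname: str,
              min_score: float = 0.5, max_age: timedelta = timedelta(minutes=2),
              now: Optional[datetime] = None) -> Decision:
    """Turn a siteverify response into an allow/deny decision.

    The score only means something for the request it was issued for, so a
    token minted for another action or hostname, or an old token presented
    again later, is rejected before the score is even consulted.
    """
    if not response.get("success"):
        return Decision(False, "verification failed: %s" % response.get("error-codes", []))
    if response.get("action") != expected_action:
        return Decision(False, "action mismatch")
    if response.get("hostname") != expected_hostname:
        return Decision(False, "hostname mismatch")
    # challenge_ts is ISO 8601 with a trailing Z (UTC); enforce our own freshness window
    issued = datetime.fromisoformat(response["challenge_ts"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if now - issued > max_age:
        return Decision(False, "token too old")
    score = float(response.get("score", 0.0))
    if score < min_score:
        return Decision(False, f"score {score} below threshold {min_score}")
    return Decision(True, f"score {score}")

# Constructed sample responses; not real tokens and not real Google output.
SAMPLE_HUMAN = {"success": True, "score": 0.9, "action": "login",
                "hostname": "example.com", "challenge_ts": "2024-05-01T12:00:00Z"}
SAMPLE_BOT = dict(SAMPLE_HUMAN, score=0.1)
SAMPLE_OTHER_ACTION = dict(SAMPLE_HUMAN, action="signup")
NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)   # 30 s after issue
LATER = NOW + timedelta(minutes=5)                           # past the 2-minute window

if __name__ == "__main__":
    for name, resp in [("human", SAMPLE_HUMAN), ("bot", SAMPLE_BOT)]:
        print(name, assess_v3(resp, "login", "example.com", now=NOW))
```

The 0.5 threshold is a placeholder; the right cut-off depends on the action being protected and on how the site's own traffic scores.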
First, reCAPTCHA uses an algorithm to analyze a user's interaction with a site, including collecting personal information.
The GDPR doesn't only regulate when companies collect data themselves; it also covers websites that use third parties to collect and process information. That applies here, since Google collects personal information through your site or app when it uses reCAPTCHA.
In addition to the general reCAPTCHA Terms of Service, you must also accept the specific terms of the version you select.
If you select Invisible reCAPTCHA Badge under v2, you must "explicitly inform your visitors" you have integrated reCAPTCHA into your site:
The terms for the newest version go even further. In addition to requiring that you explicitly inform your visitors of the v3 implementation, the terms state that the v3 software "may only be used to fight spam and abuse." The service can't be used to look at credit card history or insurability:
Google's EU User Consent Policy
Google includes a specific policy for users who are in the EU. If you use reCAPTCHA and you have users in the European Economic Area, you must follow Google's EU User Consent Policy.
The policy includes these specific rules:
- Obtain users' legally valid consent for cookies and collection and sharing of data
- Retain documentation of consent and provide ways to revoke consent
- Clearly identify each party that collects data, and provide a "prominently and easily accessible" disclosure about that party's use of the data
- Use "commercially reasonable" efforts to make sure any third party the data is shared with complies with this policy
Examples of reCAPTCHA Clauses in Privacy Policies
A good idea is to include a clause about how your site collects a user's data both directly and indirectly. ReCAPTCHA's algorithm often looks at information collected indirectly from a user, such as how the user searches through the site.
Take a look at how Microsoft notifies its users about the collection of direct and indirect data:
Take a look at how Amazon notifies its users about consent when their data is shared with third parties:
Include a clause about your sharing of data with third parties. Here's how GitHub discloses that it shares user personal information with some service providers (such as Google):
The clause links to a separate page on subprocessors that goes into specifics, including the name of each subprocessor, where the subprocessor is located and a description of the processing that it does:
Even though this doesn't specifically mention reCAPTCHA, it still informs users that the site collects their data, for what reasons, and that third parties are in use.
Consent to the collection and sharing of information by websites and third parties must be given freely, expressly, and unambiguously. The request for consent must be clear and distinguishable to the user.
Another common but less favorable way to obtain consent is to include a statement or disclosure saying that taking some action means the user accepts the terms, which would include the use of third parties like reCAPTCHA.
Here's how Nike does it in its login form:
Protecting your site from misuse and spamming bots is extremely important. One way of preventing abuse of your site is integrating Google's reCAPTCHA into your site.
Be sure to follow these simple rules to compliantly use reCAPTCHA:
- Disclose that you collect data indirectly
- Disclose the use of third-parties