If you've added reCAPTCHA to your website or mobile app, you must include a Privacy Policy.

ReCAPTCHA is a Google service that, once integrated into a website or app to protect it against bots, collects personal information about the site's users. Google, the California Online Privacy Protection Act (CalOPPA), and the General Data Protection Regulation (GDPR) all require a Privacy Policy to be in place to notify users of this data collection.

Including a Privacy Policy has become even more important since Google launched reCAPTCHA v3 in 2018, which reduces "user friction" by doing away with "challenge" questions altogether. Because the user no longer sees a challenge, the Privacy Policy may be the only notice they get that data is being collected.

Let's first take a look at what reCAPTCHA is before explaining why a Privacy Policy is needed.


What is ReCAPTCHA and How Does it Work?

ReCAPTCHA helps websites and mobile apps prevent spam and block "bots." The program determines whether the user is a real person or a "bot" so that "automated software" can't abuse your site.

Google reCAPTCHA help: Definition of reCAPTCHA

ReCAPTCHA works by running Google's JavaScript in the page. That script observes how the visitor's browser behaves and how the visitor interacts with the page, and sends those signals to Google, which scores them against its risk models. Google does not publish the exact signals or the algorithm, but the broad categories are known. If the activity looks automated, the request is flagged; in the challenge-based versions, the user is then asked to solve a challenge.

Activity and user information reCAPTCHA collects and analyzes includes the following:

  • Typing patterns of the user
  • The number of mouse clicks a user has made on the site, or touches on an app
  • What language the user's browser is using
  • Google cookies already present in the browser
  • The answers to question fields on the site
  • CSS information
  • Plug-ins installed on the browser

It also takes the visitor's IP address into account and, through those cookies, can recognize returning visitors it has previously classified as human.

Versions of reCAPTCHA

There are currently 4 active versions of reCAPTCHA.

ReCAPTCHA v2 ("I'm not a robot" Checkbox) has users click a checkbox to indicate human status. A user may be presented with "challenge" questions to prove they're human and not a bot:

reCAPTCHA: I'm not a robot checkbox

ReCAPTCHA v2 (Invisible reCAPTCHA badge) shows a small badge instead of a checkbox and doesn't require the user to check a box or answer challenge questions. Instead, verification is triggered when the user clicks an existing button on the site, or programmatically through a JavaScript API call. Only traffic that looks highly suspicious is prompted to solve a challenge:

reCAPTCHA invisible badge icon

ReCAPTCHA v2 (Android) can be used on Android apps.

ReCAPTCHA v3 doesn't rely on users clicking checkboxes or pictures at all. Version 3 collects and analyzes the interactions a user has with a site and returns a score between 0.0 (very likely a bot) and 1.0 (very likely a human). Google never blocks anything itself: your server has to check the score and decide what to do. This version is meant to decrease "user friction" by doing away with challenges and create a seamless user experience, which also means users get no visible cue that data is being collected.
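
Whatever the version, the token the widget hands your form is only a claim until your server verifies it with Google. The Node.js example below is added to this article and is not Google's code or code from the article's original text. It builds the POST body for Google's documented siteverify endpoint and then checks the response's success, hostname, action and score fields. The endpoint URL, the request fields (secret, response, remoteip) and the response fields are Google's documented API; the action names, hostnames, threshold, sample responses and the pluggable post function are assumptions made so the logic runs offline.

```javascript
// Server-side check of a reCAPTCHA token. Example added to this article, not
// Google's code. Endpoint, POST fields and JSON response fields are Google's
// documented siteverify API; thresholds, action names, hostnames and the
// sample responses below are constructed for this example.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// Form body for the siteverify POST. `remoteip` is optional in Google's API:
// including it sends the visitor's IP address to Google, so only do that if
// your Privacy Policy discloses it and you actually need it.
function buildVerifyBody(secret, token, remoteip) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteip) params.set("remoteip", remoteip);
  return params.toString();
}

// Decide whether a parsed siteverify response passes. `success: true` alone is
// not enough for v3: the token must also belong to the action and hostname this
// endpoint expects, and the score must clear your threshold. Google only
// reports the score; your server is the only thing that blocks.
// For v2 responses (no score, no action) pass minScore: 0 and omit expectedAction.
function evaluateSiteverify(resp, { expectedAction, expectedHostname, minScore = 0.5 }) {
  if (!resp || resp.success !== true) {
    const codes = (resp && resp["error-codes"]) || [];
    return { ok: false, reason: "token rejected: " + codes.join(",") };
  }
  if (expectedHostname && resp.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname mismatch: " + resp.hostname };
  }
  if (expectedAction && resp.action !== expectedAction) {
    return { ok: false, reason: "action mismatch: " + resp.action };
  }
  if (minScore > 0 && (typeof resp.score !== "number" || resp.score < minScore)) {
    return { ok: false, reason: "score below threshold: " + resp.score };
  }
  return { ok: true, reason: "score " + resp.score };
}

// End-to-end verification with a pluggable `post(url, body)` that returns the
// parsed JSON, so the logic can run without network access. In production pass:
//   (url, body) => fetch(url, { method: "POST", body,
//       headers: { "Content-Type": "application/x-www-form-urlencoded" } })
//     .then(r => r.json())
async function verifyRecaptchaToken(secret, token, expectations, post) {
  const body = buildVerifyBody(secret, token, expectations.remoteip);
  const resp = await post(SITEVERIFY_URL, body);
  return evaluateSiteverify(resp, expectations);
}

// Constructed sample responses in the documented siteverify shape.
const SAMPLE_HUMAN = { success: true, score: 0.9, action: "login",
  challenge_ts: "2023-05-01T12:00:00Z", hostname: "www.example.com" };
const SAMPLE_LIKELY_BOT = { success: true, score: 0.1, action: "login",
  challenge_ts: "2023-05-01T12:00:00Z", hostname: "www.example.com" };
const SAMPLE_WRONG_ACTION = { success: true, score: 0.9, action: "signup",
  challenge_ts: "2023-05-01T12:00:00Z", hostname: "www.example.com" };
// A token that was already verified once (or expired) comes back like this.
const SAMPLE_REUSED_TOKEN = { success: false, "error-codes": ["timeout-or-duplicate"] };

// Stand-alone demo with a fake `post` that returns a canned response.
if (typeof require !== "undefined" && require.main === module) {
  const fakePost = async () => SAMPLE_HUMAN;
  verifyRecaptchaToken("server-secret", "client-token",
    { expectedAction: "login", expectedHostname: "www.example.com", minScore: 0.5 }, fakePost)
    .then(result => console.log(result));
}
```

Two points matter for the Privacy Policy discussion. Google rejects a token that is submitted twice ("timeout-or-duplicate"), so verify each token exactly once, on the server. And the remoteip field is optional: leaving it out is one less piece of personal data you ship to Google, and therefore one less thing you have to disclose.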

Regardless of what version you use on your site or app, you're going to need to have a Privacy Policy.

Why is a Privacy Policy Required With reCAPTCHA?

First, reCAPTCHA uses an algorithm to analyze a user's interaction with a site, including collecting personal information.

Second, there are laws requiring a Privacy Policy when personal information is collected. These laws apply not only to websites that collect the data directly but also when third parties, such as reCAPTCHA, and cookies are used.

For example, the GDPR protects the personal information of EU residents. It requires the inclusion of a Privacy Policy when an EU company, or a company that does business in the EU or has EU users, collects the personal information of a resident of the EU.

The GDPR doesn't only regulate companies that collect data themselves; it also applies when a website uses a third party to collect and process the information. That is exactly what happens when Google collects personal information through the reCAPTCHA embedded in your site or app.

CalOPPA requires the inclusion of a Privacy Policy when the personal information of California residents is collected online or on an app. The Privacy Policy must include how, what, and why the information is obtained and stored. Like the GDPR, CalOPPA's reach extends to the third parties with which companies share the information.

A Privacy Policy required by CalOPPA must also specifically include disclosure of how "do not track" signals are handled. The disclosure needs to include how users can control the collection of their data on the website and across the third-party online services.

Third, Google requires a Privacy Policy if a company uses reCAPTCHA on their site.

Just as the GDPR and CalOPPA require a Privacy Policy notifying users of the collection of personal data, Google requires a "necessary notice" when a site uses reCAPTCHA.

Google's reCAPTCHA Terms of Service, which you must accept in order to use the service, requires you to provide notice to the users and obtain consent for the collection of the data by the APIs. Since a Privacy Policy is a notice of terms, it would fall under the "necessary notice" requirement of Google's terms:

Google reCAPTCHA: Accept the reCAPTCHA Terms of Service checkbox

In addition to the general reCAPTCHA Terms of Service, you must also accept the specific terms of the version you select.

If you select Invisible reCAPTCHA Badge under v2, you must "explicitly inform your visitors" you have integrated reCAPTCHA into your site:

Google reCAPTCHA Invisible Badge: Accept the reCAPTCHA Terms of Service checkbox

The terms for the newest version go even further. In addition to explicitly informing your visitors that v3 is in use, the terms state that the v3 software "may only be used to fight spam and abuse." The service can't be used for anything else, such as assessing credit history or insurability:

Google reCAPTCHA v3: Accept the reCAPTCHA Terms of Service checkbox

Google includes a specific policy for users who are in the EU. If you use reCAPTCHA and you have users in the European Economic Area, you must follow Google's EU User Consent Policy.

The policy includes these specific rules:

  • Obtain users' legally valid consent for cookies and collection and sharing of data
  • Retain documentation of consent and provide ways to revoke consent
  • Clearly identify each party that collects data and a "prominently and easily accessible" disclosure about the party's use of the data
  • Use "commercially reasonable" efforts to make sure a third-party that the data is shared with complies with this policy
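
One practical consequence of the consent rule: as soon as Google's reCAPTCHA script loads, the browser starts talking to Google and sends along any Google cookies it holds, so a site that wants to honor the policy loads the script only after the visitor has agreed. The browser-side snippet below is an example added to this article, not Google's code. Google's script URL and its render parameter (the v3 form; v2 uses the same URL without it) are real. The consent storage key, the site-key placeholder and the storage and doc parameters are assumptions, chosen so the gate can be wired to any consent banner and exercised outside a browser.

```javascript
// Load Google's reCAPTCHA script only after the visitor has consented.
// Example added to this article, not Google's code. The script URL and its
// `render` parameter are Google's; CONSENT_KEY, the site-key placeholder and
// the injected `storage`/`doc` objects are assumptions of this example.
const RECAPTCHA_SCRIPT_URL = "https://www.google.com/recaptcha/api.js";
const CONSENT_KEY = "consent.recaptcha";    // hypothetical storage key
const RECAPTCHA_SITE_KEY = "YOUR_SITE_KEY"; // placeholder, not a real key

// `storage` is anything with localStorage's getItem/setItem/removeItem.
// Revoking consent removes the record, so the next page load stays gated.
function recordRecaptchaConsent(storage, granted) {
  if (granted) storage.setItem(CONSENT_KEY, "granted");
  else storage.removeItem(CONSENT_KEY);
}

function hasRecaptchaConsent(storage) {
  return storage.getItem(CONSENT_KEY) === "granted";
}

// v3 form of the script URL; v2 uses RECAPTCHA_SCRIPT_URL without `render`.
function recaptchaScriptUrl(siteKey) {
  return RECAPTCHA_SCRIPT_URL + "?render=" + encodeURIComponent(siteKey);
}

// Inject the script tag only when consent is recorded. Returns true if the
// script is (or already was) loaded, false if the page stayed gated. `doc` is
// the DOM document, passed in so the logic can be exercised without a browser.
function loadRecaptchaIfConsented(doc, storage, siteKey) {
  if (!hasRecaptchaConsent(storage)) return false;
  const existing = doc.querySelector('script[src^="' + RECAPTCHA_SCRIPT_URL + '"]');
  if (existing) return true; // idempotent: never inject twice
  const script = doc.createElement("script");
  script.src = recaptchaScriptUrl(siteKey);
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// In the browser, call this from the consent banner's "accept" handler and
// again on every page load:
//   recordRecaptchaConsent(window.localStorage, true);
//   loadRecaptchaIfConsented(document, window.localStorage, RECAPTCHA_SITE_KEY);
```

If the visitor declines, the form is submitted without a reCAPTCHA token. Your server then has to decide what to do with that submission, which this article does not cover; plan for it (for example, a different anti-abuse check) rather than silently accepting the request.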

Examples of reCAPTCHA Clauses in Privacy Policies

Now that you know why a Privacy Policy is needed when using reCAPTCHA, what clauses should you include in your policy to notify your users?

The Privacy Policy should put the user on notice that your site uses reCAPTCHA, third-party services, or cookies to collect data.

A good idea is to include a clause about how your site collects a user's data both directly and indirectly. ReCAPTCHA relies mostly on information collected indirectly, such as how the user browses and interacts with the site, rather than anything the user deliberately submits.

Take a look at how Microsoft notifies its users about the collection of direct and indirect data:

Microsoft Privacy Statement: Personal Data We Collect clause

Another key clause to include in your Privacy Policy is about consent. Google's Terms of Service require you to obtain consent before collecting data through reCAPTCHA, the GDPR requires that consent to be legally valid, and CalOPPA requires that the collection be disclosed.

Take a look at how Amazon notifies its users about consent when their data is shared with third-parties:

Amazon Privacy Notice: Does Amazon Share the Information it Receives clause - Consent section

Include a clause about your sharing of data with third parties. Here's how GitHub discloses that it shares user personal information with some service providers (such as Google):

GitHub Privacy Statement: Service Providers - Subprocessors clause

The clause links to a separate page on subprocessors that goes into specifics, including the name of each subprocessor, where the subprocessor is located and a description of the processing that it does:

Github Help: Excerpt of Subprocessors chart

However, you can simply mention that your company uses cookies and partners with third-parties to improve user functionality and protect your site, as Uber does:

Uber Privacy Notice: Cookies and Third-Party Technologies

Even though this doesn't specifically mention reCAPTCHA, it still informs users that the site collects their data, for what reasons, and that third parties are in use.

How to Create a Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

     FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

     FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     FreePrivacyPolicy: Privacy Policy Generator - Answer on questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

Consent to the collection and sharing of information by the websites and third-parties must be given freely, expressly, and unambiguously. The request for consent must be clear and distinguishable to the user.

The best way to get consent is to have a user check an unchecked box to accept the terms of your Privacy Policy. These checkbox-based consent requests can be included in pop-ups, banners and sign-up forms and placed strategically on your website.

Here's a good basic example using a checkbox to get acceptance to a Privacy Policy:

Transferwise Agree checkbox

Another common but less favorable way to obtain consent is to include a statement or disclosure that taking some action means the user accepts the terms, which would include the use of third parties like reCAPTCHA.

Here's how Nike does it in its log in form:

Nike log in form

Note that in both styles, a link is provided to the Privacy Policy. This lets users quickly and easily check to see exactly what they're consenting to if they wish.

Summary

Protecting your site from misuse and spamming bots is extremely important. One way of preventing abuse of your site is integrating Google's reCAPTCHA into your site.

If your company wishes to use reCAPTCHA, you must include a Privacy Policy on your site. Google itself and global privacy laws such as the GDPR and CalOPPA all require your users to be notified of the use of third-party services and cookies that collect their personal information.

Be sure to follow these simple rules to compliantly use reCAPTCHA:

  • Include a Privacy Policy
  • Disclose that you collect data indirectly
  • Disclose the use of third-parties
  • Obtain clear consent to your Privacy Policy