If you've added reCAPTCHA to your website or mobile app, you must include a Privacy Policy.
ReCAPTCHA is a Google service that collects the personal information of users when it is integrated into a website or app to protect against bots. Google, the California Online Privacy Protection Act (CalOPPA), and the General Data Protection Regulation (GDPR) all require a Privacy Policy to be in place to notify users of the system.
Including a Privacy Policy has become even more important as Google launched a new version of reCAPTCHA in 2018 that reduces "user interference" by doing away with "challenge" questions.
Let's first take a look at what reCAPTCHA is before explaining why a Privacy Policy is needed.
What is ReCAPTCHA and How Does it Work?
ReCAPTCHA helps websites and mobile apps prevent spam and block "bots." The program determines whether the user is a real person or a "bot" to stop "automated software" from weighing down your site.
ReCAPTCHA works by running an algorithm that analyzes a user's activity, which involves taking a screenshot of the user's browser window. If the activity is deemed mechanical or a made-up word is used, the system flags the activity.
Activity and user information reCAPTCHA collects and analyzes includes the following:
- Typing patterns of the user
- The number of mouse clicks a user has made on the site, or touches on an app
- What language the user's browser is using
- Google cookies that have been placed on the site
- The answers to question fields on the site
- CSS information
- Plug-ins installed on the browser
The algorithm also recognizes, via cookies, IP addresses that have previously been identified as belonging to humans.
Versions of reCAPTCHA
There are currently 4 active versions of reCAPTCHA.
ReCAPTCHA v2 ("I'm not a robot" Checkbox) has users click a checkbox to indicate human status. A user may be presented with "challenge" questions to prove they're human and not a bot:
ReCAPTCHA v2 (Invisible reCAPTCHA badge) shows an invisible reCAPTCHA badge and doesn't require the user to check a box or answer challenge questions. Instead, verification is triggered when the user clicks an existing button on the site, or through a JavaScript call. This method only prompts very suspicious traffic to solve a CAPTCHA:
ReCAPTCHA v2 (Android) can be used on Android apps.
ReCAPTCHA v3 doesn't rely on users clicking checkboxes or pictures. Version 3 collects and analyzes the interactions a user has with a site to create a score. The final score indicates whether the activity is suspicious. This version is meant to decrease "user friction" by doing away with questions and create a seamless user experience.
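The v3 score described above is only useful if the site checks it server-side. The following is an added example, not code from the original article or from Google: it evaluates a v3 verification result using the field names of Google's siteverify JSON response (`success`, `score`, `action`, `hostname`, `error-codes`) and goes slightly beyond the text by also checking the action and hostname, so a token solved for one form on another site is not accepted. The threshold, the expected action and hostname, and the sample responses are assumptions constructed for this example.

```javascript
// Added example (not from the original article): server-side acceptance logic for a
// reCAPTCHA v3 siteverify result. Field names follow Google's documented response;
// MIN_SCORE and the expected action/hostname are assumptions for this example.
const MIN_SCORE = 0.5; // assumed threshold: lower scores are treated as likely bots

// Decide whether a siteverify result should be accepted for a given form action.
// Returns {ok: boolean, reason: string} so the caller can log why a request was refused.
function evaluateRecaptchaV3(result, expected) {
  if (!result || result.success !== true) {
    const codes = (result && result["error-codes"]) || [];
    return { ok: false, reason: "verification failed: " + (codes.join(",") || "unknown") };
  }
  // The token is bound to the action name used when it was requested on the page;
  // a mismatch means a token minted for one form is being submitted to another.
  if (result.action !== expected.action) {
    return { ok: false, reason: "action mismatch: " + result.action };
  }
  // hostname is the site on which the token was solved; it must be ours.
  if (result.hostname !== expected.hostname) {
    return { ok: false, reason: "hostname mismatch: " + result.hostname };
  }
  if (typeof result.score !== "number" || result.score < MIN_SCORE) {
    return { ok: false, reason: "score too low: " + result.score };
  }
  return { ok: true, reason: "score " + result.score };
}

// Constructed sample responses (not captured from Google's service).
const SAMPLE_OK = { success: true, score: 0.9, action: "signup", challenge_ts: "2024-01-01T00:00:00Z", hostname: "example.com" };
const SAMPLE_LOW = { success: true, score: 0.1, action: "signup", challenge_ts: "2024-01-01T00:00:00Z", hostname: "example.com" };
const SAMPLE_REPLAY = { success: true, score: 0.9, action: "login", challenge_ts: "2024-01-01T00:00:00Z", hostname: "example.com" };
const SAMPLE_FAIL = { success: false, "error-codes": ["timeout-or-duplicate"] };
const EXPECTED = { action: "signup", hostname: "example.com" }; // assumed values for this site

for (const sample of [SAMPLE_OK, SAMPLE_LOW, SAMPLE_REPLAY, SAMPLE_FAIL]) {
  console.log(evaluateRecaptchaV3(sample, EXPECTED));
}
```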
Regardless of what version you use on your site or app, you're going to need to have a Privacy Policy.
Why is a Privacy Policy Required With reCAPTCHA?
First, reCAPTCHA uses an algorithm to analyze a user's interaction with a site, including collecting personal information.
Second, there are laws requiring a Privacy Policy when private information is collected. These laws apply not only to websites that collect the data directly, but also when third-party services such as reCAPTCHA, and cookies, are used.
For example, the GDPR protects the personal information of EU residents. It requires the inclusion of a Privacy Policy when an EU company, or a company that does business in the EU or has EU users, collects the personal information of a resident of the EU.
The GDPR doesn't only cover data that companies collect themselves; it extends to cases where websites use third parties to collect and process the information, which applies here to Google's collection of personal information via a site or app that uses reCAPTCHA.
CalOPPA requires the inclusion of a Privacy Policy when the personal information of California residents is collected online or on an app. The Privacy Policy must include how, what, and why the information is obtained and stored. Like the GDPR, CalOPPA's reach extends to the third parties that companies share the information with.
A Privacy Policy required by CalOPPA must also specifically include disclosure of how "do not track" signals are handled. The disclosure needs to include how users can control the collection of their data on the website and across the third-party online services.
Third, Google requires a Privacy Policy if a company uses reCAPTCHA on their site.
Just as the GDPR and CalOPPA require a Privacy Policy notifying users of the collection of personal data, Google also requires a "necessary notice" when a site uses reCAPTCHA.
Google's reCAPTCHA Terms of Service, which you must accept in order to use the service, requires you to provide notice to the users and obtain consent for the collection of the data by the APIs. Since a Privacy Policy is a notice of terms, it would fall under the "necessary notice" requirement of Google's terms:
In addition to the general reCAPTCHA Terms of Service, you must also accept the specific terms of the version you select.
If you select Invisible reCAPTCHA Badge under v2, you must "explicitly inform your visitors" you have integrated reCAPTCHA into your site:
The terms for the newest version go even further. In addition to explicitly informing your visitors of the implementation of v3, the terms go on to state that the v3 software "may only be used to fight spam and abuse." The service can't be used to look at credit card history or insurability:
Google's EU User Consent Policy
Google includes a specific policy for users who are in the EU. If you use reCAPTCHA and you have users in the European Economic Area, you must follow Google's EU User Consent Policy.
The policy includes these specific rules:
- Obtain users' legally valid consent for cookies and collection and sharing of data
- Retain documentation of consent and provide ways to revoke consent
- Clearly identify each party that collects data and provide a "prominently and easily accessible" disclosure of that party's use of the data
- Use "commercially reasonable" efforts to make sure any third party the data is shared with complies with this policy
Examples of reCAPTCHA Clauses in Privacy Policies
Now that you know why a Privacy Policy is needed when using reCAPTCHA, what clauses should you include in your policy to notify your users?
The Privacy Policy should put the user on notice that your site uses reCAPTCHA, third-party services, or cookies to collect data.
A good idea is to include a clause about how your site collects a user's data both directly and indirectly. ReCAPTCHA's algorithm often looks at information collected indirectly from a user, such as how the user browses or searches through the site.
Take a look at how Microsoft notifies its users about the collection of direct and indirect data:
Another key clause to include in your Privacy Policy is about consent. Consent is required to use reCAPTCHA under Google's Terms of Service, the GDPR, and CalOPPA.
Take a look at how Amazon notifies its users about consent when their data is shared with third-parties:
Include a clause about your sharing of data with third parties. Here's how GitHub discloses that it shares user personal information with some service providers (such as Google):
The clause links to a separate page on subprocessors that goes into specifics, including the name of each subprocessor, where the subprocessor is located and a description of the processing that it does:
However, you can simply mention that your company uses cookies and partners with third-parties to improve user functionality and protect your site, as Uber does:
Even though this doesn't specifically mention reCAPTCHA, it still informs users that the site collects their data, for what reasons, and that third parties are in use.
How to Create a Privacy Policy
Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.
- Click on the "Free Privacy Policy Generator" button, located at the top of the website.
- Select where your Privacy Policy will be used:
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
- Continue building your Privacy Policy by answering the questions from our wizard:
- Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.
That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.
Obtaining Consent
Consent to the collection and sharing of information by the websites and third-parties must be given freely, expressly, and unambiguously. The request for consent must be clear and distinguishable to the user.
The best way to get consent is to have a user check an unchecked box to accept the terms of your Privacy Policy. These checkbox-based consent requests can be included in pop-ups, banners and sign-up forms and placed strategically on your website.
Here's a good basic example using a checkbox to get acceptance to a Privacy Policy:
Another common but less favorable way to obtain consent is by including a statement or disclosure that states taking some action means the user accepts the terms, which would include the use of third-parties like reCAPTCHA.
Here's how Nike does it in its login form:
Note that in both styles, a link is provided to the Privacy Policy. This lets users quickly and easily check to see exactly what they're consenting to if they wish.
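Since reCAPTCHA starts collecting interaction data and setting Google cookies as soon as its script is loaded, a site that relies on checkbox consent should not load the script until the box has been ticked. The block below is an added example, not code from the original article or from Google: it records consent from an unchecked-by-default checkbox (with the timestamp and policy version needed to document and later revoke it, as the EU User Consent Policy above requires) and only then injects Google's reCAPTCHA script. The consent-record shape, the policy version, the site key placeholder and the stand-in `document` object are assumptions constructed for this example.

```javascript
// Added example (not from the original article): gate loading of the reCAPTCHA script
// on a recorded, explicit consent so no reCAPTCHA cookies are set before consent.
const RECAPTCHA_API = "https://www.google.com/recaptcha/api.js"; // Google's script URL

// A consent record counts only if it is explicit (checkbox ticked), tied to the
// current Privacy Policy version, and carries a parseable timestamp for the records.
function isValidConsent(record, currentPolicyVersion) {
  return !!record &&
    record.given === true &&
    record.policyVersion === currentPolicyVersion &&
    typeof record.timestamp === "string" &&
    !Number.isNaN(Date.parse(record.timestamp));
}

// Build a consent record from the state of an unchecked-by-default checkbox.
function recordConsent(checkboxChecked, policyVersion, now = new Date()) {
  return { given: checkboxChecked === true, policyVersion, timestamp: now.toISOString() };
}

// Inject the reCAPTCHA script into `doc` only if consent is valid; returns true if
// injected. `doc` is the DOM document, passed in so the gate can run without a browser.
function loadRecaptchaIfConsented(doc, record, policyVersion, siteKey) {
  if (!isValidConsent(record, policyVersion)) return false;
  if (doc.querySelector("script[data-recaptcha]")) return false; // already loaded once
  const script = doc.createElement("script");
  script.src = RECAPTCHA_API + "?render=" + encodeURIComponent(siteKey);
  script.async = true;
  script.setAttribute("data-recaptcha", "true");
  doc.head.appendChild(script);
  return true;
}

// Constructed stand-in for `document` (assumption) so the gate can be exercised offline.
function fakeDocument() {
  const scripts = [];
  return {
    head: { appendChild: (el) => scripts.push(el) },
    createElement: () => ({ setAttribute(name, value) { this[name] = value; } }),
    querySelector: () => scripts.find((el) => el["data-recaptcha"]) || null,
  };
}

const POLICY_VERSION = "2024-01"; // assumed current Privacy Policy version
const doc = fakeDocument();
console.log(loadRecaptchaIfConsented(doc, recordConsent(false, POLICY_VERSION), POLICY_VERSION, "SITE_KEY_PLACEHOLDER")); // false
console.log(loadRecaptchaIfConsented(doc, recordConsent(true, POLICY_VERSION), POLICY_VERSION, "SITE_KEY_PLACEHOLDER"));  // true
```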
Summary
Protecting your site from misuse and spamming bots is extremely important. One way of preventing abuse of your site is integrating Google's reCAPTCHA into your site.
If your company wishes to use reCAPTCHA, you must include a Privacy Policy on your site. Google itself and global privacy laws such as the GDPR and CalOPPA all require your users to be notified of the use of third-party services and cookies that collect their personal information.
Be sure to follow these simple rules to compliantly use reCAPTCHA:
- Include a Privacy Policy
- Disclose that you collect data indirectly
- Disclose the use of third-parties
- Obtain clear consent to your Privacy Policy