
Google ReCAPTCHA Privacy Policy: What to Include
Protecting your company’s website from bot attacks is fundamental to securing sensitive data and maintaining availability. Many companies use Google reCAPTCHA for bot protection and to reduce the risk of data breaches.
Google’s “invisible” reCAPTCHA collects and analyzes how users navigate your website to decide whether the activity looks automated. While it can help mitigate risk from less sophisticated bots, it captures personal data and sends it to Google, which affects your privacy compliance posture. More importantly, there is some uncertainty about how Google uses the data it gathers through this tool.
To get and stay compliant, your website needs a reCAPTCHA privacy policy that clearly gives users notice of this collection and lets them opt out.
What is the reCAPTCHA privacy policy?
reCAPTCHA aims to verify users without interrupting them, so instead of always posing a challenge it collects signals that can identify some types of bot activity. At a high level, reCAPTCHA takes a snapshot of what you’re doing on a website, compares that information with what it knows about bot activity, and uses a scoring algorithm to decide whether you’re a real person.
Types of Data ReCAPTCHA Collects:
- IP address
- Resources loaded, including stylesheets and images
- Google account information, when the user is signed into a Google account
- Behavior, like scrolling on a page, moving the mouse, clicking on links, time spent completing forms, and typing patterns
- Referrer URL
- CSS information
- Browser plug-ins
- Cookies
Why is a reCAPTCHA privacy policy necessary?
Over the last five years, more legislative bodies have implemented laws intended to protect data privacy. Although the European Union (EU) General Data Protection Regulation (GDPR) may be the most famous, at least five US states now have comprehensive data privacy laws.
Some examples of these laws include:
- California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
Further, privacy laws have been enacted globally, including:
- Brazil Lei Geral de Proteção de Dados Pessoais (LGPD)
- China Personal Information Protection Law (PIPL)
- Australia Privacy Act and the Australian Privacy Principles
- South Africa Protection of Personal Information Act (POPIA)
As countries adopt increasingly stringent privacy laws, companies need to understand their responsibilities to avoid fines and penalties.
Google’s Privacy Policy Requirements
Recognizing the global move toward enforcing privacy laws, Google offers suggestions for establishing a basic privacy policy.
According to Google, your privacy policy should include, at minimum, the following:
- What data you collect
- How you use the data
- What data you share
- Who you share data with
The Lack of User Privacy Protection & Compliance with ReCAPTCHA
Google’s suggestions are a bare minimum for what your privacy policy needs to include. Google also notes that you may want to address your information security practices, the ways people can change or delete personal information, and your data retention practices.
Further, while reCAPTCHA may mitigate some risks, it does not protect against sophisticated bot attacks, and the data it gathers is shared with Google, which may use it for its own business purposes. This affects your privacy compliance posture, especially when it comes to the GDPR’s requirements.
EU User Consent Policy
Google recognizes and addresses some of these obligations. For example, its EU User Consent Policy requires sites that use Google products for users in the EU and UK to make certain disclosures and obtain consent.
For any Google products used on your website, including reCAPTCHA, you need to:
- Obtain consent to use cookies or other local storage
- Obtain consent to collect, share, and use personal data to personalize advertising
- Retain records of user consent
- Provide clear instructions for how users can revoke consent
- Identify each party that may collect, receive, or use personal data
- Provide clear and easily accessible information about how those parties use personal data
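The requirements above have a direct engineering consequence: the reCAPTCHA script sets cookies and sends data to Google as soon as it loads, so the page must not load it until consent for that purpose has been recorded, and must stop loading it once consent is withdrawn. The following consent-gated loader is an added example written for this article; it is not code from DataDome or Google. It assumes the standard reCAPTCHA loader URL (`https://www.google.com/recaptcha/api.js`), an in-memory consent record with a hypothetical policy version string, and a small constructed stand-in for `document` so the file runs under Node without a browser. In a real page you would pass the browser’s `document` and persist the consent record server-side or in first-party storage.

```javascript
// Consent-gated loading of Google reCAPTCHA (added example, not DataDome's or
// Google's code). Assumed: the standard loader URL below, an in-memory consent
// store, and a constructed fake `document` so the example runs without a browser.
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js'; // assumed standard loader URL
const POLICY_VERSION = '2024-01'; // hypothetical: bump whenever the privacy policy text changes

// Consent record to retain: which purposes were agreed, under which policy
// version, when consent was granted, and when (if ever) it was withdrawn.
function createConsentStore(now = () => Date.now()) {
  let record = null;
  return {
    grant(purposes) {
      record = { purposes: [...purposes], policyVersion: POLICY_VERSION, grantedAt: now(), revokedAt: null };
      return record;
    },
    revoke() {
      if (record && record.revokedAt === null) record.revokedAt = now();
      return record;
    },
    current() { return record; },
  };
}

// The gate: reCAPTCHA may load only if the user agreed to the cookie/local-storage
// purpose, did so under the policy version now in force (a policy change forces
// re-consent), and has not withdrawn that consent since.
function mayLoadRecaptcha(record) {
  return Boolean(record)
    && record.revokedAt === null
    && record.policyVersion === POLICY_VERSION
    && record.purposes.includes('recaptcha_cookies');
}

// Find loader <script> elements already in the page (no duplicates on re-entry).
function loaderScripts(doc) {
  return Array.from(doc.querySelectorAll('script')).filter((s) => s.src === RECAPTCHA_SRC);
}

// Inject the Google script only after the gate passes. Returns whether the
// loader is (now) present in the page.
function loadRecaptcha(doc, record) {
  if (!mayLoadRecaptcha(record)) return false;
  if (loaderScripts(doc).length > 0) return true;
  const s = doc.createElement('script');
  s.src = RECAPTCHA_SRC;
  s.async = true;
  s.defer = true;
  doc.head.appendChild(s);
  return true;
}

// Withdrawal: record it, then remove the loader and any rendered widget so no
// further data leaves the page. Google's own cookies are set on google.com and
// cannot be cleared from here; the user must clear them in the browser, and a
// full page reload is what actually discards the already-executed script.
function unloadRecaptcha(doc, store) {
  store.revoke();
  for (const el of loaderScripts(doc)) el.remove();
  for (const el of Array.from(doc.querySelectorAll('.g-recaptcha'))) el.remove();
  return loaderScripts(doc).length === 0;
}

// Constructed stand-in for the DOM: just enough of `document` for the code above.
function fakeDocument() {
  const nodes = [];
  const doc = {
    head: { appendChild(el) { nodes.push(el); return el; } },
    createElement(tag) {
      const el = { tagName: tag.toUpperCase(), className: '', src: '' };
      el.remove = () => { const i = nodes.indexOf(el); if (i >= 0) nodes.splice(i, 1); };
      return el;
    },
    querySelectorAll(sel) {
      return nodes.filter((n) => (sel.startsWith('.')
        ? n.className.split(' ').includes(sel.slice(1))
        : n.tagName === sel.toUpperCase()));
    },
  };
  return doc;
}

// Walk-through on the constructed document with a fixed clock; returns the
// outcome of each step so the behaviour can be checked, not just printed.
function walkthrough() {
  const store = createConsentStore(() => 1700000000000);
  const doc = fakeDocument();
  const steps = [];
  steps.push(loadRecaptcha(doc, store.current()));          // no consent recorded: false
  store.grant(['analytics']);
  steps.push(loadRecaptcha(doc, store.current()));          // consent to another purpose: false
  store.grant(['analytics', 'recaptcha_cookies']);
  steps.push(loadRecaptcha(doc, store.current()));          // gate passes: true, script injected
  steps.push(loaderScripts(doc).length);                     // exactly one loader
  steps.push(loadRecaptcha(doc, store.current()));          // re-entry: true, no duplicate
  steps.push(loaderScripts(doc).length);                     // still one
  unloadRecaptcha(doc, store);
  steps.push(loaderScripts(doc).length);                     // removed: zero
  steps.push(loadRecaptcha(doc, store.current()));          // consent withdrawn: false
  return steps;
}

console.log(JSON.stringify(walkthrough()));
```

The policy-version check is what turns the "communicate changes" obligation into code: once you publish a revised policy and bump the version, every stored record fails the gate until the user consents again, which is exactly the re-consent the regulations expect.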
What Your Google ReCAPTCHA Privacy Policy Should Include
Writing a Google reCAPTCHA privacy policy might feel overwhelming, but you can break it into actionable steps that get you to your compliance and data privacy goals. At minimum, to comply with the GDPR you need to disclose that you use Google’s reCAPTCHA and explain what that means for users.
What You Collect
Your policy needs to clearly identify what reCAPTCHA collects on your site. Remember that when users are signed into their Google accounts, reCAPTCHA can associate its data with that account, and users should be made aware of that.
Some examples of data that you need to consider include:
- Referrer URL
- IP Address
- Operating system information
- Cookies
- Mouse and keyboard behavior
- Date and language settings
- JavaScript objects
- Screen resolution
Why You Need the Data
Most comprehensive data privacy laws require you to minimize your data collection: instead of collecting everything you can, collect only what you need for a stated purpose. The GDPR, for example, makes both “purpose limitation” and “data minimisation” explicit principles (Article 5(1)(b) and (c)).
Your reCAPTCHA policy should therefore state your reason for capturing the personal data. In this case, the purpose is to mitigate data breaches and abuse caused by malicious bots.
How You Collect Data
To give consent, users need to know how you collect data. If you’re using reCAPTCHA, you need to consider all the places on your website where the technology collects user information, including:
- Cookies
- Forms
- Surveys
- Registration pages
- Newsletter signup pages
- Link clicks
How You Retain Data
Since reCAPTCHA sends data to Google, you don’t control exactly where the information is stored. Your policy needs to say so, and to identify Google as the recipient, especially if you have to comply with data residency or cross-border transfer requirements. You should also explain that the retention period is set by Google, not by you, and point users to Google’s own privacy policy for it.
Ways You Communicate Changes
Your website is dynamic, and your privacy policy may change over time. Most importantly, you may choose to change how you use information.
You need to tell users how you plan to let them know about these changes so they have the option to revoke consent. You may choose to email them or post a privacy policy modification date on your website.
How Users Can Communicate with You
In case people have questions about your privacy policy, you need to direct them to someone who can provide answers. For example, you may choose to provide a webmaster email address.
How You Safeguard Personal Data
Cybersecurity and data privacy are interconnected. Privacy requires you to obtain user consent and to ensure that only authorized people can access personal data. If malicious actors gain unauthorized access, you have both a data security and a privacy issue.
Your privacy policy should outline your information protections, including:
- Technical safeguards, such as access controls and encryption
- Physical access controls
- Website and application security controls, such as enforcing HTTPS (TLS) on every page
- Alternative ways for users to provide confidential data
How Users Can Delete Data
Since reCAPTCHA sends the data to Google, users may need to contact Google Support to have all their data deleted. You can also explain how they can minimize the data the reCAPTCHA sends by suggesting:
- Logging out of their Google accounts
- Deleting history
- Deleting cookies
Remain Compliant & Keep User Data Secure with DataDome
DataDome’s CAPTCHA combines privacy, ease of use, and security for better bot protection. It safeguards end user privacy because it does not capture personally identifiable information such as name, email address, credentials, phone number, International Mobile Equipment Identity (IMEI) number, or payment details. With significantly reduced load and solve times, it provides a better end-user experience, supporting the customer journey and more conversions.
With a false positive rate of 0.01%, it protects your organization against bot attacks and online fraud while reducing the burden on your security team.
*** This is a Security Bloggers Network syndicated blog from Blog – DataDome authored by DataDome. Read the original post at: https://datadome.co/data-privacy/recaptcha-privacy-policy/