Two CAPTCHAs, Two Privacy Models
Bot protection is a basic requirement for any website that accepts form submissions, runs a login page, or processes payments. The two most widely deployed CAPTCHA services - Google reCAPTCHA and hCaptcha - take fundamentally different approaches to user data.
Google reCAPTCHA, particularly version 3, works by continuously analysing user behaviour across the page. It scores visitors based on mouse movements, scroll patterns, browsing history, and device characteristics. hCaptcha, built by Intuition Machines, positions itself as a privacy-first alternative that minimises data retention and avoids cross-site tracking.
Both services set cookies on your visitors' devices. That single fact triggers obligations under Article 5(3) of the ePrivacy Directive and, depending on how the cookies are classified, may require prior consent before the CAPTCHA loads.
What Cookies Does reCAPTCHA Set?
reCAPTCHA v2 and v3 rely on Google's broader cookie infrastructure. When a visitor loads a page with reCAPTCHA, the following cookies typically appear:
| Cookie | Purpose | Duration | Classification |
|---|---|---|---|
| _GRECAPTCHA | Risk analysis and bot detection | 6 months | Functional / Non-essential |
| NID | Google preference and ad personalisation | 6 months | Non-essential |
| SIDCC | Google security cookie | 1 year | Non-essential |
| HSID, SID, APISID | Google authentication and fraud prevention | 2 years | Non-essential |
The _GRECAPTCHA cookie itself stores a unique identifier that Google uses to build a behavioural fingerprint. Because reCAPTCHA operates within Google's ecosystem, visitors who are logged into a Google account may have their CAPTCHA interactions linked to their broader browsing profile.
Google's own documentation does not publish a separate privacy policy for reCAPTCHA. This creates a transparency problem: website operators cannot easily tell visitors exactly what data is collected, making it difficult to meet the information obligations under GDPR Article 13.
What Cookies Does hCaptcha Set?
hCaptcha sets fewer cookies and claims they fall within the "strictly necessary" exemption. The primary cookie is:
| Cookie | Purpose | Duration | Classification |
|---|---|---|---|
| hc_accessibility | Accessibility settings for users with disabilities | Session | Strictly necessary |
| hmt_id | Unique session identifier for challenge delivery | Session / Short-lived | Functional |
hCaptcha states it does not use cookies for advertising or cross-site tracking. The service also claims no long-term retention of personal data.
That said, hCaptcha still collects IP addresses, browser metadata, mouse movements, interaction timing, and gyroscopic data (on mobile devices). This data is processed by Intuition Machines, a US-based company, which means cross-border data transfer rules apply for EU visitors. hCaptcha is certified under the EU-US Data Privacy Framework, which provides a legal mechanism for these transfers since the European Commission's adequacy decision in 2023.
Data Collection: A Side-by-Side Comparison
The scope of data each service processes differs significantly.
| Data Type | reCAPTCHA | hCaptcha |
|---|---|---|
| IP address | Yes | Yes |
| Browser and OS information | Yes | Yes |
| Mouse movements and clicks | Yes | Yes |
| Keystroke patterns | Yes (v3) | No |
| Browsing history / referrer | Yes | No |
| Google account linkage | Yes (if logged in) | No |
| Cross-site tracking | Yes | No (claimed) |
| Advertising profile enrichment | Possible | No |
| Data retention | Not clearly specified | Minimal / session-based |
reCAPTCHA v3 is particularly data-hungry because it runs continuously in the background. Unlike v2 (the "I'm not a robot" checkbox), v3 never presents a visible challenge. It silently monitors behaviour across every page where the script is loaded, collecting data that goes well beyond what is needed to distinguish a bot from a human.
Do CAPTCHAs Require Cookie Consent?
This is where many website operators get it wrong. The assumption that bot protection cookies are "strictly necessary" and therefore exempt from consent does not hold up under scrutiny for reCAPTCHA.
Article 5(3) of the ePrivacy Directive exempts cookies that are "strictly necessary" for a service explicitly requested by the user. A CAPTCHA on a contact form could arguably meet this test - the user is submitting the form, and bot protection supports that action. But reCAPTCHA v3 loads on every page, not just forms. And the cookies it sets serve purposes beyond bot detection, including Google's own advertising and analytics functions.
The CNIL fined Cityscoot EUR 125,000 partly for deploying Google reCAPTCHA without obtaining prior consent. The company had not informed users about the data collection or provided a mechanism to refuse it. NS Cards France received a EUR 105,000 fine for similar violations - using reCAPTCHA without any user information or consent mechanism in place.
hCaptcha's position is stronger. If its cookies genuinely qualify as strictly necessary (session-based, no tracking, no advertising), they may fall within the consent exemption. But "may" is not "definitely." Some data protection authorities take the view that any third-party service setting cookies warrants at least a disclosure, and best practice is to obtain consent before loading any external script.
GDPR Compliance: Where Each Service Stands
Under GDPR, both reCAPTCHA and hCaptcha process personal data (IP addresses, device identifiers, behavioural data). The website operator is the data controller and must identify a lawful basis for processing.
For reCAPTCHA, legitimate interest is the most commonly cited basis. But legitimate interest requires a balancing test (Article 6(1)(f)), and the EDPB has signalled that extensive behavioural tracking for bot detection may not pass that test when less invasive alternatives exist. The fact that hCaptcha achieves comparable bot protection with less data collection weakens the "necessity" argument for reCAPTCHA.
Google's role as a data processor (or potentially joint controller, depending on the configuration) adds complexity. The lack of a dedicated reCAPTCHA privacy policy makes it harder for website operators to complete a Data Protection Impact Assessment, which may be required given the scale of data processing involved.
hCaptcha publishes a detailed privacy policy and a specific GDPR compliance page. It acts as a data processor under GDPR and offers a Data Processing Agreement. Its EU-US Data Privacy Framework certification provides a recognised transfer mechanism.
Practical Impact on Your Website
Choosing between reCAPTCHA and hCaptcha affects more than compliance paperwork. It changes how your cookie banner must work.
If you use reCAPTCHA, you should treat it as a non-essential service and block the script until the visitor grants consent. This means your forms, login pages, and checkout flows are unprotected until consent is given - a genuine security trade-off. You can mitigate this by using server-side rate limiting or honeypot fields as a fallback for visitors who decline cookies.
If you use hCaptcha, you may be able to load it without prior consent if you can demonstrate the cookies are strictly necessary. But you still need to disclose the service in your cookie policy and privacy policy, and document your reasoning for the strictly necessary classification.
Both services require you to list them in your third-party vendor register and ensure a Data Processing Agreement is in place.
reCAPTCHA v3 and Browser Fingerprinting
reCAPTCHA v3's continuous behavioural analysis goes beyond traditional cookies. It collects screen resolution, installed plugins, language settings, and rendering characteristics - data points that constitute browser fingerprinting.
The CNIL has explicitly stated that fingerprinting falls under Article 5(3) of the ePrivacy Directive and requires consent unless strictly necessary. Running reCAPTCHA v3 site-wide, on pages where no user interaction requires bot protection, is difficult to justify as strictly necessary.
Which CAPTCHA Should You Choose?
From a pure privacy standpoint, hCaptcha is the less invasive option. It collects less data, does not feed into an advertising ecosystem, and offers clearer documentation for GDPR compliance. For websites subject to GDPR or the ePrivacy Directive, it presents a simpler compliance path.
reCAPTCHA v3 offers strong bot detection powered by Google's vast data network, but that strength is also its privacy weakness. The volume of data it processes, the opacity of Google's privacy disclosures, and the enforcement actions by the CNIL all point to higher compliance risk.
If you do choose reCAPTCHA, limit it to pages where bot protection is genuinely needed (forms, login, checkout) rather than deploying it site-wide. Use Google Consent Mode v2 to respect visitor choices, and make sure your consent management platform blocks the reCAPTCHA script until consent is granted.
Frequently Asked Questions
Does reCAPTCHA set cookies without user consent?
Yes, reCAPTCHA sets cookies such as _GRECAPTCHA and potentially other Google cookies when the script loads. Under the ePrivacy Directive, these cookies require prior consent unless they qualify as strictly necessary - which is contested for reCAPTCHA given its broader data collection.
Is hCaptcha fully GDPR compliant?
hCaptcha is designed with GDPR compliance in mind and is certified under the EU-US Data Privacy Framework. It processes less personal data than reCAPTCHA and offers a Data Processing Agreement. However, no third-party service is automatically compliant - you must still document your lawful basis and disclose the processing to visitors.
Can I use reCAPTCHA without a cookie banner?
No. reCAPTCHA sets non-essential cookies that require prior consent under the ePrivacy Directive. The CNIL has fined companies for using reCAPTCHA without informing users or obtaining consent. A cookie consent mechanism is required.
What happens to form protection if a visitor rejects cookies?
If reCAPTCHA is blocked until consent is given, visitors who decline cookies will not have CAPTCHA protection on forms. You can use server-side measures such as honeypot fields, rate limiting, or token-based validation as fallback bot protection.
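The fallback described in this answer and in the "Practical Impact" section above, as an added example that is not from the original article: a server-side form check that verifies the CAPTCHA token only when the visitor consented (so the third-party script actually loaded) and otherwise relies on a honeypot field plus a per-IP sliding-window rate limit. The `verify_token` callback, the honeypot field name and the limits are assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed policy values: 5 submissions per IP per 10 minutes in fallback mode.
RATE_LIMIT = 5
RATE_WINDOW_SECONDS = 600
HONEYPOT_FIELD = "website"  # hidden field a human never fills in (assumed name)


class SlidingWindowLimiter:
    """Per-client sliding-window counter. In-memory for the example;
    a multi-process deployment would back this with a shared store."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.time() if now is None else now
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_submission(form, client_ip, consent_given, limiter, verify_token, now=None):
    """Return (accepted, reason).

    verify_token(token) -> bool is the site's CAPTCHA verification callback
    (assumed; in practice it calls the provider's verify endpoint server-side).
    It is consulted only when the visitor consented, because without consent
    the CAPTCHA script was never loaded and any token present is untrusted."""
    if consent_given and form.get("captcha_token"):
        if verify_token(form["captcha_token"]):
            return True, "captcha"
        return False, "captcha-failed"
    # Consent-free path: no third-party script ran, so use server-side signals only.
    if form.get(HONEYPOT_FIELD):
        return False, "honeypot"
    if not limiter.allow(client_ip, now):
        return False, "rate-limited"
    return True, "fallback"
```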
Does hCaptcha transfer data outside the EU?
Yes. hCaptcha is operated by Intuition Machines, a US-based company. Data transfers are covered by the EU-US Data Privacy Framework and Standard Contractual Clauses, providing a lawful transfer mechanism under GDPR Chapter V.
Has any company been fined for using reCAPTCHA?
Yes. The CNIL fined Cityscoot EUR 125,000 and NS Cards France EUR 105,000, in both cases partly for deploying reCAPTCHA without proper consent or user information. These decisions confirm that reCAPTCHA requires consent under EU cookie rules.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - including those set by CAPTCHA services - so your visitors get a clear choice, and you stay on the right side of the law.