From 2 April 2026, Google will take on a new GDPR role for reCAPTCHA. Instead of acting as a controller, Google will act as a data processor. For website operators, this means more obligations and a need for action.
What does reCAPTCHA process?
Google reCAPTCHA analyzes user data to distinguish humans from bots. Depending on the integration, this covers extensive data points such as IP address, device and browser characteristics, telephone numbers, email addresses and even payment data. Until now, Google has acted as an independent controller within the meaning of the GDPR. Data protection advocates criticized the lack of transparency, the transfer of data to the USA and the potential use of the data for AI training and marketing purposes. From the change onward, the controller responsibility under the GDPR will lie with you as the website operator.
What does this mean in practice?
- You are responsible for fulfilling the information obligations, establishing the legal basis and, where required, obtaining user consent.
- A data processing agreement (DPA) must be concluded with Google.
- Your privacy policy must describe the data processing carried out by reCAPTCHA.
- References to Google's privacy policy and terms of use must be removed.
Consider alternatives:
Despite the change in GDPR roles, some questions about the use of Google reCAPTCHA remain open. Whether consent is required for the use of Google reCAPTCHA is legally disputed. The transfer of personal data to the USA on the basis of the EU-U.S. Data Privacy Framework is at risk in the medium term due to political change and pending legal challenges. It may therefore be worth considering privacy-friendly CAPTCHA alternatives.