
Why reCAPTCHA Fails GDPR — And What To Do Instead


SilentAuth Team · Feb 14, 2026 · 2 min read

When you embed reCAPTCHA v3 on your site, the widget loads Google's script from www.google.com and sends Google signals about the visitor's browser and behaviour: mouse movements, keystroke timing, installed plugins, screen resolution, and whatever cookies the browser already holds for google.com, which is what links the visit to an existing Google profile. Google processes that data under its own terms and for its own purposes, and your site is the party that arranged the transfer.

The GDPR Problem

Under GDPR Article 6 you need a lawful basis for processing personal data, and the behavioural and device signals above are personal data. Legitimate interest is a hard fit here: the processing is invisible to the user, the data goes to a third party that reuses it for its own purposes, and you cannot run an honest balancing test against the user's interests when you do not know what Google does with the data. On top of Article 6, reading or writing anything on the user's device (cookies, local storage, fingerprinting scripts) for a purpose that is not strictly necessary for the service the user asked for requires consent under Article 5(3) of the ePrivacy Directive. That consent rule, rather than Article 6, is what regulators have actually relied on against reCAPTCHA.

The Austrian DSB (January 2022) and the French CNIL (February 2022) both found that Google Analytics transferred personal data to the US without adequate safeguards. Those decisions concern Google Analytics and international transfers, not reCAPTCHA, so they do not carry over automatically. What does apply directly is the CNIL's 2023 Cityscoot decision, which found that loading Google reCAPTCHA without the user's prior consent breached the French transposition of the ePrivacy consent rule, because the widget reads and writes data on the user's device for purposes that are not strictly necessary for the requested service.

What Actually Leaves Your Page

Google does not document the fields it collects, and the reCAPTCHA client obfuscates its payload before posting it to www.google.com/recaptcha/api2, so a plain network capture shows an opaque blob rather than readable fields. Reverse-engineering of the client script has documented the following signals:

  • The client's TLS handshake (a JA3-style fingerprint), which Google's servers can observe on every request without the script sending anything
  • Canvas and WebGL fingerprint hashes
  • The installed browser plugins list (navigator.plugins)
  • Screen resolution and color depth
  • Mouse movement patterns recorded while the widget is on the page
  • Keyboard timing data
  • Google's own google.com cookies (for example NID), attached automatically by the browser because the widget runs in an iframe served from www.google.com; your site's first-party `_ga` and `_gid` cookies are scoped to your domain and are not sent

Google's reCAPTCHA terms describe this collection only as "hardware and software information, such as device and application data". Under Article 13 the transparency duty sits with you as controller, not with Google: your own privacy notice has to state what is collected, that Google receives it, and on what lawful basis, and a one-line "this site uses reCAPTCHA" does not meet that.

SilentAuth's Approach

SilentAuth's risk engine performs all behavioral analysis server-side and never shares raw fingerprint data with third parties. The only data that leaves your infrastructure is:

  • A cryptographic challenge token (ephemeral, no PII)
  • An RSA-signed receipt proving the challenge was completed (contains no behavioral data)

The behavioral signals used for risk scoring are processed in memory, never stored persistently, and never sent to an advertising network. That removes the third-party disclosure and transfer problems described above, but it does not remove GDPR: first-party processing of behavioural signals is still processing of personal data and needs its own lawful basis. Fraud prevention and network security are recognised legitimate interests (GDPR Recitals 47 and 49), and that case is far easier to make for in-memory, first-party scoring than for exporting the raw signals to Google.

What To Do Instead

If you're currently using reCAPTCHA and need to bring the site into line with GDPR:

  • Ask for explicit, separate consent for Google's fingerprinting before the reCAPTCHA script is loaded. Expect a lower completion rate: users who decline cannot be challenged at all, so you need a fallback for them.
  • Switch to a privacy-preserving CAPTCHA solution like SilentAuth or hCaptcha.
  • If you must keep Google reCAPTCHA, load it only after opt-in. Keep the script tag out of the initial HTML entirely rather than hiding the badge, because the data is collected and sent as soon as api.js runs.
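One way to implement that gating, as an added example (not SilentAuth's or Google's code): the reCAPTCHA script tag is injected only once a consent cookie records an explicit opt-in, and nothing is requested from google.com before that. The cookie name `cookie_consent`, its JSON value, the `consent-changed` event and the site key placeholder are assumptions; adapt them to whatever your consent-management platform actually sets.

```javascript
// Consent-gated reCAPTCHA loader. Added example; not SilentAuth's or Google's code.
// Assumption: the consent platform stores the user's choice in a cookie named
// "cookie_consent" whose value is a JSON object such as {"recaptcha":true}.
const CONSENT_COOKIE = "cookie_consent";
const RECAPTCHA_SCRIPT = "https://www.google.com/recaptcha/api.js";

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(value);
    } catch {
      out[name] = value; // malformed percent-encoding: keep the raw value
    }
  }
  return out;
}

// True only when the user has affirmatively opted in to reCAPTCHA.
// A missing cookie, malformed JSON, or any value other than boolean true
// counts as "no consent": GDPR consent must be explicit, never assumed.
function hasRecaptchaConsent(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (raw === undefined) return false;
  try {
    const consent = JSON.parse(raw);
    return consent !== null && typeof consent === "object" && consent.recaptcha === true;
  } catch {
    return false;
  }
}

// Script URL for explicit v3 rendering; only the site key goes in the query string.
function recaptchaScriptUrl(siteKey) {
  return `${RECAPTCHA_SCRIPT}?render=${encodeURIComponent(siteKey)}`;
}

// Inject the <script> tag only after consent. `doc` is the DOM document,
// passed in so the function can be exercised outside a browser.
// Returns true when the script was injected, false when it was withheld
// (no consent) or is already present (the function is idempotent).
function loadRecaptchaIfConsented(doc, cookieString, siteKey) {
  if (!hasRecaptchaConsent(cookieString)) return false;
  const url = recaptchaScriptUrl(siteKey);
  if (doc.querySelector(`script[src="${url}"]`)) return false;
  const script = doc.createElement("script");
  script.src = url;
  script.async = true;
  doc.head.appendChild(script);
  return true;
}

// Browser usage: check on page load, and again when the consent platform
// announces a change. "consent-changed" is a hypothetical event name; the
// site key is a placeholder.
if (typeof document !== "undefined") {
  const SITE_KEY = "YOUR_RECAPTCHA_SITE_KEY";
  loadRecaptchaIfConsented(document, document.cookie, SITE_KEY);
  document.addEventListener("consent-changed", () =>
    loadRecaptchaIfConsented(document, document.cookie, SITE_KEY));
}
```

The important property is that the reCAPTCHA script tag never appears in the served HTML at all; the widget starts collecting and transmitting the moment api.js executes, so hiding the badge with CSS or delaying the render call is not gating. Users who decline need a non-Google fallback (a server-side rate limit, a first-party challenge, or a vendor that does not export the signals).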

The right long-term solution is to move to an architecture that doesn't require exporting user behavioral data to third parties at all.
