reCAPTCHA from Google is the most popular spam prevention tool available, and with good reason: it works, it is widely adopted, and it is therefore easy to implement in most setups. Most contact form plugins for WordPress ship with their own reCAPTCHA integration, and where they do not, third parties have built reCAPTCHA plugins to adapt it to those forms. So far, so good for spam prevention and open-source collaboration.
There is, however, a significant issue that many overlook: the impact on your users' privacy. Spam prevention might suggest that reCAPTCHA is functionally necessary and therefore does not need consent, but the principles and guidelines laid out by the GDPR and other privacy laws say otherwise, because reCAPTCHA does not adhere to the data minimization principle in the slightest, as explained in more detail in this article.
The solution Complianz offers is to block reCAPTCHA before consent and only initialize it once consent has been given and it is actually needed. This can cause several issues. Because reCAPTCHA is so widely adopted and is implemented directly inside other plugins, blocking it creates dependency problems: some functionality assumes reCAPTCHA is loaded at all times. When it is not, that functionality can break, and plugin-specific integrations (for Contact Form 7, for example) are needed to keep things working. And that is just one contact form plugin, before we even consider caching and optimization plugins that defer, combine or minify JavaScript.
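The dependency problem described above (plugin code that assumes the reCAPTCHA global exists at all times) can be handled by gating the provider script on consent and giving that code a stub in the meantime. The following is an added illustration, not Complianz's or Friendly Captcha's code; `createConsentGate`, `loadScript` and the token format are assumptions, and the stub mirrors only the real `grecaptcha.ready` and `grecaptcha.execute` calls.

```javascript
// Consent gate for a third-party captcha script (added example; the names
// here are assumptions, not Complianz or Friendly Captcha code).
// Before consent nothing is requested from the provider, and plugin code
// that expects the global API at all times talks to a stub that queues work
// instead of throwing. After consent the real script is loaded exactly once,
// its API is swapped in, and the queued work is flushed.

function createConsentGate(loadScript) {
  const queue = [];      // work waiting for the provider's real API
  let realApi = null;    // set once the provider script has loaded
  let requested = false; // guards against loading the script twice

  // Stub exposing the calls a form plugin typically makes on `grecaptcha`.
  const stub = {
    ready(cb) {
      if (realApi) cb(); else queue.push(cb);
    },
    execute(siteKey, opts) {
      // No token can be produced before consent; resolve when the API arrives.
      return new Promise((resolve) => {
        const run = () => resolve(realApi.execute(siteKey, opts));
        if (realApi) run(); else queue.push(run);
      });
    },
  };

  // Called by the consent banner. `loadScript(onLoad)` is expected to inject
  // the provider's <script> tag and call onLoad(api) from its load handler;
  // that is the only place a request to the provider is ever made.
  function grantConsent() {
    if (requested) return;   // repeated consent events must not reload the script
    requested = true;
    loadScript((api) => {
      realApi = api;
      while (queue.length) queue.shift()();
    });
  }

  return {
    api: stub,               // expose this as window.grecaptcha before consent
    grantConsent,
    pending: () => queue.length,
    isLoaded: () => realApi !== null,
  };
}
```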
Leaving reCAPTCHA behind: a simpler solution
To leave all of this behind and conform with the GDPR at the same time, privacy by design is always the best option.
A solid option for having a captcha without blocking functionality or checking dependencies is Friendly Captcha for WordPress.
For now, it has integrations with:
- WordPress native forms (registration, login, etc.)
- Contact Form 7
- WP Forms
If your contact form plugin is missing, you can create an integration request here: https://github.com/FriendlyCaptcha/friendly-captcha-wordpress
Once it is installed, you can disable reCAPTCHA as an integration in the Complianz wizard and keep moving toward a more privacy-friendly setup. If you're willing, self-hosting your Google Fonts will remove other requests to Google as well. And while you're at it, do the same for analytics!