While developing Complianz Privacy Suite, some interesting questions arise. One of them I encountered today is: are Google ReCAPTCHA and the GDPR reconcilable on your website?
WP Forms is with over 5 million installs the number one contact form plugin on WordPress. I too use it on a lot of sites. It’s simple, free, and works like a charm. If you have been using WP Forms (or any contact form on your site) over the past years, you may have noted that you need to do something about spam.
If you don’t have spam protection in place, you’ll get flooded with annoying spam emails. For years, the most used solution was to add an ugly captcha to the form, with some hard-to-read letters, numbers etc on an image. The user had to type these in an input field. The spambots have a hard time reading these images: problem solved!
But this solution is not very user-friendly: it’s ugly and annoys users so much you might lose conversions. Google ReCAPTCHA to the rescue! It’s integrated in WP Forms, easy to set up, and you (usually) only have to check a checkbox (I’m not a robot). In the latest version (Google Recaptcha v3) you don’t even have to do that: it’s a background process.
Google ReCAPTCHA and personal data
But we all know: there’s no such thing as a free lunch right? So what is the price we pay for this great feature? Right: it’s personal data.
The mix of a fingerprint and first-party cookies is pervasive as Google can give a very high level of entropy when it comes to distinguishing an individual person.
Part of the data which Google collects with ReCAPTCHA is:
- A complete snapshot of the user’s browser window at that moment in time will be captured, pixel by pixel (!)
- Browser plugins
- All cookies placed by Google over the last 6 months,
- Number of mouse clicks/touches you’ve made on that screen
- CSS information for that page,
- The date,
- The browser language
(see also: businessinsider.com, gen.net.uk)
This information can’t be confirmed by us, but if you look at what Google says on this matter when you create a new ReCAPTCHA key set:
You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and app data, and sending it to Google for analysis.
And, says Google:
You agree that if you use the APIs, it is your responsibility to display the necessary notifications and to obtain permission to collect and share this data with Google
You definitely need an opt-in if you want to be GDPR compliant.
How to prevent the placement of cookies
If you just use the WP Forms integrated ReCAPTCHA, it’s usually hard to conditionally enable these scripts. Complianz Privacy Suite has solved this (in both free and premium) by creating a list of third-party scripts which place tracking cookies, and disabling all these scripts until the users accepts. Of course, Google ReCAPTCHA is included in this list, just like Facebook, Youtube, Vimeo, Instagram, and many more.
And this is where we can all see dark clouds forming: if ReCAPTCHA is opt-in (as the GDPR requires) then all a spammer needs to do to bypass Recaptcha, is to not accept cookies, right?
There are implementations possible which bypass this issue of course: if you prevent submitting the form before cookies are accepted, or if ReCAPTCHA is not active, this would work as a solution. This is how the ReCAPTCHA V3 integration in WP Forms works: submitting the form without accepting cookies is not possible.
If accepting the cookies would initialize the ReCAPTCHA this would be a viable solution. As activating the script requires the WP Forms script to wait until the ReCAPTCHA script has fully loaded, this is causing race conditions in the current version. In the beta version, this has been fixed: https://github.com/rlankhorst/complianz-gdpr. This will be released with the next update.
*Edit* This update is now released, making V3 ReCAPTCHA in WP Forms GDPR compliant if you use it in combination with the Complianz plugin.
As of version 2.1.1, Complianz is now compatible with WP Forms with ReCAPTCHA V3. In this implementation, ReCAPTCHA will be blocked until the user consents and the user cannot submit a contact form, then, after consent is given, ReCaptcha is enabled and the contact form can be submitted in a spam-proof way.
This leaves us two methods to use WP Forms (and e.g. Gravity Forms etc):
- With ReCAPTCHA V3, user can submit a form if consent has been given for cookies. Example Integration
- Use the hyperlink:
<a class="cmplz-accept-marketing" href="#">Accept Marketing cookies before sending the Form</a>
as a link, or button, before the conditional load of ReCAPTCHA and/or submit button, so cookies have to be accepted before submitting the form. Or use it below any form, so users know why sending the form without accepting the cookies doesn’t work properly.