While developing Complianz Privacy Suite, some interesting questions arise. One of them I encountered today is: are Google Recaptcha and the GDPR reconcilable on your website?
Contact Form 7 is with over 5 million installs the number one contact form plugin on WordPress. I too use it on a lot of sites. It’s simple, free, and works like a charm. If you have been using Contact Form 7 (or any contact form on your site) over the past years, you may have noted that you need to do something about spam. If you don’t have spam protection in place, you’ll get flooded with annoying spam emails. For years, the most used solution was to add an ugly captcha to the form, with some hard to read letters, numbers etc on an image. The user had to type these in an input field. The spambots have a hard time reading these images: problem solved!
But this solution is not very user-friendly: it’s ugly, and annoys users so much you might lose conversions. Google Recaptcha to the rescue! It’s integrated in Contact Form 7, easy to setup, and you (usually) only have to check a checkbox (I’m not a robot). In the latest version (Google Recaptcha v3) you don’t even have to do that: it’s a background process.
Google Recaptcha and personal data
But we all know: there’s no such thing as a free lunch right? So what is the price we pay for this great feature? Right: it’s personal data.
The mix of a fingerprint and first-party cookies is pervasive as Google can give a very high level of entropy when it comes to distinguishing an individual person.
Part of the data which Google collects with Recaptcha is:
- A complete snapshot of the user’s browser window at that moment in time will be captured, pixel by pixel (!)
- Browser plugins
- All cookies placed by Google over the last 6 months,
- Number of mouse clicks/touches you’ve made on that screen
- CSS information for that page,
- The date,
- The browser language
This information can’t be confirmed by us, but if you look at what Google says on this matter, when you create a new reCaptcha key set:
You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and app data, and sending it to Google for analysis.
And, says Google:
You agree that if you use the APIs, it is your responsibility to display the necessary notifications and to obtain permission to collect and share this data with Google
You definitely need an opt-in if you want to be GDPR compliant.
How to prevent the placement of cookies
If you just use the Contact Form 7 integrated Recaptcha, it’s usually hard to conditionally enable these scripts. Complianz Privacy Suite has solved this (in both free and premium) by creating a list of third-party scripts which place tracking cookies, and disabling all these scripts until the users accepts. Of course, Google Recaptcha is included in this list, just like Facebook, Youtube, Vimeo, Instagram, and many more.
And this is where we can all see dark clouds forming: if Recaptcha is opt-in (as the GDPR requires) then all a spammer needs to do to bypass Recaptcha, is to not accept cookies, right?
There are implementations possible which bypass this issue of course: if you prevent submitting the form before cookies are accepted, or if Recaptcha is not active, this would work as a solution. This is how the Recaptcha V3 integration in Contact Form 7 works: submitting the form without accepting cookies is not possible.
If accepting the cookies would initialize the Recaptcha this would be a viable solution. As activating the script requires the Contact Form 7 script to wait until the Recaptcha script has fully loaded, this is causing race conditions in the current version. In the beta version this has been fixed: https://github.com/rlankhorst/complianz-gdpr. This will be released with the next update.
*Edit* This update is now released, making V3 Recapthca in Contact form 7 GDPR compliant if you use it in combination with the Complianz plugin.
Until this version is released you cannot use Google Recaptcha and be GDPR compliant at the same time. Which means that to prevent spam, you’ll have to use other spam protection methods. Luckily, there’s an add-on for Contact Form 7 which adds a honeypot to your site. A honeypot is a hidden field, which spambots will fill out, but humans won’t (as they don’t see the hidden field).
This solution does not require Recaptcha, and is GDPR compliant. Alternatively, you can download the beta plugin from Github, or wait until the next release.
As of version 2.1.1, Complianz is now compatible with Contact Form 7 with ReCaptcha V3. In this implementation, ReCaptcha will be blocked until the user consents and the user cannot submit a contact form, then, after consent is given, ReCaptcha is enabled and the contact form can be submitted in a spam proof way.
This leaves us two methods to use Contact Form 7 (and e.g. Gravity Forms etc):
- With ReCaptcha V3, user can submit a form if consent has been given for cookies
- With honeypot. User can submit a form even before consent has been given.
- Use the hyperlink:
< a class="cmplz-accept-cookies" href="#">Accept Cookies before sending the Formas a link, or button, before the conditional load of ReCaptcha and/or submit button, so cookies have to be accepted before submitting the form. Or use it below any form, so users know why sending the form without accepting the cookies doesn’t work properly.