Google reCAPTCHA and the GDPR: a possible conflict?

Rogier Lankhorst

While developing Complianz Privacy Suite, some interesting questions arise. One that I ran into today is: can Google Recaptcha and the GDPR be reconciled on your website?

With over 5 million installs, Contact Form 7 is the number one contact form plugin for WordPress. I use it on a lot of sites myself: it’s simple, free, and works like a charm. If you have been using Contact Form 7 (or any contact form on your site) over the past years, you will have noticed that you need to do something about spam. Without spam protection in place, you get flooded with annoying spam emails. For years, the most common solution was to add an ugly captcha to the form: an image with hard-to-read letters and numbers that the user had to type into an input field. Spambots have a hard time reading these images: problem solved!

But this solution is not very user-friendly: it’s ugly, and it annoys users so much that you may lose conversions. Google Recaptcha to the rescue! It is integrated in Contact Form 7, easy to set up, and you (usually) only have to check a checkbox (“I’m not a robot”). In the latest version (Google Recaptcha v3) you don’t even have to do that: it runs as a background process and scores the visitor without any interaction.

Google Recaptcha and personal data

But we all know: there’s no such thing as a free lunch right? So what is the price we pay for this great feature? Right: it’s personal data.

The mix of a fingerprint and first-party cookies is pervasive as Google can give a very high level of entropy when it comes to distinguishing an individual person.

Ron Perona on businessinsider.com

Part of the data which, according to these sources, Google collects with Recaptcha is:

  • A complete snapshot of the user’s browser window at that moment in time, captured pixel by pixel (!)
  • Browser plugins
  • All cookies placed by Google over the last 6 months
  • The number of mouse clicks/touches you’ve made on that screen
  • CSS information for that page
  • Javascript objects
  • The date
  • The browser language

(see also: businessinsider.com, gen.net.uk)

We cannot confirm this information ourselves, but look at what Google says on the matter when you create a new reCaptcha key set:

You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and app data, and sending it to Google for analysis.

And, says Google:

You agree that if you use the APIs, it is your responsibility to display the necessary notifications and to obtain permission to collect and share this data with Google

You definitely need an opt-in if you want to be GDPR compliant.

How to prevent the placement of cookies

If you just use the Recaptcha integration built into Contact Form 7, it is hard to load these scripts conditionally. Complianz Privacy Suite solves this (in both the free and the premium version) by maintaining a list of third-party scripts that place tracking cookies, and blocking all of them until the user accepts. Google Recaptcha is of course on this list, just like Facebook, YouTube, Vimeo, Instagram, and many more.

And this is where we can all see dark clouds forming: if Recaptcha is opt-in (as the GDPR requires), then all a spammer needs to do to bypass Recaptcha is to not accept cookies, right?

Now what?

There are of course implementations that get around this: if the form cannot be submitted until cookies are accepted and Recaptcha is active, refusing cookies no longer bypasses anything. With the Recaptcha V3 integration in Contact Form 7 this is the case: submitting the form without accepting cookies (and thus without the Recaptcha script) is not possible.

If accepting the cookies initializes Recaptcha, this is a viable solution. Since activating the script requires the Contact Form 7 script to wait until the Recaptcha script has fully loaded, this causes race conditions in the current version. In the beta version this has been fixed: https://github.com/rlankhorst/complianz-gdpr. It will be released with the next update.

*Edit* This update has now been released, making Recaptcha V3 in Contact Form 7 GDPR compliant if you use it in combination with the Complianz plugin.

Until this version is released, you cannot use Google Recaptcha and be GDPR compliant at the same time, which means that you will have to rely on other spam protection methods. Luckily, there is an add-on for Contact Form 7 that adds a honeypot to your forms. A honeypot is a hidden field that spambots fill out but humans don’t, because they never see the hidden field. The server then rejects any submission in which that field is not empty.

This solution does not require Recaptcha and is GDPR compliant. Alternatively, you can download the beta plugin from Github, or wait for the next release.
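As an added example (not the Contact Form 7 honeypot add-on’s code, nor Complianz’s), here is what the honeypot pattern looks like on both sides in JavaScript: the markup that hides the trap field from humans, and a server-side check on the parsed POST body that decides whether a submission is spam. The field name website_url, the CSS used to hide it, and the sample submissions are all assumptions constructed for the illustration.

```javascript
// Honeypot spam filter for a contact form (added illustration, not code from
// Contact Form 7, its honeypot add-on, or Complianz). The field name is an assumption.
const HONEYPOT_FIELD = 'website_url'; // innocuous name that bots are eager to fill

// Markup for the trap field. It is hidden with CSS rather than type="hidden":
// bots that skip type="hidden" inputs still fill every text input they find.
// tabindex="-1" and aria-hidden keep the field out of keyboard and screen-reader
// flow so humans never reach it; autocomplete="off" discourages browser autofill,
// which would otherwise turn a real visitor into a false positive.
function honeypotMarkup(name = HONEYPOT_FIELD) {
  return (
    `<div style="position:absolute;left:-10000px;width:1px;height:1px;overflow:hidden" aria-hidden="true">` +
    `<label for="${name}">Leave this field empty</label>` +
    `<input type="text" id="${name}" name="${name}" tabindex="-1" autocomplete="off" value="">` +
    `</div>`
  );
}

// Server-side check on the parsed POST body (an object as produced by a
// urlencoded body parser: values are strings, or arrays for repeated keys).
// Returns { spam, reason } so the caller can log the reason and drop the mail.
function checkHoneypot(body, name = HONEYPOT_FIELD) {
  if (!Object.prototype.hasOwnProperty.call(body, name)) {
    // A real browser always posts the (empty) trap field; a hand-built request
    // that omits it was not produced by rendering the form.
    return { spam: true, reason: 'honeypot-missing' };
  }
  const value = body[name];
  if (typeof value !== 'string') {
    // Repeated keys arrive as arrays; anything but a single string is tampering.
    return { spam: true, reason: 'honeypot-malformed' };
  }
  if (value.trim() !== '') {
    return { spam: true, reason: 'honeypot-filled' };
  }
  return { spam: false, reason: 'ok' };
}

// Constructed sample submissions (not real traffic).
const SAMPLE_SUBMISSIONS = {
  human: { name: 'Alice', email: 'alice@example.com', message: 'Hello', website_url: '' },
  bot: { name: 'Bob', email: 'bob@example.com', message: 'Buy now', website_url: 'http://spam.example' },
  scripted: { name: 'Eve', email: 'eve@example.com', message: 'no trap field posted' },
};

// Classify every sample and return the reason per label.
function classify(submissions = SAMPLE_SUBMISSIONS) {
  const out = {};
  for (const [label, body] of Object.entries(submissions)) {
    out[label] = checkHoneypot(body).reason;
  }
  return out;
}

console.log(classify()); // { human: 'ok', bot: 'honeypot-filled', scripted: 'honeypot-missing' }
```

Run the check before the mail is sent (in Contact Form 7 terms, during validation) and answer a flagged submission with the same generic response a valid one gets, so the bot learns nothing from the reply. Note that the trap field never leaves your server, which is why this method needs no consent.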

Update

As of version 2.1.1, Complianz is compatible with Contact Form 7 with Recaptcha V3. In this implementation Recaptcha is blocked until the user consents, and until then the user cannot submit the contact form; after consent is given, Recaptcha is enabled and the form can be submitted in a spam-proof way.

This leaves us with two methods to use Contact Form 7 (and e.g. Gravity Forms):

  • With Recaptcha V3: the user can submit a form once consent has been given for cookies.
  • With a honeypot: the user can submit a form even before consent has been given.
  • In the first case, use the hyperlink <a class="cmplz-accept-cookies" href="#">Accept cookies before sending the form</a> as a link or button before the conditionally loaded Recaptcha and/or the submit button, so cookies have to be accepted before the form can be submitted. Or place it below the form, so users know why sending the form without accepting cookies doesn’t work.
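The consent-gated flow described above and in the “Now what?” section, including the race between consent and the Recaptcha script finishing loading, as an added JavaScript example. This is not Complianz or Contact Form 7 code: the class, the injected loadRecaptcha and send callbacks, the site key and the simulated loader in demo() are assumptions made so the logic runs in Node without a browser. In a real page, loadRecaptcha would insert the https://www.google.com/recaptcha/api.js?render=SITE_KEY script tag and resolve with window.grecaptcha.

```javascript
// Consent-gated reCAPTCHA v3 submit guard (added illustration, not Complianz or
// Contact Form 7 code). Three states: no consent (block the submit and tell the
// user why), consent given but api.js still loading (queue the submit instead of
// sending a token-less form: this is the race condition), script ready (get a
// token, then send). Dependencies are injected so the logic runs without a DOM.
class ConsentGatedForm {
  // siteKey: the reCAPTCHA site key (assumed value in demo()).
  // deps.loadRecaptcha(): Promise resolving to a grecaptcha-like object whose
  //   execute(siteKey, { action }) returns a Promise<string> token.
  // deps.send(fields): delivers the form fields to the server.
  constructor(siteKey, deps) {
    this.siteKey = siteKey;
    this.deps = deps;
    this.consent = false;
    this.recaptcha = null;  // set once api.js has loaded
    this.loading = null;    // in-flight load, so the script is requested only once
    this.pending = [];      // submits that arrived while the script was loading
  }

  // Wire this to the cookie banner's "accept" action.
  async grantConsent() {
    this.consent = true;
    if (!this.loading) {
      this.loading = this.deps.loadRecaptcha().then((g) => { this.recaptcha = g; });
    }
    await this.loading;
    // Flush submits queued between consent and script readiness.
    for (const { fields, resolve } of this.pending.splice(0)) {
      resolve(await this.submit(fields));
    }
  }

  // Wire this to the form's submit handler (after event.preventDefault()).
  // Resolves to a result object so the caller can render the right message.
  submit(fields) {
    if (!this.consent) {
      return Promise.resolve({ status: 'blocked', reason: 'consent-required' });
    }
    if (!this.recaptcha) {
      return new Promise((resolve) => this.pending.push({ fields, resolve }));
    }
    return this.recaptcha.execute(this.siteKey, { action: 'contact' }).then((token) => {
      // The server must still verify this token with Google before accepting the form.
      this.deps.send({ ...fields, 'g-recaptcha-response': token });
      return { status: 'sent', token };
    });
  }
}

// Stand-alone run with a simulated loader: no network, no DOM. Returns the
// observed results so they can be inspected.
async function demo() {
  const sent = [];
  const fakeGrecaptcha = { execute: async (key, opts) => `token:${key}:${opts.action}` };
  const form = new ConsentGatedForm('SITEKEY', {
    loadRecaptcha: () => new Promise((resolve) => setTimeout(() => resolve(fakeGrecaptcha), 20)),
    send: (fields) => sent.push(fields),
  });
  const fields = { email: 'alice@example.com', message: 'hello' }; // constructed input
  const beforeConsent = await form.submit(fields);   // blocked: no consent yet
  const consentDone = form.grantConsent();            // starts loading api.js
  const duringLoad = form.submit(fields);             // queued until the script is ready
  await consentDone;
  const afterLoad = await form.submit(fields);        // token obtained, sent immediately
  return { beforeConsent, duringLoad: await duringLoad, afterLoad, sent };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The queue in submit() is the part that removes the race: a click that lands after the banner was accepted but before api.js is ready is held and released with a token, rather than being sent without one (which the server would reject) or being lost. The 'blocked' result is where the “Accept cookies before sending the form” link belongs.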

Example ReCaptcha Form

13 Responses

  1. Where can I find anything on your page regarding integration with Contact Form 7? I have activated Contact Form 7 integration but my contact form doesn’t show any GDPR consent checkbox. I have spent hours trying to find anything on the net. Please add a “How to” on your website. This feature is really totally disregarded by you guys. Thanks!

  2. Do you have any source for this claim:

    “A complete snapshot of the user’s browser window at that moment in time will be captured, pixel by pixel ”

    It would seem that this would be a huge privacy violation, given it includes the URL, content of the site and perhaps half of a login, meaning e.g. the email address that one uses to log in or if one enables “show password” (as many sites allow to) even the password.

    Thanks!

    1. Hi Alex, there are several websites online that mention this, one of which is https://www.termsfeed.com/blog/privacy-policy-recaptcha/.
      One thing is certain: Google refers to the general privacy policy for this, which mainly tells us that Google can do what it wants with it, resulting in a requirement to ask consent. Using free Google services is always a privacy issue: user data is their business model.

      1. I don’t think it’s correct and it would be a wild overstepping on their behalf. Something must have gotten lost in translation. What they do is capture a complete fingerprint of your browser, but they don’t screenshot the page. Given that Recaptcha is often used at sign up and login pages, this would result in Google having many usernames, email addresses, real names and passwords, which cannot be the case. I found no technical information about this and neither does it seem that the amount of data a screenshot requires is being transmitted back to Google when they are active on a page. Especially on mobile this would have a huge performance impact. So I don’t think this is true. And European data protection agencies would be up in arms if this were the case. Some blogs stating as much doesn’t mean anything, imho.

        1. I agree we can’t be sure about this, although this article refers to Google’s own privacy policy as source: https://www.gen.net.uk/blog/how-to-annoy-your-visitors-with-google-recaptcha. When you accept the reCaptcha terms of service, you have to confirm that “You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and app data”.

          This information is enough to be sure that you need consent for such a service (which they also state themselves: “it is your responsibility to get the required consent”), which is what matters in this case. I think we won’t get any info from Google on this, which is suspicious in itself.

  3. Ok, so you don’t have more than I found and that is that they take a fingerprint of your browser window / session, NOT a snapshot pixel by pixel. It might be you are not familiar with the terms, but that’s a huge difference. Similar to actual text and a hash of that text. They do not capture any content.

    Yes their TOS might allow them to, but that doesn’t mean that they do.

    AdTruth reverse engineered ReCaptcha and they write what they found. If they had found a screenshot taking place, I am quite sure they would have written that, but they don’t.

    The pixel by pixel fingerprint by BI is also not very accurate language. A fingerprint is the opposite of a detailed one by one copy.

    If what you write were true, believe me, the European Union would forbid ReCaptcha in a heartbeat and they would be sued into oblivion.

    They would, literally, screenshot all username passwords, you cannot believe this to be true.

    1. Either way, the conclusion is that you have to ask consent from your website visitors, which is the point of this article. It’s good to know it’s not illegal 🙂
