03.03.2026

reCAPTCHA or Risk? Free Protection, Real Accountability.

Google reCAPTCHA is one of the most commonly used tools for protecting online forms against spam and bots. It’s quick to deploy, technically efficient — and very often implemented by default, without much legal reflection.

For a long time, however, the free version of reCAPTCHA raised serious GDPR concerns: no data processing agreement, an unclear scope of data collection, and extensive behavioural analysis taking place in the background.

As of 2 April, the legal model is changing.

Does that mean the compliance issue disappears?
Not quite.


1. The previous model: a service paid for with data

Under the free model, website owners did not pay with money.
They paid with user data.

reCAPTCHA processes, among other things:

  • IP addresses,

  • browser and device identifiers,

  • behavioural interaction data,

  • cookies and related tracking information.

Until recently, the free version was not covered by the Google Cloud Data Processing Addendum (DPA). Google acted as an independent controller rather than a processor within the meaning of Article 28 GDPR.

In practice, this meant:

  • no formal data processing agreement,

  • data potentially processed for Google’s own purposes,

  • limited ability for the website owner to meaningfully control the scope of processing.

It was, in effect, a “free” service operating within a data-driven model.


2. From 2 April: Google as a processor

Google has announced that, from 2 April, the free version of reCAPTCHA will be covered by the Cloud Data Processing Addendum.

This is a significant development.

Under the updated framework, Google is expected to act as a processor on behalf of its customers. At a general level, the DPA contains the elements required under Article 28 GDPR.

From a formal perspective, this is clearly a step in the right direction:

  • the controller–processor relationship is contractually structured,

  • a data processing agreement is in place,

  • the legal framework becomes more predictable.

For European customers, the contracting entity will be Google Cloud EMEA Limited (Ireland), meaning the processor is an EU-based Google entity.

But a DPA alone does not automatically guarantee full compliance.


3. Transparency and data minimisation: still critical questions

The DPA defines the scope of data very broadly as:

“Data relating to individuals provided to Google via the Services, by (or at the direction of) Customer or by its End Users.”

It does not specify concrete categories of personal data.

Based on publicly available information, the processing appears to involve primarily technical and behavioural signals used to distinguish humans from bots, largely processed on a temporary basis.

However:

  • the categories of data are not exhaustively described,

  • the retention period may extend up to 180 days,

  • and each controller must verify how reCAPTCHA is actually implemented in their specific setup.

The core issue is not necessarily that the data is excessive.
The issue is whether the controller can demonstrate that it is proportionate and limited to what is strictly necessary.

Under the GDPR, accountability requires more than trust. It requires evidence.


4. Legal basis: legitimate interest or consent?

Preventing spam and abuse can, in principle, qualify as a legitimate interest under Article 6(1)(f) GDPR.

Following the introduction of the DPA, relying on legitimate interest may be more defensible than before. That said, controllers still need to:

  • carry out and document a proper balancing test,

  • assess proportionality,

  • verify the actual scope of data processed in practice.

There is also the ePrivacy dimension.

If reCAPTCHA relies on non-essential cookies or similar technologies, prior consent may be required under applicable ePrivacy and national cookie rules — unless the tool can genuinely be considered strictly necessary for a service explicitly requested by the user.

And here the tension becomes practical.

A user wants to submit a form.
They do not explicitly request that their behavioural data be analysed by a third party.

If consent is treated as the safest legal basis and reCAPTCHA is only loaded after opt-in:

  • no consent means no protection,

  • the form remains vulnerable,

  • and a bot is unlikely to click “Accept”.

This illustrates that the choice of legal basis is not merely a theoretical compliance debate. It directly affects how your website operates.
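The operational consequence described above (consent withheld means the script never loads, so no token ever arrives) is easiest to see in the server-side handler. The following Node.js code is an added example, not code from the original post or from Google. It assumes hypothetical form field names: `consent_recaptcha` (set by the site's own consent banner), `g-recaptcha-response` (where the reCAPTCHA script places its token) and `website` (a constructed honeypot field that human visitors never see). The `siteverify` URL and the response fields (`success`, `score`, `action`, `hostname`, `error-codes`) are Google's documented interface; the offline `fakeFetch` that stands in for it is constructed for the example.

```javascript
// Added example (not from the original post or from Google): server-side
// policy for a form whose reCAPTCHA script is loaded only after opt-in.
// Hypothetical field names: consent_recaptcha, g-recaptcha-response, website.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Posts the token to Google's siteverify endpoint. fetchImpl is injectable so
// the decision logic can be exercised offline with a constructed fake.
async function verifyWithGoogle(secret, token, fetchImpl = globalThis.fetch) {
  const body = new URLSearchParams({ secret, response: token });
  const res = await fetchImpl(SITEVERIFY_URL, { method: 'POST', body });
  return res.json();
}

// Interprets a siteverify JSON body for a score-based (v3) check.
function interpretVerification(result, { expectedAction, expectedHostname, minScore = 0.5 } = {}) {
  if (!result || result.success !== true) {
    return { ok: false, reason: 'verification-failed', errors: (result && result['error-codes']) || [] };
  }
  if (expectedAction && result.action !== expectedAction) return { ok: false, reason: 'action-mismatch' };
  if (expectedHostname && result.hostname !== expectedHostname) return { ok: false, reason: 'hostname-mismatch' };
  if (typeof result.score === 'number' && result.score < minScore) return { ok: false, reason: 'low-score', score: result.score };
  return { ok: true, score: result.score };
}

// Maps the three possible states of a submission to an explicit outcome, so
// "no consent" is never silently treated as "verified".
function decideSubmission(form, verification) {
  const consent = form.consent_recaptcha === 'granted';
  const token = form['g-recaptcha-response'];

  if (!consent) {
    // reCAPTCHA never ran and nothing was sent to Google. Assumed fallback for
    // this example: a honeypot check, then manual moderation of what remains.
    if (form.website) return { action: 'reject', reason: 'honeypot-filled' };
    return { action: 'moderate', reason: 'no-consent-no-captcha' };
  }
  if (!token) {
    // Consent was given but no token arrived: the script was blocked or stripped.
    return { action: 'reject', reason: 'missing-token' };
  }
  if (!verification.ok) return { action: 'reject', reason: verification.reason };
  return { action: 'accept', score: verification.score };
}

// End-to-end handler: calls Google only when a token exists, then applies the policy.
async function handleSubmission(form, { secret, hostname, fetchImpl } = {}) {
  let verification = { ok: false, reason: 'not-verified' };
  if (form.consent_recaptcha === 'granted' && form['g-recaptcha-response']) {
    const result = await verifyWithGoogle(secret, form['g-recaptcha-response'], fetchImpl);
    verification = interpretVerification(result, { expectedAction: 'contact_form', expectedHostname: hostname });
  }
  return decideSubmission(form, verification);
}

// Constructed stand-in for the siteverify endpoint so the example runs offline:
// only the token "good-token" verifies successfully.
async function fakeFetch(url, { body }) {
  const token = body.get('response');
  return {
    json: async () => (token === 'good-token'
      ? { success: true, score: 0.9, action: 'contact_form', hostname: 'example.test' }
      : { success: false, 'error-codes': ['invalid-input-response'] }),
  };
}

// Stand-alone demo against the fake endpoint.
handleSubmission(
  { consent_recaptcha: 'granted', 'g-recaptcha-response': 'good-token' },
  { secret: 'SECRET_PLACEHOLDER', hostname: 'example.test', fetchImpl: fakeFetch },
).then((outcome) => console.log(outcome));
```

On the client, the gating is the mirror image: the `api.js?render=SITE_KEY` script is injected only after the banner records consent, and `grecaptcha.execute(siteKey, { action: 'contact_form' })` is called on submit to obtain the token. The point of the three-way split in `decideSubmission` is that a declined banner produces a deliberate, documented path (honeypot plus moderation here, chosen as an assumption) rather than an unprotected form that accepts everything, which is exactly the gap the post describes.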


5. New DPA. Familiar compliance questions.

As of 2 April, the formal legal position of the free version is clearly stronger than before.

From a contractual standpoint, this is an important improvement. The controller–processor relationship is now structured, and the framework aligns more closely with Article 28 GDPR standards.

But compliance is not achieved by contract alone.

Controllers must still:

  • determine the actual scope of personal data processed in their specific implementation,

  • properly define and document the chosen legal basis,

  • ensure consistency between privacy notices and real data flows,

  • update records of processing activities,

  • assess any international data transfers and applicable safeguards.
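The first item on that list, determining what is actually loaded in a specific implementation, starts with an inventory of where the reCAPTCHA script is pulled in and whether it executes before consent. The following Node.js code is an added example, not from the original post. It relies on the common consent-manager convention that a `<script>` with a non-JavaScript `type` (such as `text/plain`) is never executed by the browser until the manager rewrites it after opt-in; the hostnames matched are Google's documented reCAPTCHA script hosts, and the sample HTML is constructed.

```javascript
// Added example (not from the original post): inventories reCAPTCHA <script>
// loads in a page's HTML and reports which ones execute unconditionally.
// Assumed gating convention: a non-JavaScript "type" attribute (e.g. text/plain)
// keeps the script inert until the consent manager switches it after opt-in.

const RECAPTCHA_HOSTS = /(?:^|\/\/)(?:www\.)?(?:google\.com\/recaptcha|recaptcha\.net|gstatic\.com\/recaptcha)/i;

// Types the browser executes; anything else is treated as consent-gated.
const EXECUTABLE_TYPES = new Set(['', 'text/javascript', 'application/javascript', 'module']);

// Pulls every <script> opening tag and its attributes. A regex is enough for an
// inventory pass over served HTML; it is not a full HTML parser.
function findRecaptchaScripts(html) {
  const scriptTag = /<script\b([^>]*)>/gi;
  const attr = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const found = [];
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const attrs = {};
    let a;
    attr.lastIndex = 0;
    while ((a = attr.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    const src = attrs.src || '';
    if (!RECAPTCHA_HOSTS.test(src)) continue;
    const type = (attrs.type || '').trim().toLowerCase();
    found.push({
      src,
      type: type || '(default)',
      executesBeforeConsent: EXECUTABLE_TYPES.has(type),
    });
  }
  return found;
}

// Summarises the inventory into the two lists a reviewer needs.
function auditRecaptcha(html) {
  const scripts = findRecaptchaScripts(html);
  return {
    scripts,
    loadedUnconditionally: scripts.filter((s) => s.executesBeforeConsent).map((s) => s.src),
    consentGated: scripts.filter((s) => !s.executesBeforeConsent).map((s) => s.src),
  };
}

// Constructed sample: one consent-gated load, one unconditional load, one unrelated script.
const SAMPLE_HTML = `
<html><head>
<script type="text/plain" data-cookiecategory="functional"
        src="https://www.google.com/recaptcha/api.js?render=SITE_KEY_PLACEHOLDER"></script>
<script src="https://www.recaptcha.net/recaptcha/api.js" async defer></script>
<script src="https://example.test/app.js"></script>
</head><body></body></html>`;

console.log(JSON.stringify(auditRecaptcha(SAMPLE_HTML), null, 2));
```

A static scan only sees what is in the served HTML; a script that the site's own JavaScript injects at runtime, or one added by a tag manager, will not appear here. Complement the inventory with a browser network capture taken before and after clicking "Accept", and compare both against the privacy notice's list of third parties.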

Google is undoubtedly moving closer to European data protection expectations.

However, the responsibility for demonstrating GDPR compliance remains with the controller.


What about your website?

Your privacy policy is not just a formality.

It is visible not only to users — but also to competitors, dissatisfied customers, business partners, and, if necessary, supervisory authorities.

A privacy notice should reflect what truly happens behind the scenes.

Are you confident that:

  • all tools used on your website are properly disclosed?

  • the roles of third parties are accurately defined?

  • your legal basis has been genuinely assessed rather than assumed?

  • your documentation would withstand regulatory scrutiny?

We help our clients ensure that what they declare publicly accurately reflects the data processing taking place internally.

If you would like to understand whether your reCAPTCHA setup is simply a security feature — or a potential compliance exposure — let’s talk.
