Prevent google recaptcha setting a cookie (GDPR)

We have integrated with Google reCAPTCHA, and it sets some cookies with user data (an example cookie is NID). On 25th of May, the GDPR will be live, and according to that law, a website cannot set any cookie without user consent. That seems to be problematic, as in the docs of Google reCAPTCHA there is no information on how to display it without a cookie being set. I don't believe that we are the only ones with that problem, so I truly believe that you can help me with our issues.

I will accept any help, links to docs, information about magic parameters which will prevent Google reCAPTCHA from setting the cookie, etc. I was digging for 2 days and I have found nothing. The only things which I have found are the new Google cookie policy rules which will be live on 25th of May, and information that if a user wants to block cookies, he should install the extension in his browser, which is not compliant with GDPR I think.

Thank you.

As far as I know, Google reCAPTCHA requires cookies, so I think you have 2 options:

  • A) forget Google and look for another, cookie-free captcha service (e.g. a PHP solution with temp files)

  • B) enable Google reCAPTCHA only if the user allows cookies. (I did it on my website this way, because my point is that the captcha protects me. And I can tell this to my users, and I can tell them that the site is only functional with those cookies.)


B) enabling Google reCAPTCHA only if user allows it

I suggest you place a cookie consent window on your website which implements the "opt-in" pattern, and add the reCAPTCHA script dynamically. You have to use a cookie to store the user's decision. Your script should do the following on page load:

  1. Check if your cookie exists with value "allow"
  2. If it does, add reCAPTCHA script
  3. Otherwise, display the cookie consent window
  4. Add a click event handler for the "Allow" button, which
    1. Adds your cookie with value "allow" and some expiration
    2. Adds reCAPTCHA script
    3. Hides cookie consent window

You can use for example the js-cookie library to manipulate cookies easily:

Cookies.set('your-cookie', 'allow', { expires: 365 }); // 365 days

if ('allow' == Cookies.get('your-cookie')) { /* ... */ }

And you can add reCAPTCHA script dynamically this way:

var script = document.createElement('script');
script.src = 'https://www.google.com/recaptcha/api.js';
document.body.appendChild(script);

The cookie consent window is not that hard to implement by hand, but you can also use e.g. Cookie Consent by Insites; it helps you create an opt-in too.

Don't forget to write a cookie policy and include information about reCAPTCHA.
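
The page-load procedure from the answer above (steps 1 to 4), put together as an added example that is not part of the original answer. It uses plain `document.cookie` handling instead of js-cookie; the cookie name `captcha-consent` and the element ids `cookie-consent`, `cookie-allow` and `recaptcha-api` are assumed names, and the `Secure` attribute assumes the site is served over HTTPS.

```javascript
// Consent-gated reCAPTCHA loader. Cookie name and element ids are hypothetical.
const CONSENT_COOKIE = 'captcha-consent';
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js';

// Read one cookie value from a document.cookie-style string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the cookie string that records the user's "allow" decision.
function consentCookie(days) {
  const expires = new Date(Date.now() + days * 864e5).toUTCString();
  return `${CONSENT_COOKIE}=allow; expires=${expires}; path=/; SameSite=Lax; Secure`;
}

// Inject the reCAPTCHA script at most once; returns true if it was added.
function loadRecaptcha(doc) {
  if (doc.getElementById('recaptcha-api')) return false;
  const script = doc.createElement('script');
  script.id = 'recaptcha-api';
  script.src = RECAPTCHA_SRC;
  doc.body.appendChild(script);
  return true;
}

// Run on page load. No request to Google is made until consent exists.
function initConsentGate(doc) {
  if (readCookie(doc.cookie, CONSENT_COOKIE) === 'allow') {
    loadRecaptcha(doc);                      // steps 1-2
    return 'loaded';
  }
  const banner = doc.getElementById('cookie-consent');
  banner.hidden = false;                     // step 3
  doc.getElementById('cookie-allow').addEventListener('click', () => {
    doc.cookie = consentCookie(365);         // step 4.1
    loadRecaptcha(doc);                      // step 4.2
    banner.hidden = true;                    // step 4.3
  }, { once: true });
  return 'awaiting-consent';
}

if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => initConsentGate(document));
}
```

Any form that depends on the captcha should stay disabled while the gate reports `awaiting-consent`, otherwise it can be submitted without a token.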

Remove the reCAPTCHA from Google! That is very easy to do. You can try to make your own captcha. It is not so complicated.

Google's reCAPTCHA is in violation of the GDPR.

There has to be free consent. The user must also be informed of what is done with the data.

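According to Google's FAQ, if you use the www.recaptcha.net domain instead of www.google.com, you will only get a single cookie named _GRECAPTCHA, which I think can be classified as an essential cookie and therefore does not require consent under EU law (though it would be prudent to check with a legal expert, which I am not).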
