This question is specifically about Google's reCAPTCHA, but may also apply to many other CAPTCHA solutions that collect "personal" data.

I was reading briefly about ePrivacy regulations and I have found a very good resource about PECR and cookies at the ICO. I have tried to contact the ICO via their live chat, but unfortunately they don't provide any legal advice. However, they said: "If you're collecting personal data, then you must comply with GDPR."

From what I could find online and from what I can see in the browser, Google's reCAPTCHA is collecting the client's hardware and software information in order to analyse whether the client is a human or a robot. Some of the cookies are sent to google.com. Some unofficial sources say that Google even uses their GA tracking cookie to identify human vs. bot. In my understanding, this approach can be seen as tracking or fingerprinting.

So I'm wondering how it actually is from a legal point of view. Do we really need to obtain the user's consent before we can use Google's reCAPTCHA on a website served to EU citizens?

The ICO says there are exemptions for

session cookies providing security that is essential to comply with data protection security...

Can reCAPTCHA be considered a tool for providing data protection security?

My point is that no bot will ever give consent to reCAPTCHA, so what is the way out of this riddle?

UPDATE (2018-05-07): I noticed Google updated their EU user consent policy, which is linked from the reCAPTCHA admin, located here. Their terms of service say:

...it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google. For users in the European Union, you and your API Client(s) must comply with the EU User Consent Policy currently located at http://www.google.com/about/company/user-consent-policy.html.

So, assuming the consent is required, I would like to rephrase my original question:

If I offer ways to give and/or deny consent to reCAPTCHA, is it legally acceptable to include and execute reCAPTCHA on a website by default, without prior consent?

lp1051

4 Answers

“From your perspective you should not worry about asking permission to use reCaptcha as it is not you who is processing the data it is google and any GDPR compliance falls on them.”

This is plain wrong. If a user visits your website, you are the controller of the data collected on your website, regardless of what entity collects that data.

However, in my non-legal opinion, reCAPTCHA falls under Article 6, sections 1(d) and 1(f), and also Recital 49.

1d:

“processing is necessary in order to protect the vital interests of the data subject or of another natural person;”

While you could argue this in some cases, (most probably) reCAPTCHA is used to reduce spam to a business entity, thus not a “natural person”.

1f:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Here is where the real ruling applies: “legitimate interests”. You as a business have a legitimate interest in reducing spam into your business. Not only does spam take up your time, but it also takes up your resources. The extent to which spam takes these up depends on the usage in question. But nearly everyone can safely assume reducing spam (one of the cornerstones of the GDPR) is a legitimate interest.

Recital 49 (excerpt):

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

Shinrai

Are you looking from Google's perspective or your perspective?

From your perspective you should not worry about asking permission to use reCaptcha as it is not you who is processing the data it is google and any GDPR compliance falls on them.

From their perspective, it should not be a concern: GDPR is worried about Personally Identifiable Information, and so 99% of hardware and software data, and any tracking data with regards to your cursor movement to see if you are a robot or not, will not fall under that category. Data which they could store would be things like IP addresses, which are protected under GDPR in most cases.

Kyle Wardle

You wouldn't need consent for this type of cookie, as it would be in the legitimate interest of the data controller to collect this information. The user completing a form and ticking a reCAPTCHA would be submitting data to the data controller anyway. Asking for consent would be silly if there is a real interest for the controller.

Anon

The only thing I can imagine is to disable form submission by default and enable form submission together with reCAPTCHA on demand, after the user has given consent to use reCAPTCHA.

LarS