reCAPTCHA sets cookies, transfers data to the US, and tracks users for ad targeting. Here’s why EU businesses are dropping it — and what to use instead.
The Hidden Cost of “Free” Bot Protection
reCAPTCHA is free. That’s the pitch. But for EU businesses, the real cost is buried in compliance risk.
Google’s reCAPTCHA sets multiple cookies (NID, _GRECAPTCHA), sends user data to US servers, and — per Google’s own Terms of Service — uses reCAPTCHA interactions to improve Google’s ad targeting products.
For any site that needs GDPR compliance, that’s three problems in one script tag.
What reCAPTCHA Actually Does
When a user loads a page with reCAPTCHA, the following happens:
- Cookies are set — NID and _GRECAPTCHA are placed in the user’s browser
- Data is transferred to the US — Mouse movements, browser fingerprints, and IP addresses go to Google servers in the United States
- Google processes the data — Per their privacy policy, reCAPTCHA data feeds into Google’s risk analysis systems
This means every site using reCAPTCHA needs:
- A cookie consent banner (because reCAPTCHA cookies aren’t “strictly necessary”)
- A Data Processing Agreement with Google
- A legitimate legal basis for the US data transfer
- Disclosure in the privacy policy
The Legal Reality in 2025/2026
Several EU Data Protection Authorities have already flagged reCAPTCHA:
- The French CNIL has ruled that reCAPTCHA requires explicit consent because it sets non-essential cookies
- Austrian and German DPAs have questioned whether US data transfers meet GDPR standards post-Schrems II
- The European Accessibility Act (EAA), effective June 2025, adds another layer: visual CAPTCHA puzzles fail WCAG 2.2 AA standards
The trend is clear: using reCAPTCHA in the EU is becoming harder to justify legally.
What Makes a GDPR-Compliant Alternative?
A bot protection solution that actually works for EU businesses needs to:
- Set zero cookies — No consent banner needed for the bot protection itself
- Keep data in the EU — No transatlantic transfers, no Schrems II risk
- Work invisibly — No visual puzzles that fail accessibility standards
- Not track users — Bot protection shouldn’t be a data collection mechanism
Proof-of-Work: The Cookie-Free Approach
Proof-of-Work bot protection flips the model. Instead of tracking users to determine if they’re human, it forces the client to solve a small cryptographic puzzle (SHA-256).
The computation takes ~200ms on a modern device — humans don’t notice it. But bots trying to submit thousands of forms need to solve thousands of puzzles, making spam economically unfeasible.
No cookies. No tracking. No US data transfer. No consent banner needed.
Making the Switch
Replacing reCAPTCHA doesn’t have to be complex. With nForms Shield, the migration is a single script tag:
<!-- Before: reCAPTCHA -->
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="YOUR_KEY"></div>
<!-- After: nForms Shield -->
<script src="https://api.nforms.eu/shield.js"></script>
No API key verification on the backend. No cookie consent changes. No privacy policy updates for a new US data processor.
The Bottom Line
reCAPTCHA was designed for a pre-GDPR world where tracking users across the web was the default. In 2026, EU businesses need bot protection that respects the legal framework they operate in.
The question isn’t whether reCAPTCHA works against bots. It does. The question is whether the compliance overhead is worth it when alternatives exist that don’t set cookies, don’t transfer data to the US, and don’t require visual puzzles.
For most EU businesses, the answer is increasingly: no.
I’m building nForms — a form backend with Proof-of-Work bot protection and WCAG 2.2 AA validation. EU-only infrastructure, zero cookies. If you’re dealing with reCAPTCHA compliance headaches, I’d love your feedback.