reCAPTCHA

reCAPTCHA

Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.

Google
Part of Google
Back to Vendor Library

Overview

Google reCAPTCHA is a bot-detection and CAPTCHA service that protects web forms, login pages, account registration flows, and checkout pages from automated abuse. It is available in three versions: v2 Checkbox, v2 Invisible, and v3 (continuous background scoring). reCAPTCHA Enterprise extends these capabilities for high-assurance environments.

What This Script Does

reCAPTCHA loads JavaScript from www.google.com/recaptcha/ and www.gstatic.com/recaptcha/. The specific behavior depends on the version deployed.

reCAPTCHA v2 Checkbox Presents a visible "I'm not a robot" checkbox. If the browser interaction pattern is insufficient, a visual challenge (image grid selection) is presented. Sets the _GRECAPTCHA cookie (session, essential) to maintain challenge state. Communicates with www.google.com to validate the user's solution.

reCAPTCHA v2 Invisible Runs behavioral analysis silently without showing a checkbox unless a challenge is needed. Same network contacts and cookie behavior as v2 Checkbox, but triggered programmatically on form submission.

reCAPTCHA v3 Executes continuously on every page where it is deployed and scores all user interactions on a 0.0 to 1.0 scale. The score is sent to the server for the application to decide whether to allow, block, or challenge the request. reCAPTCHA v3 sets the _GRECAPTCHA cookie (6 months, first-party) and collects:

  • Mouse movements, click patterns, and scroll behavior
  • Keystroke timing and cadence (not keystroke content)
  • Browser fingerprint: User-Agent, screen dimensions, installed plugins, language settings, timezone
  • Device motion and touchscreen signals on mobile
  • IP address and approximate geolocation
  • Whether the browser is running headless or in a WebDriver context

Data is sent to www.google.com/recaptcha/api2/ and recaptcha.net for scoring. Google's servers return a signed token that the application passes to its backend for server-side verification via www.google.com/recaptcha/api/siteverify.

reCAPTCHA Enterprise Offers the same behavioral analysis as v3, with additional signals including device reputation, account history, and integration with Google's fraud intelligence network. Enterprise scores are assessed via recaptchaenterprise.googleapis.com.

Cookies set:

  • _GRECAPTCHA (first-party, session or 6 months depending on version) — maintains challenge state and site identity

Domains contacted: www.google.com, www.gstatic.com, recaptcha.net, recaptchaenterprise.googleapis.com

Consent & Compliance

GDPR/ePrivacy: reCAPTCHA's security purpose makes it a candidate for the "strictly necessary" exemption under ePrivacy. However, the breadth of data collected — behavioral fingerprinting, long-lived cookies, transfer to Google — has drawn regulatory scrutiny. The Austrian DSB and French CNIL have both highlighted that Google reCAPTCHA transfers personal data to Google in the US, requiring a valid transfer mechanism. The German DSK has noted that reCAPTCHA data may be used by Google beyond the immediate security purpose. Operators relying on the strictly necessary exemption should document their assessment in a DPIA.

CCPA/CPRA: Data collected by reCAPTCHA is shared with Google. Google's privacy policy governs subsequent use. While security data collection is a recognized business necessity, operators should disclose this in their privacy policy.

EU-US Data Transfers: Google LLC participates in the EU-US Data Privacy Framework (DPF), providing a transfer mechanism for reCAPTCHA data processed on Google's US infrastructure.

Consent category: Essential (security/bot prevention).

Should You Block This Without Consent?

No. reCAPTCHA serves an essential security function — preventing automated attacks on forms and login pages. Blocking it would leave the site vulnerable to credential stuffing, spam, and bot abuse. Operators should disclose reCAPTCHA in their privacy policy, document the necessity justification in a DPIA, and note that the French CNIL and Austrian DSB have flagged Google data transfers as requiring attention even for security-purpose tools.

Visit website

Consent Categories

Essential

Also Known As

reCAPTCHA v3reCAPTCHA v2Google reCAPTCHAinvisible reCAPTCHAbot protection GDPR

Industries

Computers Electronics and TechnologySearch Engines

Tracked Domains (1)

www.recaptcha.netEssential

Frequently Asked Questions

Does reCAPTCHA require cookie consent?

No for most implementations. reCAPTCHA is essential security infrastructure protecting forms from automated abuse. The _GRECAPTCHA cookie is required to maintain challenge state and falls under the ePrivacy strictly necessary exemption. Operators should document the necessity justification in a DPIA and disclose reCAPTCHA in their privacy policy.

What data does reCAPTCHA v3 collect?

reCAPTCHA v3 sets _GRECAPTCHA (first-party, 6 months). It collects mouse movements, click patterns, keystroke timing, browser fingerprint (User-Agent, screen dimensions, plugins, timezone), IP address, and device signals. Data is sent to www.google.com/recaptcha/api2/ for scoring.

How does ConsentStack treat reCAPTCHA on protected forms?

ConsentStack classifies reCAPTCHA as essential and never blocks it. Blocking would expose forms and login pages to bot attacks. It is detected via scripts from www.google.com/recaptcha/ and www.gstatic.com/recaptcha/. ConsentStack keeps reCAPTCHA active regardless of the user's analytics or marketing consent choices.

Other Google Products

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google Ads
Google Ads
Google Ads is Google's advertising platform for search, display, and remarketing campaigns. Conversion tracking scripts fire on advertiser landing pages to measure actions taken after ad clicks. The remarketing tag builds audience lists for retargeting users across Google's ad network.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
YouTube
YouTube
YouTube is Google's video platform, widely used to embed video content on external websites. The YouTube iframe player loads JavaScript that communicates with Google's servers for video playback, quality control, and ad serving. Embedded players may set cookies tied to the viewer's Google account to track watch history and personalize recommendations.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
YouTube Player
YouTube Player
YouTube Player embeds YouTube videos on external websites via iframe. Scripts load from Google's servers and set cookies for video playback preferences, watch history, and ad targeting. Cookies are dropped even when visitors only view the embed without interacting with the player.

Related Vendors

Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Sign in with Google
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Azure CDN
Azure CDN
Azure CDN is Microsoft's content delivery network that caches and serves website assets from globally distributed edge servers. Delivers HTML, CSS, JavaScript, images, and media to visitors from the nearest edge location to reduce latency. No tracking or advertising functionality — operates purely as transparent content delivery infrastructure.

Manage consent for reCAPTCHA

ConsentStack automatically detects and manages reCAPTCHA trackers so your site stays compliant with global privacy regulations.

Get started free