What has changed?
As of April 2, 2026, Google has changed the specific Terms of Service for reCAPTCHA.
Previously, the specific Terms of Service contained provisions obliging customers to refer to Google’s Terms of Use and Privacy Policy when integrating reCAPTCHA and, if necessary, to obtain consent for data transfers to Google. These provisions indicated that Google acted as a controller in its own right. They have now been removed from the specific Terms of Service.
But what is the consequence of this change?
Only a clarification. reCAPTCHA is subject not only to these specific Terms of Service but also to the Google Cloud Terms of Service and the Cloud Data Processing Addendum (DPA). These agreements already indicated that Google acts as a data processor.[1] In this respect, the change to the specific Terms of Service merely resolves a contradiction.
What does Google advise its customers?
Google points out in its FAQ that references to the Google Terms of Use and Privacy Policy should be removed due to the contract adjustment.
What needs to be done?
For all website and app operators currently using reCAPTCHA, this specifically means:
Information obligations (Art. 13, 14 GDPR)
The privacy policy must be adjusted: Google is no longer to be classified as a third party in connection with reCAPTCHA, but as a data processor.
Record of processing activities (Art. 30 GDPR)
The entry for reCAPTCHA in the record of processing activities must also be adjusted accordingly. For Google as recipient, the category “data processor” must be listed here.
What has not changed? The problems.
The contract adjustment does not change the fundamental data protection challenges associated with using reCAPTCHA.
Lack of transparency in data processing
Google provides no conclusive information in its DPA[2] or its Terms of Service about which personal data are specifically processed and when they are deleted. Google has also updated its developer pages for implementing reCAPTCHA[3] – but without specifying data types and retention periods.
This means essential information about data processing is missing. Without this information, central requirements of the GDPR cannot be met. This particularly concerns the fulfillment of information obligations under Art. 13, 14 GDPR and also the determination of a viable legal basis – because without complete information on data processing, no interests can be weighed, and no informed consent can be formulated.
Terminal equipment access and TDDDG
Regardless, it should be noted that, according to the Google FAQ, the _GRECAPTCHA cookie is set by the reCAPTCHA service.
The use of the cookie constitutes access to the terminal equipment, which is subject to the requirements of Section 25 TDDDG. Access to terminal equipment generally requires consent, unless it is strictly necessary for a service explicitly requested by the user.
An exception to the consent requirement can therefore only be assumed here if reCAPTCHA is absolutely necessary for the provision of the service specifically requested by the user and the associated access to the terminal equipment is limited exclusively to the processing operations necessary for this purpose.
reCAPTCHA is intended to check whether an interaction with a specific element on a website or app, e.g., clicking a login button or submitting a form, originates from a machine or a human. It is therefore often argued that reCAPTCHA serves security purposes, particularly protection against automated access and abuse.
The German Data Protection Conference (DSK) assumes that user-oriented security cookies may be necessary for a service explicitly requested by the user. However, it is still necessary that only the required data are processed so that the explicitly requested service can be provided “securely, quickly, and stably.” Such an assessment is not reliably possible in the case of reCAPTCHA, as Google does not provide information about which data are processed by the cookie. Likewise, Google provides no specific information on retention periods.
The Austrian Federal Administrative Court ruled in a 2024 decision that the following non-exhaustive list of data was collected: IP address, referrer URL, information about the operating system and browser, possibly cookies, mouse movements and keystrokes, dwell time and settings of the user’s device (e.g., language settings, location, browser settings), and a unique user identification number, which marks the terminal equipment.
Assuming the processing were limited to the data listed in this court decision, the scope is greater than necessary for a pure bot check, e.g., when clicking a login button. According to the DSK, the assignment of unique identification markers should be questioned particularly critically, because only in a few cases is such storage absolutely necessary for the provision of a website or app.
Due to a lack of information on data processing and thus a lack of proof of technical necessity within the meaning of Section 25 (2) TDDDG, a consent requirement must therefore generally be assumed.
At the same time, effective consent requires that data subjects are sufficiently informed about the nature, scope, and purposes of data processing. Because of the lack of transparency, this prerequisite is currently not met for reCAPTCHA either, meaning that effective consent cannot be obtained.
Our Conclusion
The new contract adjustment thus solves none of reCAPTCHA’s central data protection problems. For controllers, its use continues to be associated with considerable legal uncertainties. Those who already use reCAPTCHA should reflect Google’s role as a data processor in their own privacy information to increase transparency. Furthermore, alternatives to Google’s reCAPTCHA should be examined.
[1] The Google Cloud Terms of Service incorporate the Cloud Data Processing Addendum. The Cloud Data Processing Addendum has referred to the “Google Cloud Platform Services Summary” (https://cloud.google.com/terms/services/index-20230427) since September 2022 for the affected Google services, which already listed reCAPTCHA at that time. Since then, the Cloud Data Processing Addendum applies to reCAPTCHA.
[2] Processed data: “Data relating to individuals provided to Google via the Services, by (or at the direction of) Customer or by its End Users”
[3] last accessed on 2026-04-15