If you integrate reCAPTCHA through your website, you'll need to include a Privacy Policy.
Both Google and the California Online Privacy Protection Act require a Privacy Policy agreement when a website or app integrates reCAPTCHA.
Here's why.
CalOPPA requires that any website or mobile app that collects personal information (name, email or physical address, birthdate, etc.) from any residents in the state of California include a Privacy Policy to inform users what information is being collected, and how it is being collected and used.
This requirement from CalOPPA is mandatory even if the website does not collect personal data directly but instead uses and/or integrates third parties, such as the reCAPTCHA in this case.
As part of its Terms of Use agreement, Google requires websites that use its reCAPTCHA service to include a Privacy Policy.
First, let's see why personal information is collected through reCAPTCHA.
How "Invisible Captcha" Works
Invisible Captcha, or reCAPTCHA, requires end-users to click a button that says "I'm not a robot" and Google can determine whether to prompt the user with additional question (i.e. select pictures that best describe X) to verify if that person is in fact not a robot.
ReCAPTCHA collects personal information from users to make this determination of whether they're human and not a bot.
So, what personal information does the reCAPTCHA collect?
First, the reCAPTCHA algorithm will check to see if there's a Google cookie placed on the computer being used.
Then, an additional reCAPTCHA-specific cookie will be added to the user's browser, and a complete snapshot of the user's browser window at that moment in time will be captured, pixel by pixel.
Some of the browser and user information collected at this time includes:
- All cookies placed by Google over the last 6 months,
- How many mouse clicks you've made on that screen (or touches if on a touch device),
- The CSS information for that page,
- The date,
- The language your browser is set to,
- Any plug-ins you have installed on the browser, and
- All Javascript objects
It's because of this personal information collection that the requirement by CalOPPA is triggered and a Privacy Policy is required when reCAPTCHA is integrated.
Google's Privacy Policy requirement
As mentioned earlier, Google's Terms of Service for reCAPTCHA requires websites that use reCAPTCHA to include "any necessary notices or consents for the collection and sharing of the data with Google."
Because CalOPPA explicitly requires a Privacy Policy to be in place when personal user information is collected, the Terms of Service for reCAPTCHA works to reiterate that requirement.
In other words, a Privacy Policy is a "necessary notice" within the scope of the Google's Terms of Service agreement because CalOPPA makes it necessary:
Before you can implement the reCAPTCHA captcha on your website, you have to agree to "explicitly inform visitors to your site that you have implemented the Invisible reCAPTCHA on your site.":
EU User Consent requirement
When users in the EU will be presented with your reCAPTCHA and have their personal information collected during authentication, Google has a special EU User Consent Policy that must be followed.
This consent policy has a few requirements:
- You must use "commercially reasonable" efforts to disclose your data collection, sharing and usage practices as a result of your use of Google products,
- You must obtain consent to collect, share and use any such data, and
- You must also use "commercially reasonable" efforts to provide end users with "clear and comprehensible" information about any cookie accessing and storing, and
- You must obtain consent to access and store these cookies.
Required notices can be accomplished through including specific clauses and information in a Privacy Policy and/or Cookie Policy.
Once you have these policies in place and the information is available to your users, obtaining consent can be as easy as having your users actively check a box that shows they consent to your data collection, usage and sharing, as well as to the storing and accessing of cookies.
The example below shows how Skype gets users to agree to the terms and clauses in its Cookie and Privacy Policy, both of which will include the required notices to satisfy the EU User Consent Policy requirements:
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.