Google reCAPTCHA Data Collection

TL;DR

Google collects a lot of data when you use reCAPTCHA, even the invisible versions. This includes your IP address, browsing history (through cookies), mouse movements, device information, and potentially other details about how you interact with websites using reCAPTCHA. It’s used to distinguish between humans and bots, but it does mean Google is tracking your behaviour.

Understanding What reCAPTCHA Does

reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a service provided by Google to protect websites from spam and abuse. It works by analysing user behaviour to determine if they are human or automated bots.

What Information Does Google Collect?

1. IP Address: Your IP address is logged every time you complete a reCAPTCHA challenge. This helps Google identify the location and potentially track patterns of abuse.
2. Cookies: reCAPTCHA uses cookies to store information about your browsing history on websites that use the service. These cookies help build a profile of your behaviour.
3. Mouse Movements & Keystrokes: Even if you don’t click any boxes, Google tracks how you move your mouse and press keys while interacting with reCAPTCHA challenges. This data is used to assess whether you are likely a human or a bot.
4. Device Information: Google collects information about the device you’re using, including your operating system, browser type, installed plugins, and screen resolution.
5. Website Interaction Data: reCAPTCHA can collect data about how you interact with the website itself (e.g., which links you click, forms you fill out) before and after completing the challenge. This is done to provide a broader context for identifying bots.
6. Google Account Information (If Logged In): If you’re logged into your Google account while using reCAPTCHA, Google can associate this data with your account.

Different Types of reCAPTCHA and Data Collection

• reCAPTCHA v2 (“I’m not a robot” checkbox): This version collects the information listed above when you check the box or solve image challenges.
• Invisible reCAPTCHA (v3): This is more subtle; it runs in the background and assigns a score to each user based on their behaviour. It still collects all of the same data as v2, but without requiring explicit interaction from the user. The website owner then decides what action to take based on this score.

How to Limit Data Collection

1. Browser Privacy Settings: You can block third-party cookies in your browser settings to limit Google’s ability to track you across websites. However, this may break some website functionality.
2. Privacy-Focused Browsers/Extensions: Using a privacy-focused browser (e.g., Brave) or browser extensions designed to block trackers can help reduce data collection.
3. Google Account Controls: Review and adjust your Google account activity controls to limit the amount of data Google collects about you. Link to Google Activity Controls
4. Website Alternatives: If possible, choose websites that don’t rely heavily on reCAPTCHA or offer alternative methods for preventing spam.

Checking if a Website Uses reCAPTCHA

You can use browser developer tools to check if a website is using reCAPTCHA.

1. Open Developer Tools: Press F12 in most browsers.
2. Network Tab: Go to the ‘Network’ tab.
3. Filter for “recaptcha” or “google”: Type ‘recaptcha’ or ‘google’ into the filter box. If you see requests being made to Google domains related to reCAPTCHA, the website is using it.