GDPR-compliant CAPTCHA
POWER CAPTCHA - no cookies
THE CAPTCHA-GDPR-PROBLEM
What you need to consider
Many captchas either process personal data, do not specify exactly what data they process, or store data on servers outside the EU, all without the explicit consent of the user. These captchas are not GDPR/DSGVO compliant and are a problem for website operators. As a website operator, you are responsible for complying with the legal data protection requirements on your website. Therefore, you should use a captcha solution on your website that does not require user consent or the use of cookies. According to the GDPR, the use of captchas that store data outside the EU or store personal data requires the users' prior consent (analogous to cookie banners). This also applies, for example, to the use of Google reCAPTCHA and becomes a problem if users do not give their consent: you then cannot legally use the protective function of the captcha.
POWER CAPTCHA only processes data that is absolutely necessary for the security check. This data is stored in volatile memory for the duration of the security check and then automatically deleted. POWER CAPTCHA is therefore GDPR-compliant and you do not require user consent. Learn more about the problems of using Google reCAPTCHA as well as about data storage and server security with POWER CAPTCHA!
DATA PROTECTION PROBLEMS WITH GOOGLE CAPTCHA
Why the use of Google reCAPTCHA is problematic
reCAPTCHA from Google is currently the most widely used captcha. However, data protection experts have some reservations about the use of reCAPTCHA. For example, Google’s general privacy policy contains references to the use of various personal data, but currently not to how that data is specifically used. It therefore remains unclear whether other personal data is processed by Google reCAPTCHA in particular, e.g. to analyze user behavior.
This is a problem for you as a website operator, because you also have to specify the categories of processed data in your privacy policy.
“Website operators should definitely check alternatives. If Google reCAPTCHA is nevertheless integrated, the controller must be aware that it must be able to prove lawful use in accordance with Art. 5 (1), (2) GDPR. If you cannot explain how Google processes the user data, you cannot inform the user transparently and cannot prove the lawful use.” (FAQ, as of 10.06.2024)
For you, this means that you cannot legally use reCAPTCHA within the scope of the GDPR and may even have to face fines or warnings. In addition, website operators with a high level of service and customer orientation want to create as few barriers as possible and reduce the use of data requiring consent.
When using POWER CAPTCHA, no unencrypted personalized data is stored. We generally store personal data only temporarily, encrypted and on servers in Germany. We do not use cookies and do not store any data on the user’s device. Therefore, your visitors do not have to agree to its use, and that use is GDPR/DSGVO compliant.
GDPR COMPLIANT DATA STORAGE
How we transfer and store data
When you submit a form that is protected with POWER CAPTCHA or log into a protected area, the POWER CAPTCHA server is informed that a captcha should be checked (security query). The IP address of the user (for the Enterprise edition, optionally an additional value such as a username or email address) is transmitted encrypted and stored hashed (not as plain text). We keep this data in volatile memory (cache or RAM) and do not write it to hard disks at any time.
The data is necessary for POWER CAPTCHA to function. We therefore store the data only until the security check and the current processing period are completed. The maximum duration of storage is based on the blocking periods defined in the POWER CAPTCHA plans. Under the Enterprise plan, we can store the data for a maximum of 3 days (customer setting).
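A minimal sketch of the storage model described above, added here as an illustration and not POWER CAPTCHA's own code: client IPs are held only as keyed hashes in process memory and dropped when the blocking period ends. The HMAC-SHA256 construction, the per-process key, and all class, method and parameter names are assumptions; the page says only that the value is stored hashed. A key is used because a plain hash of an IPv4 address can be reversed by hashing all 2^32 candidates.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time


class VolatileAttemptStore:
    """Counts security queries per client, keyed by a keyed hash of the IP.

    Illustrative only: names, limits and the HMAC construction are assumptions.
    """

    def __init__(self, max_attempts=3, block_seconds=600, clock=time.monotonic):
        # Random per-process key, held in RAM only. Without the key, digests
        # cannot be recomputed from a list of candidate addresses.
        self._key = secrets.token_bytes(32)
        self._entries = {}  # digest -> [attempts, expires_at]; never persisted
        self.max_attempts = max_attempts
        self.block_seconds = block_seconds
        self._clock = clock

    def _digest(self, ip):
        # Parse first so equivalent spellings of one address hash identically.
        packed = ipaddress.ip_address(ip).packed
        return hmac.new(self._key, packed, hashlib.sha256).digest()

    def _purge(self, now):
        # Delete every record whose blocking period has ended.
        for digest in [d for d, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[digest]

    def check(self, ip):
        """Record one query; return False while the client is blocked."""
        now = self._clock()
        self._purge(now)
        entry = self._entries.setdefault(
            self._digest(ip), [0, now + self.block_seconds])
        entry[0] += 1
        return entry[0] <= self.max_attempts

    def tracked(self):
        """Number of clients currently held in memory."""
        self._purge(self._clock())
        return len(self._entries)


if __name__ == "__main__":
    store = VolatileAttemptStore(max_attempts=2, block_seconds=60)
    # Constructed sample address from the documentation range 192.0.2.0/24.
    print([store.check("192.0.2.7") for _ in range(3)])
```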
In our free whitepaper you can find more information about how your website communicates with our server.
SERVER SECURITY AT POWER CAPTCHA
Certified data centers in Germany
POWER CAPTCHA runs on secured servers in certified data centers in Germany.
We apply the following standards when selecting our server providers: all providers are ISO 27001:2013 certified, minimum TIER 3 colocation operators who operate their sites 100% in Germany. In addition, our providers use 100% green electricity.
DEMO FORM
With our demo you can simulate the application on your website / app with fictitious data. You can find more information about the demo and additional test forms on our demo page.
PROTECT YOUR WEBSITE
Get started with POWER CAPTCHA
You want to use POWER CAPTCHA on your website? Then get your license here and follow our step-by-step instructions.