Starting April 2, 2026, website operators will bear greater responsibility when using Google reCAPTCHA to protect their website forms. Background: Google’s role is changing from data controller to data processor.
This increases the effort for website operators to check and document GDPR compliance when using reCAPTCHA, as they are now responsible for complying with the legal data protection regulations.
Google has been criticized for years for collecting too much personal data for its reCAPTCHA service and for not being transparent enough about what the data is used for. The use of data for AI purposes and the storage of data in other EU countries cannot be ruled out either.
Leading data protection experts from Germany, including ePrivacy GmbH, therefore recommend using the change in responsibility as an opportunity to look for data-efficient alternatives to reCAPTCHA.
POWER CAPTCHA was developed in Germany as a data-efficient and GDPR-compliant solution for European data protection standards.
It works without cookies, does not store any data on the user’s end device and only stores personal data temporarily (for the duration of the security check), encrypted and on servers in Germany.
More about data protection at POWER CAPTCHA.
Find out more about the new obligations for website operators in the ePrivacy blog.
Enter a test name and click on the security checkbox to test POWER CAPTCHA. You can then submit the form.
Test now
With our demo, you can simulate the application on your website/app with fictitious data. You can find more information about the demo and additional test forms on our demo page.
