Google's reCAPTCHA system is a security tool that many businesses use, which was designed to protect your business and your users from abusive bots and spam.

Maintaining multiple levels of security on your website and making sure that your Privacy Policy is up to date and accurately reflects your business's privacy practices are essential steps in keeping users' personal data secure.

This article will take you through what exactly reCAPTCHA is, what rules you need to follow whenever your business uses reCAPTCHA, and how to create a reCAPTCHA compliant Privacy Policy.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

What is ReCAPTCHA?

ReCAPTCHA is Google's version of a CAPTCHA. You have more than likely clicked on the box verifying that you are not a robot, and then clicked on the images that the reCAPTCHA directed you to choose. Newer versions of reCAPTCHA only require you to click the box saying that you are not a robot, while older versions will use images to determine whether or not you are in fact a human.

Adding a reCAPTCHA to your website helps to keep it safe from bots, and helps users to feel more secure when inputting their information.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart" (really!) and is a tool that is used to differentiate human internet users from bots. A CAPTCHA functions as a fully automated system, which helps to provide a low-cost layer of protection for your website.

You've probably come across a CAPTCHA in the form of a test where you need to type skewed letters into a box in order to login or save your information.

2Captcha, a company that provides a CAPTCHA solving service, shows users an image of a CAPTCHA on its website:

2Captcha Captcha Solving Service example screenshot

Ascension Medical Group uses a reCAPTCHA to weed out bots whenever it asks patients to provide personal information:

Ascension Medical Group: Validate patients details form with reCAPTCHA highlighted

One of the ways reCAPTCHAs work is by checking your browser to see if you already have a Google cookie installed. Cookies are files that store information about how you interact with specific websites.

ReCAPTCHAs require users to share their cookies and other personal information with Google, which means that any business that uses reCAPTCHAs must abide by certain privacy regulations.

Rules You Need to Follow When Using ReCAPTCHA

Rules You Need to Follow When Using ReCAPTCHA

Google has its own requirements for any businesses that use reCAPTCHA, but you should also be aware of state and global privacy legislation concerning the collection of personal information.

Google's ReCAPTCHA Requirements

Google's Terms of Service agreement requires that any website that uses its reCAPTCHAs abides by the rules listed in its Privacy Policy:

Google Terms of Service intro clause with Agree to Privacy Policy section highlighted

That means that if your business uses reCAPTCHAs, then you should make sure that your Privacy Policy covers the same topics that Google's Privacy Policy does. Those topics include what information you collect and why, who you share the information you collect with, and how you keep user's data secure, among others.

Privacy Law ReCAPTCHA Requirements

According to the United Nations Conference on Trade and Development (UNCTAD), 137 countries currently have legislation concerning personal information and privacy. That means that if your company does business with consumers from any of these countries then you need to be aware of any national or regional privacy rules and make sure that you aren't violating any of their regulations.

In the U.S., there are a number of states that have enacted privacy laws including California, Colorado, Connecticut, Utah, and Virginia. Each of these state privacy laws give consumers the right to access and/or delete their personal information, as well as the right to opt-out of the sale of their personal information.

These laws also require that businesses are transparent about how they handle consumers' personal information and refrain from discriminating against consumers for exercising their rights.

The California Consumer Privacy Act (CCPA) requires that businesses divulge what kind of data they collect, what purposes they use it for, and whether and with whom they share the personal information they collect.

The CCPA also requires that businesses inform users of their rights to request information about how their data is used and to request that their data be deleted. Section 1798.100 of the official text of the CCPA outlines consumers' rights to know the details of how their personal information is collected and used:

California Legislative Information: CCPA Section 1798 100: Consumer rights and inform about information collected purposes section

And, Section 1798.105 informs consumers of their right to request that their personal information be deleted:

California Legislative Information: CCPA Section 1798 105 a

If your business uses reCAPTCHa and your business or any of your consumers reside in states with privacy laws, then you will need to make sure that your Privacy Policy includes information about what kinds of data you collect and how you use it, as well as information about what your consumers' rights are and how they can access or delete the personal information that you collect.

You should also make sure to keep up to date on the status of new privacy legislation, and adjust your Privacy Policy accordingly as privacy laws are introduced and passed in other states.

The General Data Protection Regulation (GDPR) is the European Union's (EU) premier privacy legislation, requiring organizations that handle information from residents of the EU to get user's consent before collecting or processing personal information, keep the data they collect secure, and only use data that is essential to their business.

Failure to follow GDPR rules can result in hefty financial penalties of up to 4% of your business's annual revenue.

Article 7 of the official text of the GDPR explains how businesses need to get consumers' consent before processing their data:

GDPR Article 7: Consent clauses 1 through 4

Article 5 of the GDPR requires that a company only collects personal data for purposes necessary for the functioning of the business, and securely processes the personal information it collects:

EUR-Lex GDPR Article 5 Section 1: Processing personal data

While there are a number of requirements when it comes to compliantly implementing reCAPTCHA, you can see that they really aren't difficult to meet if you're already complying with privacy requirements and have a detailed Privacy Policy.

How to Create ReCAPTCHA-Compliant Privacy Policy

How to Create ReCAPTCHA-Compliant Privacy Policy

If your business uses reCAPTCHA, then you need to make sure that your Privacy Policy complies with Google's Terms of Service, as well as state and global privacy legislation requirements.

Google's Privacy Policy Requirements

You must agree to Google's Terms of Service before using its reCAPTCHA system, which means that your business needs to have a Privacy Policy that lets consumers know:

  • How you collect and use their personal information
  • Who you share their information with
  • How you keep their information secure

Creative Commons is an open source global sharing platform that uses reCAPTCHA on its contact form:

Creative Commons contact form with reCAPTCHA highlighted

When users tick the "I'm not a robot" box, a new page opens, requiring users to select certain images to prove that they aren't a malicious bot:

Example of a Google reCAPTCHA puzzle screenshot

Creative Commons maintains a Privacy Policy that lets users know that they must agree to its terms before using any of its Services. Creative Commons' Privacy Policy describes what kind of information it collects, and how it uses and shares users' personal information, which helps it to comply with Google's reCAPTCHA requirements:

Creative Commons Privacy Policy: Intro and Table of Contents

State Privacy Policy Requirements

In order to remain compliant with state laws, you should make sure that your business:

  • Informs consumers of their right to access and delete any of their personal information that your business collects, as well as the right to opt-out of the sale of their personal information to any third parties
  • Is transparent about how you collect and use consumers' personal information, as well as how you keep it secure

The Home Depot requires users wishing to create an account with the company to pass a reCAPTCHA test, and provides users with a link to its Privacy and Security Statement:

The Home Depot Create Account form with reCAPTCHA and Privacy and Security Statement link highlighted

When users click on The Home Depot's Privacy and Security Statement link, they are taken to a new page, which includes a California Privacy Rights and Report section which outlines what California consumers' privacy rights are and how the Home Depot complies with the CCPA:

The Home Depot Privacy and Security Statement: California Privacy Rights and Report clause

Global Privacy Policy Requirements

Privacy laws vary by country, but Europe's GDPR is one of the most prominent global privacy laws, and requires that the businesses under its jurisdiction:

  • Only use and store data that is essential to the functioning of the business
  • Keep the data they collect secure

Roku is a company that provides digital streaming devices to users around the world, and uses a reCAPTCHA to help keep users' account information secure:

Roku sign in form with reCAPTCHA highlighted

Roku's Privacy Policy describes how it keeps the data it collects secure, as well as how it transfers and stores data, which helps it to fulfill some of the GDPR's requirements:

Roku Privacy Policy: Data Storage Transfers and Security clause


ReCAPTCHA is a test designed by Google that helps to differentiate humans from bots. You can use reCAPTCHA to help protect your business and your users' information.

You need to follow certain privacy rules in order to use reCAPTCHA, including those outlined in Google's Terms of Service, as well as any applicable state and global privacy regulations.

The CCPA is California's primary privacy legislation, and serves to inform consumers of their rights as well as let them know how businesses collect and use their personal information.

The GDPR is the European Union's main privacy and data law, and it requires that applicable companies get consent from consumers before collecting their personal information, and keep the information they collect secure, among other directives.

In order to create a reCAPTCHA-compliant Privacy Policy, you should make sure that it includes information about:

  • How you collect and use consumers' personal information
  • How you keep the personal information you collect secure
  • Whether you share the data you collect with any third parties

You should also inform consumers of their rights concerning their personal information and privacy, and let them know how they can access and delete their data, as well as give them the opportunity to opt-out of the sale of their information.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy