First, let's see why personal information is collected through reCAPTCHA.
How "Invisible Captcha" Works
Invisible Captcha, or reCAPTCHA, requires end users to click a button that says "I'm not a robot". Google then determines whether to prompt the user with an additional question (e.g. select the pictures that best describe X) to verify that the person is in fact not a robot.
ReCAPTCHA collects personal information from users to make this determination of whether they're human and not a bot.
So, what personal information does the reCAPTCHA collect?
First, the reCAPTCHA algorithm will check to see if there's a Google cookie placed on the computer being used.
Then, an additional reCAPTCHA-specific cookie will be added to the user's browser, and a complete snapshot of the user's browser window at that moment in time will be captured, pixel by pixel.
Some of the browser and user information collected at this time includes:
All cookies placed by Google over the last 6 months,
How many mouse clicks you've made on that screen (or touches if on a touch device),
The CSS information for that page,
The language your browser is set to,
Any plug-ins you have installed on the browser, and
As mentioned earlier, Google's Terms of Service for reCAPTCHA require websites that use reCAPTCHA to include "any necessary notices or consents for the collection and sharing of the data with Google."
Before you can implement reCAPTCHA on your website, you have to agree to "explicitly inform visitors to your site that you have implemented the Invisible reCAPTCHA on your site."
EU User Consent requirement
When users in the EU are presented with your reCAPTCHA and have their personal information collected during authentication, you must follow Google's special EU User Consent Policy.
This consent policy has a few requirements:
You must use "commercially reasonable" efforts to disclose your data collection, sharing and usage practices as a result of your use of Google products,
You must obtain consent to collect, share and use any such data,
You must also use "commercially reasonable" efforts to provide end users with "clear and comprehensible" information about any cookie accessing and storing, and
You must obtain consent to access and store these cookies.
Once you have these policies in place and the information is available to your users, obtaining consent can be as easy as having your users actively check a box that shows they consent to your data collection, usage and sharing, as well as to the storing and accessing of cookies.
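One way to wire the consent checkbox described above so that the page makes no request for the reCAPTCHA script, and so starts none of the cookie access or data collection listed earlier, until the user has actively ticked the box. This is an added example, not code from Google or from the original page; the function names and the storage key are hypothetical, and only the script URL is Google's loader address.

```javascript
// Added example: consent-gated loading of the reCAPTCHA script.
// RECAPTCHA_SRC is Google's loader URL; every other name is hypothetical.
const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";
const CONSENT_KEY = "recaptcha-consent"; // hypothetical storage key

// doc and storage are window.document and window.localStorage in a browser;
// passing them in keeps the gate testable without a DOM.
function createRecaptchaConsentGate(doc, storage) {
  let injected = false;

  function hasConsent() {
    return storage.getItem(CONSENT_KEY) === "granted";
  }

  // Inject the script tag at most once, and only when consent is on record.
  function loadIfConsented() {
    if (injected || !hasConsent()) return false;
    const script = doc.createElement("script");
    script.src = RECAPTCHA_SRC;
    script.async = true;
    doc.head.appendChild(script);
    injected = true;
    return true;
  }

  // Call from the checkbox's change handler with its checked state.
  function onCheckboxChange(checked) {
    if (checked) {
      storage.setItem(CONSENT_KEY, "granted");
      return loadIfConsented();
    }
    // Withdrawal: drop the stored consent. A script that is already loaded
    // keeps running until the next page load, so reload or disable the form.
    storage.removeItem(CONSENT_KEY);
    return false;
  }

  return { hasConsent, loadIfConsented, onCheckboxChange, isLoaded: () => injected };
}

// Browser wiring (the checkbox must start unchecked so consent is an active choice):
//   const gate = createRecaptchaConsentGate(document, localStorage);
//   gate.loadIfConsented(); // returning visitor who consented earlier
//   box.addEventListener("change", (e) => gate.onCheckboxChange(e.target.checked));
```
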