29 June 2019
This requirement from CalOPPA is mandatory even if the website does not collect personal data directly but instead uses and/or integrates third parties, such as the reCAPTCHA in this case.
First, let's see why personal information is collected through reCAPTCHA.
How "Invisible Captcha" Works
Invisible Captcha, or reCAPTCHA, requires end-users to click a button that says "I'm not a robot". Google can then determine whether to prompt the user with an additional question (e.g. select pictures that best describe X) to verify that the person is in fact not a robot.
reCAPTCHA collects personal information from users to determine whether they are human and not a bot.
So, what personal information does the reCAPTCHA collect?
First, the reCAPTCHA algorithm will check to see if there's a Google cookie placed on the computer being used.
Then, an additional reCAPTCHA-specific cookie will be added to the user's browser, and a complete snapshot of the user's browser window at that moment in time will be captured, pixel by pixel.
Some of the browser and user information collected at this time includes:
As mentioned earlier, Google's Terms of Service for reCAPTCHA require websites that use reCAPTCHA to include "any necessary notices or consents for the collection and sharing of the data with Google."
Before you can implement reCAPTCHA on your website, you have to agree to "explicitly inform visitors to your site that you have implemented the Invisible reCAPTCHA on your site."
EU User Consent requirement
When users in the EU are presented with your reCAPTCHA and have their personal information collected during authentication, you must follow Google's special EU User Consent Policy.
This consent policy has a few requirements:
Once you have these policies in place and the information is available to your users, obtaining consent can be as easy as having your users actively check a box that shows they consent to your data collection, usage and sharing, as well as to the storing and accessing of cookies.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.