
Prevent google recaptcha setting a cookie (GDPR)

We have integrated with Google reCAPTCHA, and it sets some cookies with user data (an example cookie is NID). On the 25th of May, the GDPR will be live, and according to that law, a website cannot set any cookie without user consent. That seems to be problematic, as in the docs of Google reCAPTCHA there is no information on how to display it without a cookie being set. I don't believe that we are the only ones with that problem, so I truly believe that you can help me with our issues.

I will accept any help, links to docs, information about magic parameters which will prevent Google reCAPTCHA from setting the cookie, etc. I was digging for 2 days and I have found nothing. The only things I have found are the new Google cookie policy rules which will be live on the 25th of May, and information that if a user wants to block cookies, he should install the extension in his browser, which is not compliant with GDPR, I think.

Thank you.

Ma Kro asked May 20 '18 20:05


2 Answers

As far as I know, Google reCAPTCHA requires cookies, so I think you have 2 options:

  • A) forget Google and look for another, cookie-free captcha service (e.g. PHP solution with temp files)

  • B) enable Google reCAPTCHA only if the user allows cookies. (I did it on my website this way, because my point is that the captcha protects me. And I can tell this to my users, and I can tell them that site is only functional with those cookies.)


B) enabling Google reCAPTCHA only if user allows it

I suggest you place a cookie consent window on your website which implements the "opt-in" pattern, and add the reCAPTCHA script dynamically. You have to use a cookie to store the user's decision. Your script should do the following on page load:

  1. Check if your cookie exists with value "allow"
  2. If it does, add reCAPTCHA script
  3. Otherwise, display the cookie consent window
  4. Add a click event handler for the "Allow" button, which
    1. Adds your cookie with value "allow" and some expiration
    2. Adds reCAPTCHA script
    3. Hides cookie consent window

You can use for example the js-cookie library to manipulate cookies easily:

Cookies.set('your-cookie', 'allow', { expires: 365 }); // 365 days

if ('allow' == Cookies.get('your-cookie')) { /* ... */ }

And you can add reCAPTCHA script dynamically this way:

var script = document.createElement('script');
script.src = 'https://www.google.com/recaptcha/api.js';
document.body.appendChild(script);

The cookie consent window is not that hard to implement by hand, but you can also use e.g. Cookie Consent by Insites; it helps you create opt-in too.

Don't forget to write a cookie policy and include information about reCAPTCHA.

juzraai answered Sep 19 '22 21:09
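The page-load procedure from the answer above, put together as an added example that is not part of the original answer. It reads `document.cookie` directly instead of using js-cookie, and the element ids `#cookie-consent` and `#cookie-allow` are assumptions.

```javascript
// Added example: opt-in gate for reCAPTCHA. Element ids are hypothetical.
const CONSENT_COOKIE = 'your-cookie'; // cookie name used in the answer
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js';

// Exact match on the cookie pair; a substring test would also accept
// "not-your-cookie=allow" or "your-cookie=allowed".
function hasConsent(cookieString) {
  return cookieString.split(';').some(function (pair) {
    return pair.trim() === CONSENT_COOKIE + '=allow';
  });
}

// Append the script once; repeated calls must not load it twice.
function loadRecaptcha(doc) {
  if (doc.querySelector('script[src="' + RECAPTCHA_SRC + '"]')) return false;
  const script = doc.createElement('script');
  script.src = RECAPTCHA_SRC;
  script.async = true;
  doc.body.appendChild(script);
  return true;
}

// Steps 1-4: check the cookie, otherwise show the banner and wait for "Allow".
// Include this file at the end of <body> so both elements already exist.
function initConsentGate(doc) {
  if (hasConsent(doc.cookie)) {
    loadRecaptcha(doc);
    return 'loaded';
  }
  const banner = doc.querySelector('#cookie-consent');
  const allow = doc.querySelector('#cookie-allow');
  banner.hidden = false;
  allow.addEventListener('click', function () {
    const maxAge = 365 * 24 * 60 * 60; // 365 days, in seconds
    // Secure assumes the site is served over HTTPS.
    doc.cookie = CONSENT_COOKIE + '=allow; Max-Age=' + maxAge +
      '; Path=/; SameSite=Lax; Secure';
    loadRecaptcha(doc);
    banner.hidden = true;
  });
  return 'waiting';
}

// Run in a browser only; under Node there is no document.
if (typeof document !== 'undefined') {
  initConsentGate(document);
}
```

Until the visitor clicks "Allow", no request goes to the reCAPTCHA host, so forms that depend on the captcha need a fallback for visitors who decline.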


According to Google's FAQ, if you use the www.recaptcha.net domain instead of the www.google.com domain, you will only get one cookie called _GRECAPTCHA. I reckon this can be classed as an essential cookie, thus not requiring consent according to EU law (though it would be prudent to check with a legal expert, which I'm not).

Martin Brown answered Sep 18 '22 21:09