19

We have integrated with Google reCAPTCHA, and it sets some cookies with user data (an example cookie is NID). On 25th of May, the GDPR will be live, and according to that law, a website cannot set any cookie without user consent. That seems to be problematic, as in the docs of Google reCAPTCHA there is no information on how to display it without a cookie being set. I don't believe that we are the only ones with that problem, so I truly believe that you can help me with our issues.

I will accept any help, links to docs, information about magic parameters which will prevent Google reCAPTCHA from setting the cookie, etc. I was digging for 2 days and I have found nothing. The only things I have found are the new Google cookie policy rules which will be live on 25th of May, and information that if a user wants to block cookies, he should install the extension in his browser, which is not compliant with GDPR I think.

Thank you.

Ma Kro
  • Consent is one of six lawful grounds for processing data. It may be arguable that anti-spam measures such as reCaptcha can fall under "legitimate interests" (ie you don't need to ask for consent) – poshest Nov 28 '18 at 12:14
  • 1
    Sure, anti-spam measures such as a CAPTCHA would certainly fall under "legitimate interests". But would targeting cookies? The gotcha with reCAPTCHA is that this legitimate-interest, quite-necessary-in-today's-world feature is inextricably _bundled_ with unwanted and unrelated Google targeting (https://cookiepedia.co.uk/cookies/NID) cookies (`_ga`, `_gid` for v2; `NID` for v3). Bleh, Google: You should provide an option to use reCAPTCHA *without* the cookies. As it is, you've given me and others no choice but to ditch reCAPTCHA. – Tyler Rick May 09 '20 at 00:17
  • Google reCAPTCHA requires cookies, but they are not only used to check whether the poster is a robot. You may try to ask the user for permission at the form (and then enable reCAPTCHA) or even say that by pressing the *SEND* button you allow Google cookies and enable reCAPTCHA on the fly. I have not tried this, but pressing a button and stating what happens is a valid way to get permission from the user. You also have to give an alternative way for the user to post; so you may try to turn the form page into a message with an email address to write to (if the proper cookies are not allowed). – Javier Elices Nov 12 '20 at 15:38
  • *"website cannot set any cookie without user consent"* this is not true. You can set cookies that are solely functionally required for the correct operation of the site. – user229044 Jan 05 '22 at 15:51

3 Answers

11

As far as I know, Google reCAPTCHA requires cookies, so I think you have 2 options:

  • A) forget Google and look for another, cookie-free captcha service (e.g. PHP solution with temp files)

  • B) enable Google reCAPTCHA only if the user allows cookies. (I did it on my website this way, because my point is that the captcha protects me. And I can tell this to my users, and I can tell them that site is only functional with those cookies.)


B) enabling Google reCAPTCHA only if user allows it

I suggest you place a cookie consent window on your website which implements the "opt-in" pattern, and add the reCAPTCHA script dynamically. You have to use a cookie to store the user's decision. Your script should do the following on page load:

  1. Check if your cookie exists with value "allow"
  2. If it does, add reCAPTCHA script
  3. Otherwise, display the cookie consent window
  4. Add a click event handler for the "Allow" button, which
    1. Adds your cookie with value "allow" and some expiration
    2. Adds reCAPTCHA script
    3. Hides cookie consent window

You can use for example the js-cookie library to manipulate cookies easily:

```javascript
Cookies.set('your-cookie', 'allow', { expires: 365 }); // 365 days

if ('allow' == Cookies.get('your-cookie')) { /* ... */ }
```

And you can add reCAPTCHA script dynamically this way:

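```javascript
// Create the <script> element only once consent exists, so nothing is
// requested from Google before that point.
var script = document.createElement('script');
script.src = 'https://www.google.com/recaptcha/api.js';
document.body.appendChild(script);
```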

The cookie consent window is not that hard to implement by hand, but you can also use e.g. Cookie Consent by Insites, it helps you create opt-in too.

Don't forget to write a cookie policy and include information about reCAPTCHA.

juzraai
  • 1
    Sorry, but it's not what I asked for. Hiding reCAPTCHA when the user didn't agree to cookies is something that everyone knows they can do. Many 3rd parties have some magic parameter which blocks the cookie, but doesn't block the functionality of the element, and I'm looking for something like that. For example, the Brightcove player has a data attribute. Video is working, cookies are not set. I'm looking for something like that. – Ma Kro Jun 16 '18 at 23:34
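The opt-in procedure from the answer above (steps 1 to 4), written out as one script without the js-cookie dependency. This is an added example, not code from the original answer; the cookie name `recaptcha-consent`, the element ids `cookie-banner` and `cookie-allow`, and the function names are assumptions, as is a site served over HTTPS (the consent cookie is set with `Secure`).

```javascript
// Added example: consent-gated loading of reCAPTCHA (opt-in pattern).
// CONSENT_COOKIE, the element ids and the function names are hypothetical.
const CONSENT_COOKIE = 'recaptcha-consent';
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js';

// Read one cookie value from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Inject the reCAPTCHA script once; returns true if this call added it.
function loadRecaptcha(doc) {
  if (doc.querySelector(`script[src="${RECAPTCHA_SRC}"]`)) return false;
  const script = doc.createElement('script');
  script.src = RECAPTCHA_SRC;
  script.async = true;
  doc.body.appendChild(script);
  return true;
}

// Steps 1-4: nothing is requested from Google until an explicit "allow".
function initRecaptchaConsent(doc, banner, allowButton) {
  if (readCookie(doc.cookie, CONSENT_COOKIE) === 'allow') {
    banner.hidden = true;
    loadRecaptcha(doc);
    return 'loaded';
  }
  banner.hidden = false;
  allowButton.addEventListener('click', () => {
    const maxAge = 365 * 24 * 60 * 60; // one year, in seconds
    doc.cookie = `${CONSENT_COOKIE}=allow; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
    loadRecaptcha(doc);
    banner.hidden = true;
  }, { once: true });
  return 'awaiting-consent';
}

// Browser wiring (skipped when no DOM is present).
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    initRecaptchaConsent(document,
      document.getElementById('cookie-banner'),
      document.getElementById('cookie-allow'));
  });
}
```

Any form protected by reCAPTCHA should stay disabled, or offer another contact route, while the function reports `'awaiting-consent'`.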
6

According to Google's FAQ if you use the www.recaptcha.net domain instead of the www.google.com domain you will only get one cookie called _GRECAPTCHA. I reckon this can be classed as an essential cookie, thus not requiring consent according to EU law (though it would be prudent to check with a legal expert, which I'm not).

Martin Brown
1

> According to Google's FAQ if you use the www.recaptcha.net domain instead of the www.google.com domain you will only get one cookie called _GRECAPTCHA. I reckon this can be classed as an essential cookie, thus not requiring consent according to EU law (though it would be prudent to check with a legal expert, which I'm not).

Thanks @Martin Brown: this helped me for the cookie consent solution from https://www.cookieyes.com/

induk
  • Please don't add "thank you" as an answer. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation), you will be able to [vote up questions and answers](https://stackoverflow.com/help/privileges/vote-up) that you found helpful. - [From Review](/review/late-answers/33107751) – Harrison Nov 11 '22 at 10:10