Heiko Mamerow

Web development with WordPress

Switch from reCAPTCHA to hCaptcha for GDPR

With the judgment of the Regional Court München of 20.01.2022 it was made clear that in Germany Google Fonts may no longer be embedded remotely without the consent of the user.

Therefore it is best to load the fonts locally. This means the fonts need to be stored in the same location where the website is running. From a technical point of view this is easy to implement, and my experience has shown that it also results in better web performance.

It is worth checking your websites carefully for anything that is still being loaded from external sources. A GDPR pitfall can be services that are integrated via iframe, such as Google's reCAPTCHA or Google Maps.

reCAPTCHA is more or less the standard for Turing tests on forms and is therefore very common. If you are already in the process of ridding your website of remote Google Fonts, you will have to deal with reCAPTCHA as well.

What is the problem with reCAPTCHA and GDPR?

Google's reCAPTCHA loads Google Fonts via CDN. It injects the fonts, as well as all of its other files, inside an iframe. Therefore you have no access to these files or their data and you cannot control them. Ergo you have a "GDPR problem" in Germany with reCAPTCHA.

Highlighted in red: Google Font from CDN with domain fonts.gstatic.com.

What are the alternatives?

There are a few other CAPTCHAs you can use, or alternatively you can do without one altogether.

The latter may not sound so reassuring. But it's worth looking at what actually happens when no CAPTCHA is used. I've found that for lesser-known websites/domains, not much more spam came in than the CAPTCHA had removed. Furthermore, additional methods such as honeypots can also be used to combat spam.

I did a little research into good alternatives to reCAPTCHA. In the end, there were a few serious candidates for me.

The winner (but not the nicest solution): hCaptcha

hCaptcha is currently the CAPTCHA system of my choice. Like reCAPTCHA, it injects its code inside an iframe. But this code seems to be GDPR-compliant:

  1. No external Google Font.
  2. Complies with GDPR.

Example of hCaptcha

It serves its purpose, but I am not completely satisfied with hCaptcha, because there is only a very limited possibility to adjust the layout: you can only choose between a light or a dark theme. That's all. You cannot even customize the color.

Better alternative, but limited: Friendly Captcha

Friendly Captcha could definitely be the better choice. It doesn't come with an iframe, and therefore you can adapt the layout very well to the style of the website.

EU endpoints only with professional plan.

So far so good, but unfortunately there is one big restriction: with the basic plan accounts, operation is only carried out via servers in the USA, while a restriction to EU servers is only possible with the professional plans. Professional plans start, at the time of writing, at 200€/mo.

How to switch to hCaptcha

Register hCaptcha Account

First of all you (or your client) need an account on https://www.hcaptcha.com/. Fortunately this is a simple formality and in most cases should not cause any costs, because hCaptcha is free to use for publishers of any size.

After you have registered you immediately get two codes: sitekey and secret.

There is one option to take care of: you can set the level of difficulty for the CAPTCHA.

Easy is hard enough.

In my experience, it is best to set the difficulty to the easiest level. Otherwise you frustrate the users too much. The check is apparently much more sensitive and difficult to solve than with reCAPTCHA.

Bring hCaptcha to your website

You need a plugin like hCaptcha for WordPress. This plugin supports a huge number of forms and plugins. Of course you can also use it for your custom hand-coded forms.

Once you have installed and activated the plugin, go to its settings and add the sitekey and secret. That's it. Now you can use hCaptcha.
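For the custom hand-coded forms mentioned above, here is an added example (not code from this post or from the hCaptcha for WordPress plugin) of both halves of the integration in a WordPress theme or plugin: the widget markup, which only ever contains the sitekey, and the server-side check of the posted token against hCaptcha's siteverify endpoint, which is where the secret is used. It assumes the secret is defined as the constant HCAPTCHA_SECRET in wp-config.php and that the form's action is named hm_contact; both names are assumptions.

```php
<?php
// Added example (not from the post or the hCaptcha for WordPress plugin). Assumes the
// secret is defined in wp-config.php as HCAPTCHA_SECRET; only the sitekey reaches the browser.
function hm_hcaptcha_widget( string $sitekey ): string {
    return '<script src="https://js.hcaptcha.com/1/api.js" async defer></script>'
        . '<div class="h-captcha" data-sitekey="' . esc_attr( $sitekey ) . '"></div>';
}

// Server-side half: ask hCaptcha whether the token the widget posted is valid.
function hm_verify_hcaptcha( string $token, string $expected_host ): bool {
    if ( '' === $token || ! defined( 'HCAPTCHA_SECRET' ) ) {
        return false; // no token (widget removed from the form) or misconfigured site
    }
    $response = wp_remote_post(
        'https://api.hcaptcha.com/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => HCAPTCHA_SECRET,
                'response' => $token,
                'remoteip' => $_SERVER['REMOTE_ADDR'] ?? '',
            ),
        )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false; // fail closed: an unreachable verifier must not let spam through
    }
    $result = json_decode( wp_remote_retrieve_body( $response ), true );
    // Require success AND that the challenge was solved on this site's hostname,
    // so a token solved on some other site cannot be replayed against this form.
    return is_array( $result )
        && true === ( $result['success'] ?? false )
        && ( $result['hostname'] ?? '' ) === $expected_host;
}

// Form handler (assumed form action "hm_contact"); the widget posts its token
// in the field h-captcha-response. Verify before doing anything with the data.
add_action( 'admin_post_nopriv_hm_contact', 'hm_handle_contact_form' );
add_action( 'admin_post_hm_contact', 'hm_handle_contact_form' );
function hm_handle_contact_form(): void {
    $token = sanitize_text_field( wp_unslash( $_POST['h-captcha-response'] ?? '' ) );
    $host  = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    if ( ! hm_verify_hcaptcha( $token, $host ) ) {
        wp_die( esc_html__( 'CAPTCHA check failed, please try again.', 'hm' ), 403 );
    }
    // ... process the submitted message here ...
    wp_safe_redirect( add_query_arg( 'sent', '1', wp_get_referer() ?: home_url() ) );
    exit;
}
```

Echo `hm_hcaptcha_widget( $sitekey )` inside the form just before the submit button; the hostname comparison will not match on a local development host, so test it against the real domain.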

PS: Don’t forget to deactivate your old reCAPTCHA. 😉

PPS: Of course I am not a lawyer and I can't give you legal certainty.
