CAPTCHA and GDPR: 2026 State of Play
Which CAPTCHAs are safe to deploy in the EU without a consent banner, which require disclosure, and which need active consent. May 2026 update.
GDPR doesn't ban any specific CAPTCHA by name. But the regulation's interaction with how each CAPTCHA processes data has produced a clear hierarchy of risk in 2026. If you serve EU traffic, your CAPTCHA choice affects your compliance burden.
The legal framework, in one paragraph
GDPR requires a lawful basis for processing personal data, with consent being one option but legitimate interest being another. CAPTCHAs that collect data for security purposes can claim legitimate interest under Article 6(1)(f), but only if the data collection is proportionate to the security goal. If a CAPTCHA collects more data than needed for security, for example by feeding visitor behavior to a third party for ad personalization, the legitimate interest claim weakens and consent becomes required.
CAPTCHAs that need active consent
- Google reCAPTCHA v2 and v3: Multiple EU enforcement actions (CNIL 2022, German DPA 2023, Italy 2024) have ruled that reCAPTCHA's data transfer to Google requires explicit consent, not legitimate interest. If you use reCAPTCHA in the EU, you need a cookie banner that mentions Google's processing and gives users a real opt-out.
- hCaptcha Publisher tier (with labeling): The 2024 Bavarian DPA opinion classified CAPTCHA image labeling as a separate data processing activity from security, requiring its own legal basis. Active consent is the safest path.
CAPTCHAs that need disclosure but not active consent
- hCaptcha Pro tier: No labeling work means the data collection is limited to security purposes. Listed in your privacy policy, no consent banner required, legitimate interest covers the processing.
- Cloudflare Turnstile: Cloudflare processes minimal data (IP, TLS fingerprint, request timing) for the specific security purpose of identifying bots. Listed in your privacy policy with Cloudflare named as a processor, no consent banner needed. The processor agreement is available from Cloudflare.
- Arkose Labs: Similar to Cloudflare: data processing is for security, so disclosure in your privacy policy is enough. Note this assumes you're a customer (it's enterprise-only).
CAPTCHAs that need almost nothing
- Friendly Captcha: EU-hosted, no cookies, no personal data leaves the visitor's browser beyond a hash result. Most legal opinions classify this as not processing personal data at all under GDPR. Mention in your privacy policy is good practice but not required.
- ALTCHA self-hosted: All processing happens on your infrastructure. If you don't process EU visitor data elsewhere, there's nothing to disclose specifically for ALTCHA. You're operating your own first-party security measure.
- mCaptcha self-hosted: Same as ALTCHA: self-hosted, with no third-party processor involved.
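To make concrete what "no personal data leaves the visitor's browser beyond a hash result" and "all processing happens on your infrastructure" mean for this class of CAPTCHA, here is an added example of a first-party proof-of-work check in Python. It is not ALTCHA's or mCaptcha's actual protocol or code; the server key, the `salt:number` hash layout and the JSON field names are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side HMAC key (constructed here; load it from a secret store in practice).
SERVER_KEY = secrets.token_bytes(32)

def _sign(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(difficulty_bits: int = 16, ttl_seconds: int = 120,
                    now: Optional[float] = None) -> dict:
    """Server: a challenge is a random salt, the difficulty, an expiry and an
    HMAC over those fields. Nothing about the visitor (IP, cookie, UA) is in it."""
    now = time.time() if now is None else now
    body = {"salt": secrets.token_hex(16), "difficulty_bits": difficulty_bits,
            "expires": int(now) + ttl_seconds}
    return {**body, "sig": _sign(body)}

def _hash_ok(salt: str, number: int, difficulty_bits: int) -> bool:
    # Proof of work: SHA-256("salt:number") must begin with difficulty_bits zero bits.
    digest = hashlib.sha256(f"{salt}:{number}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0

def solve_challenge(challenge: dict) -> int:
    """Browser side (simulated here): brute-force the number. The only data the
    visitor sends back is this integer plus the challenge it was handed."""
    number = 0
    while not _hash_ok(challenge["salt"], number, challenge["difficulty_bits"]):
        number += 1
    return number

def verify_solution(challenge: dict, number: int,
                    now: Optional[float] = None) -> bool:
    """Server: stateless verification. Checks the HMAC (the challenge is ours and
    unmodified), the expiry, then the hash. A production deployment would also
    record used salts until they expire so a solution cannot be replayed."""
    now = time.time() if now is None else now
    body = {k: v for k, v in challenge.items() if k != "sig"}
    if not hmac.compare_digest(_sign(body), str(challenge.get("sig", ""))):
        return False
    if now > body["expires"]:
        return False
    return _hash_ok(body["salt"], number, body["difficulty_bits"])
```

Everything the server needs to decide is in the challenge it signed and the number the browser returns, which is why this flow involves no third-party processor and nothing identifying the visitor.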
Practical advice for EU traffic
If you have any meaningful EU traffic and you're using reCAPTCHA, switching to Cloudflare Turnstile or Friendly Captcha drops your compliance burden significantly. The migration is straightforward. The consent banner that mentions Google's reCAPTCHA processing also costs you conversion (every banner does); removing it improves UX and conversion alongside the privacy win.
If you have heavy EU compliance concerns (financial services, healthcare, government), Friendly Captcha or self-hosted ALTCHA is the cleanest path. Both let you say "no third-party CAPTCHA processor handles EU visitor data" without caveats.
If you're a US-only site that occasionally gets EU traffic, the compliance pressure is real but not as urgent. Most DPAs prioritize sites that actively target EU users. Turnstile remains a fine choice and lowers risk without requiring a full GDPR audit.
The pattern across all of these: choose the CAPTCHA that processes the minimum data needed for security, and the GDPR question shrinks. Choose one that processes broader behavioral data for non-security purposes, and the GDPR question grows.