Google reCAPTCHA v3 vs Cloudflare Turnstile
The default everyone's leaving vs the default everyone's moving to. Accuracy gap, privacy gap, the one case for sticking with reCAPTCHA.
reCAPTCHA v3 is the most accurate CAPTCHA in the world. It has Google's behavioral dataset behind it, which is roughly the size of every other CAPTCHA's dataset combined. Turnstile is the most privacy-respecting CAPTCHA in the world that doesn't require self-hosting. The gap between them on accuracy is real but narrowing; the gap on privacy is not closing.
What reCAPTCHA actually does
reCAPTCHA v3 returns a 0.0 to 1.0 score per request based on Google's behavioral analysis of the visitor. You write code that interprets the score (typically 0.5 is the threshold). The score considers cursor movement, time on page, IP reputation, Google account state, browsing history from other Google-connected sites, and dozens of other signals. The accuracy comes from the breadth of that signal set.
What Turnstile does differently
Turnstile gives you a pass/fail, not a score. Internally it runs a similar set of checks (TLS fingerprint, request timing, IP reputation, browser challenge) but it does not use cross-site browsing history because Cloudflare doesn't have that. The accuracy is roughly 90-95% of what reCAPTCHA v3 achieves, which is good enough for nearly every public-facing form. Where reCAPTCHA still pulls ahead is on highly targeted attacks against the largest sites (banking, ticket resale, account takeover at scale), because Google's cross-site signal helps there.
The privacy gap
reCAPTCHA v3 sends every visitor's behavioral data to Google, even visitors who aren't logged into Google. Several EU regulators have ruled against using reCAPTCHA without explicit consent. CNIL fined a French agency for it. Turnstile sends a much smaller payload to Cloudflare, doesn't set cookies, and Cloudflare's business model doesn't depend on monetizing that data.
When to keep reCAPTCHA
Specifically: financial signup flows where a single fake account costs hundreds of dollars in fraud, account takeover prevention for sites with millions of users, and any case where you've tuned the 0.0-1.0 score threshold and need that precision. For comment forms, contact forms, newsletter signups, and the vast majority of public web forms, Turnstile is now the better default.