GDPR and Captcha


What is GDPR

GDPR, The General Data Protection Regulation is an EU law on personal data protection for individuals and citizens of the European Union and the European Economic Area. It also addresses the export of personal data outside the EU.

It covers informed consent, personal data processing internal governance and reporting. GDPR also encodes the fundamental privacy and personal data rights of EU citizens as,

  • Right to be Informed and Consent

  • Right of Access

  • Right to Rectification (correction)

  • Right of Erasure

  • Right of Data Portability



How does GDPR Apply to Captcha

Any service that is able to identify individuals or infer personal identity and tracks their activities are potentially governed by the GDPR regulation (technically only in EU or for EU Citizens).

Free captcha services that monetize via advertisement by nature requires the tracking and harnessing of user activities online often without explicit and informed consent making them legally problematic.

Other captcha services that leverages pre-existing knowledge of user identity to infer human vs bot, such as Google reCaptcha which leverages Google Accounts info are bound by GDPR as well and may require additional compliance burden including explicit Data Processing Agreements.

The fact a captcha service by nature recognizes the hosted website and URL (activity), as well as the end user IP addresses (identity) implies tracking and privacy concerns, including GDPR.

MTCaptcha and GDPR


MTCaptcha is designed from the grounds up to be privacy sensitive. Fundamentally MTCaptcha captcha service does not collect or track any personal identifiable information at all, mitigating privacy concerns and minimizing compliance cost.

MTCaptcha non-reversibly anonymizes end user internet IP addresses. Cookies are used as a technology to help evaluate bot risk, though cookies are not used for individual tracking and does not contain any implicit or explicit personal identifiers.

The widget also includes clear privacy and terms to insure users are well informed. Since no personal information is tracked or stored, privacy and data consent becomes irrelevant and not needed.

Data is always encrypted both in transit and at rest. Explicit privacy protecting processes and policies are in place in adherence to GDPR requirements.

Captcha and Website Profiling

image from

image from

Individual privacy concerns aside, captcha services can also be a source of website profiling. The data collected via captcha can help analyse site popularity, customer geography and infer trends and market intelligence. This can be a concern for application providers as well as security sensitive customers.

MTCaptcha has clear data policies in place to never sell, share or make accessible our customers data, so that our customer always have full control and confidence.