Google reCAPTCHA loads on forms and sends data to Google
reCAPTCHA (especially v3) loads on any page with a protected form, sets cookies and sends behavioural signals and the visitor’s IP to Google — often long before the visitor submits anything or accepts cookies.
Why it matters
reCAPTCHA sits in a grey area: fraud/abuse prevention can be a legitimate interest for the specific form it protects, but the common pattern of loading it site-wide on page load — including on pages with no form — is harder to justify and still transfers data to Google in the US (KVKK Art. 9 / GDPR Chapter V). The nuance is where it loads and why, not a simple yes/no.
How to fix it
Scope reCAPTCHA to the pages and moment it is actually needed: load the script only when the visitor focuses or interacts with the protected form, not on every page load. Disclose it in your privacy notice, and consider a privacy-respecting alternative (e.g. hCaptcha, Turnstile, or a self-hosted challenge) where cross-border transfer is a concern.
// Load reCAPTCHA lazily, only when the form is engaged
const form = document.querySelector('form#contact');
let loaded = false;
// Guard: pages without the contact form must not throw or load anything
if (form) {
  form.addEventListener('focusin', () => {
    if (loaded) return;
    loaded = true;
    // Inject the script tag on first interaction with the form
    const s = document.createElement('script');
    s.src = 'https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY';
    document.head.appendChild(s);
  }, { once: true });
}
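To find where the script still loads on page load, the check below classifies served HTML by whether it contains a static reCAPTCHA script tag and whether the page has a form at all. It is an added example, not code from the original page or from PrivaScan; `auditPage`, `auditSite` and the sample pages are hypothetical and constructed, and the pattern goes beyond the page's single URL by also matching the `recaptcha.net` host and `enterprise.js`. It assumes only markup in the HTML response is inspected, so scripts injected at runtime need a browser-based check.

```javascript
// Added example (not PrivaScan's code): static audit of served HTML for
// reCAPTCHA script tags that load at page load instead of on form interaction.
// Assumption: only markup present in the HTML response is inspected; scripts
// injected at runtime (e.g. by a tag manager) need a browser-based check.

// Matches <script ... src="...google.com/recaptcha/api.js..."> (also the
// recaptcha.net host and enterprise.js), i.e. a tag the browser fetches eagerly.
const EAGER_TAG =
  /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/(?:www\.)?(?:google\.com|recaptcha\.net)\/recaptcha\/(?:api|enterprise)\.js/i;
const FORM_TAG = /<form\b/i;

function auditPage(path, html) {
  // Drop HTML comments so commented-out tags are not reported.
  const markup = html.replace(/<!--[\s\S]*?-->/g, '');
  const eager = EAGER_TAG.test(markup);
  const hasForm = FORM_TAG.test(markup);
  let finding = 'ok';
  if (eager && hasForm) finding = 'eager-load-on-form-page'; // defer to focusin
  if (eager && !hasForm) finding = 'eager-load-no-form';     // remove the tag
  return { path, eager, hasForm, finding };
}

function auditSite(pages) {
  return Object.entries(pages)
    .map(([path, html]) => auditPage(path, html))
    .filter((r) => r.finding !== 'ok');
}

// Constructed sample pages (not taken from any real site).
const SAMPLE_PAGES = {
  '/about': '<html><head><script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script></head><body><p>About us</p></body></html>',
  '/contact-eager': '<html><head><script async src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script></head><body><form id="contact"></form></body></html>',
  '/contact-lazy': '<html><body><form id="contact"></form><script>const s = document.createElement("script"); s.src = "https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY";</script></body></html>',
  '/blog': '<html><body><!-- <script src="https://www.google.com/recaptcha/api.js"></script> --><p>Post</p></body></html>',
};

for (const r of auditSite(SAMPLE_PAGES)) {
  console.log(`${r.path}: ${r.finding}`);
}
```

A page that builds the script tag inside an inline loader, as in the snippet above, is reported as `ok` because the URL never appears as a static `src` attribute.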
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.