Skip to main content
All guides
Moderate KVKK m.5 · GDPR Art. 6 · Chapter V (transfers) · Anti-fraud

Google reCAPTCHA loads on forms and sends data to Google

reCAPTCHA (especially v3) loads on any page with a protected form, sets cookies and sends behavioural signals and the visitor’s IP to Google — often long before the visitor submits anything or accepts cookies.

Why it matters

reCAPTCHA sits in a grey area: fraud/abuse prevention can be a legitimate interest for the specific form it protects, but the common pattern of loading it site-wide on page load — including on pages with no form — is harder to justify and still transfers data to Google in the US (KVKK Art. 9 / GDPR Chapter V). The nuance is where it loads and why, not a simple yes/no.

How to fix it

Scope reCAPTCHA to the pages and moment it is actually needed: load the script only when the visitor focuses or interacts with the protected form, not on every page load. Disclose it in your privacy notice, and consider a privacy-respecting alternative (e.g. hCaptcha, Turnstile, or a self-hosted challenge) where cross-border transfer is a concern.

<!-- Load reCAPTCHA lazily, only when the form is engaged -->
const form = document.querySelector('form#contact');
let loaded = false;
form.addEventListener('focusin', () => {
  if (loaded) return;
  loaded = true;
  const s = document.createElement('script');
  s.src = 'https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY';
  document.head.appendChild(s);
}, { once: true });

Does your site have this issue?

Run a free scan to find out in seconds.

Official sources

Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.

Related guides

These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.