Switching Google’s role with reCAPTCHA from Data Controller to Data Processor

Traveling for vacation 

So, we don’t link to Google’s terms or privacy policy, but the RECAPTCHA widget itself has links to those documents. Do we assume that those links will go away on or prior to April 2nd, 2026?

(And Kudos for not doing the change on Apr 1, and we can all see why...) 😃

I have the same question.

I have the same question as well

What is the return outcome if the privacy and terms reference links remain in use after April 2, 2026? will they simply be broken links?  

If there are some websites that are still referencing Google’s Privacy and Terms, will it be a a problem?
What should we put instead, what is recommended?

Same question.

Will the documentation in FAQs be updated? 

https://developers.google.com/recaptcha/docs/faq#id-like-to-hide-the-recaptcha-badge.-what-is-allowed

So are you saying our websites assume the role of Data Controller?

May I ask about references to this Privacy Policy and Terms of Service?

Does this refer to cases where you display the reference links yourself?
(It doesn't mean the links automatically displayed when reCAPTCHA is invoked, right?)

This looks like the next level of captcha protection.

I just looked for the way more faster to faund mi question 

I am 51 year old man I just looked for fastest way to go 

Thanks for the all comments.

1. Google’s Privacy Policy and Terms of use are referenced in the reCAPTCHA badge and some customers reference them on their website. We will remove those references from the reCAPTCHA badge starting April-2. We are asking customers who have linked those references  in their websites to remove them as well after April-2. 
2. Google’s privacy policy and Terms of use are not applicable for reCAPTCHA starting April-2. That said, those links will still be active covering other Google products. If you have those references on your website, we recommend you to remove those links as those are not applicable starting from April-2. 
3. Yes, the customer is a data controller.
4. We will update the FAQs link before April-2. 

I have the same question

Thanks for the update. A few questions remain still:

1. Up until now, we were only allowed to hide the reCAPTCHA badge, if we linked to Google’s Privacy Policy and Terms of use on the website. How is this handled now? Are we allowed to still hide the badge, even if we remove the links to Google’s Privacy Policy and Terms of use?
2. Are there any consequences/”punishments” if those links are not removed in time?
3. Is it okay to remove them now or do we need to wait for April 2? We have many client websites to go through and adjust and that will take some time, so I’d prefer doing this early if possible.

Thanks in advance!

Good to know ahead of time. Will new documentation be available prior to the change as well?

I’m using Google recaptcha v2 with checkbox, so after 2 April, 2026, the badge with text Privacy - Terms will be removed from UI like this. is it right?

You wrote: 

• Customer control: Your users’ personal data gathered at your web and mobile surfaces will be processed by reCAPTCHA in accordance with your instructions.

Please let me know how a user can impose instructions on Google, given that the agreement between the user (data controller) and Google (data processor) is written by Google and can only be accepted as is by the data controller.

best regards.

Cambio de rol: ¿Traslado de responsabilidad o verdadero empoderamiento del cliente? No creo..!!!

El anuncio del cambio de Google reCAPTCHA a "Procesador de Datos" es significativo y genera profundas inquietudes que trascienden la simple actualización de enlaces en nuestros sitios web.

Google destaca que nosotros, los propietarios de sitios web, nos convertimos en los "Controladores de Datos". Sin embargo, esta etiqueta parece venir cargada más de responsabilidades legales que de control real.

Las interrogantes clave que Google debe aclarar son:

1. ¿Dónde está realmente nuestro "control"? Si como Controladores debemos dar "instrucciones" a Google (el Procesador), ¿en qué parte del Anexo de Procesamiento de Datos en la Nube o de las Condiciones de GCP podemos modificar sustancialmente cómo se procesan los datos? ¿O nuestras "instrucciones" se limitan únicamente a implementar o no el script en nuestra página?

2. Responsabilidad desequilibrada: Asumimos la plena responsabilidad legal ante los usuarios y las autoridades por un procesamiento que ocurre en servidores de Google, con algoritmos de Google, bajo términos redactados exclusivamente por Google. ¿Qué garantías tangibles ofrece Google de que este modelo no deja a los clientes (ahora Controladores) en una posición de indefensión legal y técnica?

3. La falacia de la desconexión: Eliminar los enlaces a la Política de Google del widget no borra la realidad: los datos siguen fluyendo a Google. Este cambio parece más un ejercicio de relabeling legal para distanciar a Google de la responsabilidad directa ante el usuario final, que una transformación genuina que empodere al cliente.

4. ¿Y las auditorías? Como Controladores, debemos poder auditar a nuestros Procesadores. ¿El proceso para que un cliente audite las prácticas de procesamiento de datos de reCAPTCHA será accesible, ágil y sin costes prohibitivos?

Conclusión:
Celebraríamos un cambio que nos diera transparenencia y control real. Lo que se percibe aquí es un intento de que Google se lave las manos frente al usuario final, trasladando la pesada carga del cumplimiento normativo a los clientes, mientras retiene el control definitivo sobre el diseño, la operación y los términos del servicio.

Antes del 2 de abril de 2026, necesitamos aclaraciones contundentes, no sobre cómo eliminar enlaces, sino sobre cómo Google garantizará que esta nueva responsabilidad que nos imponen está respaldada por un poder de decisión y supervisión real y efectivo por nuestra parte.

Esperamos la respuesta de Google.

I have the same question

I’m using Google recaptcha v2 with checkbox, so after 2 April, 2026, the badge with text Privacy - Terms will be removed from UI like this. is it right?

 

I have the same question as well

Background

Here are some theoretical and legal thoughts:

​I’m a European data protection officer. I am aware that Google has to implement a solution that suits other jurisdictions, too. Here’s my personal opinion according responsibilities based on European legislation (GDPR, but also ePrivacy directive).

There are three models of legally assigning responsibility in a case where an organization uses a Google service such as reCAPTCHA. This should be applicable independent of the jurisdiction:

1. each party is responsible*
2. only one party is responsible*
3, both parties are jointly responsible*

* restricted to what they do with the service and the data it processes

1. is the old model: Google is responsible. Users need to agree to Google terms, thus the links in the banner. So the organization using the service forces users to enter into an agreement with a 3rd party. Google may use the data according to these terms and change them without the organization knowing. The organization did not have a contract that allowed them to take responsibility for using that service, e.g. on their website.

The criticism from European data protection authorities was the uncertainty about whether or not Google uses the data received for purposes that exceed the functionality desired by the organization using reCAPTCHA, like using IP/time/verification status for other Google products.

In my opinion, to resolve the criticism, it would have been sufficient to clearly state which party is responsible and to assure the organizations as part of a controller-to-controller contract that Google does not use insights gained by reCAPTCHA for anything else than what the organization knows about. That would still leave the “force user into entering terms with google” issue.

2. is the new model: “organization as controller, Google as processor”. It strives to solve all issues described before. Since Google enters into a contract with the organization, Google henceforth is bound to the instructions given by that organization. But Google cannot provide a standardized industry leading free of charge service it it were bound to instructions from different organizations. So the in contract (data protection agreement) Google will state what it does and how: service and data description, security measures, subprocessors and the legal framework.

3. would mean that Google and the organization “jointly determine the purposes and means of processing” (GDPR Art. 26). I don’t share the opinion of some data protection professionals that reCAPTCHA is a case for shared responsibility. Yes, there is ECU ruling C-210/16 on Facebook fan pages from 2018 but recent national rulings focus on the circumstances of the processing and don’t see a joint responsibility. Personally, I would only see a joint responsibility if the parties would actually discuss how to process and use personal identifiable information. That is clearly not the case for reCAPTCHA.

Remaining questions

So, thank you for that change, Google. I think it’s better than before. But there’s a downside not (yet?) addressed or asked about here: The contract.

Assume an organization that does not use any Google services yet, so it has not entered into any contracts or agreed to any terms with Google yet.

​@Sheik What would that organization legally need to do to use reCAPTCHA?

Would it need to enter into the Google Cloud Terms which the Google Cloud DPA is part of? These terms are huge and consist of many documents and cross references. From the organizations compliance point of view that would mean that they must check them all once, agree to all of them, and henceforth monitor changes. Or is or will be there a “light version” if an organization wants to use just reCAPTCHA?

Hi ​@Sheik and team! One question from my end is the impact of this change in terms of the reCAPTCHA cookie (`_grecaptcha`). I’m linking to the Google data privacy policy in my cookie details, which sounds like it should be changed, but is it correct to assume that this cookie will still exist? Any changes to the nature of the cookie itself?

​@Sheik 

1. If there are some websites that are still referencing Google’s Privacy and Terms, will it be a a problem?
2. What should we put instead, what is recommended?