On September 13, 2024 (Case W298 2274626-1/8E), the Austrian Federal Administrative Court (BVerwG) ruled that Google reCAPTCHA may only be used on websites with explicit user consent. The court determined that reCAPTCHA is not a technically necessary tool and is not covered by a legitimate interest of website operators. This decision significantly impacts the use of third-party tools on websites and requires website owners to review their data protection practices.

Case Background

A user visited a political party’s website to apply for membership. Cookies, including those from Google reCAPTCHA, were stored on their device without prior information or consent. The user complained to the data protection authority, arguing that reCAPTCHA transmits data such as IP addresses and browser details to Google servers. The authority confirmed the violation, but the website operator contested the decision.

Court Ruling

The court upheld the data protection authority’s decision, ruling that Google reCAPTCHA cannot be used without explicit consent. The reasoning:

  • Not technically necessary: reCAPTCHA is not essential for the website’s core functionality.
  • No legitimate interest: Preventing bot entries is beneficial but does not justify data collection without consent.
  • Explicit consent required: Since neither technical necessity nor legitimate interest applies, user consent is mandatory.

Practical Implications

The ruling has broad implications for website operators:

  • Review third-party tools: Websites must assess all external services, including reCAPTCHA.
  • Consent requirement: Tools that are not strictly necessary require explicit user consent. This applies to services like Google Fonts and the Google Toolbar, which also transmit data to third parties.
  • Transparency: Users must be clearly informed about data collection and processing.
  • Beyond CAPTCHA services: The decision impacts all third-party tools, not just CAPTCHA solutions.

Summary

The Austrian BVerwG ruling confirms that Google reCAPTCHA requires explicit user consent. It underscores the importance of data protection and forces website operators to rethink their use of third-party services. Websites must now ensure compliance by obtaining user consent and increasing transparency.
