
hCaptcha can be part of a GDPR-compliant setup, but it does not arrive compliant out of the box, and it takes more governance work than many website owners expect.
Intuition Machines, the US company behind hCaptcha, offers a data processing agreement, EU–US Data Privacy Framework certification, and standard contractual clauses. Those are real tools, and they matter. But they do not do the compliance work for you. Legal basis, cookies, international data transfers, and accessibility all still need to be sorted at your end, before you go live, not after a supervisory authority comes knocking.
This article walks through exactly where those questions arise, what they mean in practice, and what a defensible setup actually looks like.
Editorial note: This article is for informational purposes and does not constitute legal advice. For questions about your specific implementation or applicable national law, please consult a qualified privacy or legal professional.
Table of contents
- At a glance: the four GDPR questions hCaptcha raises
- How hCaptcha actually works
- Why this matters more than it might seem
- The three GDPR risk areas, explained
- Does the plan tier change the compliance picture?
- Accessibility: a compliance question, not a footnote
- How to reduce GDPR risk if you continue using hCaptcha
- Conclusion
- FAQ – Frequently Asked Questions
At a glance: the four GDPR questions hCaptcha raises
Before diving into the detail, here is a quick map of the key issues. Each one is explained fully below.
| GDPR question | hCaptcha’s position | What you as the operator must still do |
|---|---|---|
| International data transfer | DPF-certified; SCCs available in the DPA | Verify the DPA is signed; document your transfer assessment |
| Cookies and ePrivacy | Sets cookies, including hmt_id | Assess whether the technical-necessity exemption applies in your jurisdiction |
| Role (processor or controller) | Acts as processor per its FAQ | You remain the controller; lawful basis, transparency and vendor oversight stay with you |
| Accessibility | Targets WCAG 2.2 AA; some visual challenges remain partially inaccessible | Test the real user flow; do not rely on the vendor’s statement alone |
How hCaptcha actually works
When someone submits a form on your website, hCaptcha steps in to decide: is this a human or a bot? Depending on your plan, it either shows a visible challenge (the familiar “pick all the traffic lights” task), uses invisible background signals, or applies a mix of both. If the check passes, it hands your form a token. Your server must then verify that token with hCaptcha’s API before trusting the submission; on its own, the token proves nothing.
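The server-side half of that flow, as an added example in Node.js (this is not hCaptcha’s own code). The decision logic is separated from the network call so the checks can be run offline against a constructed response. The endpoint URL, the form fields (`secret`, `response`, `remoteip`) and the response fields (`success`, `hostname`, `challenge_ts`, `error-codes`) are those hCaptcha documents; the 120-second freshness window and the token-shape limits are assumptions of this example. Two checks matter beyond `success`: the returned `hostname` must be the host your form was served from, and the solve timestamp must be recent, otherwise a captured token can be replayed.

```javascript
// Added example (not hCaptcha's code): server-side verification of the token
// the widget hands to your form. Decision logic is separated from transport so
// the checks can be exercised offline against a constructed response.

const HCAPTCHA_VERIFY_URL = "https://api.hcaptcha.com/siteverify";

// Cheap shape check before spending a network round-trip on a bogus token.
// The 8 KiB cap and the "no whitespace" rule are assumptions of this example.
function isPlausibleToken(token) {
  return typeof token === "string" && token.length > 0 && token.length <= 8192 && /^\S+$/.test(token);
}

// Pure decision logic over a parsed siteverify response.
//   expectedHostname: the host your form was served from (compared to hCaptcha's `hostname`)
//   maxAgeSeconds:    how old a solved challenge may be (120 s is an assumption, not a vendor value)
//   now:              clock in milliseconds, injectable for testing
function evaluateVerifyResponse(result, { expectedHostname, maxAgeSeconds = 120, now = () => Date.now() } = {}) {
  if (!result || typeof result !== "object") {
    return { ok: false, reason: "malformed-response" };
  }
  if (result.success !== true) {
    return { ok: false, reason: "rejected", errorCodes: result["error-codes"] || [] };
  }
  // Bind the token to your own host: a token solved on another page that uses
  // the same site key (a staging copy, an attacker's mirror) is not accepted here.
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch", hostname: result.hostname };
  }
  // Reject old tokens so a captured one cannot be replayed indefinitely.
  const solvedAt = Date.parse(result.challenge_ts);
  if (Number.isNaN(solvedAt) || now() - solvedAt > maxAgeSeconds * 1000) {
    return { ok: false, reason: "stale-token" };
  }
  return { ok: true, hostname: result.hostname };
}

// Network path (Node 18+ global fetch). Fails closed: if the verifier cannot be
// reached or answers with something unparseable, the submission is not accepted.
async function verifyHcaptchaToken({ token, secret, expectedHostname, remoteIp }) {
  if (!isPlausibleToken(token)) {
    return { ok: false, reason: "malformed-token" };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) {
    body.set("remoteip", remoteIp); // optional; only forward it if your privacy notice covers it
  }
  let result;
  try {
    const res = await fetch(HCAPTCHA_VERIFY_URL, {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    });
    result = await res.json();
  } catch (err) {
    return { ok: false, reason: "verify-unreachable" };
  }
  return evaluateVerifyResponse(result, { expectedHostname });
}
```

Do not send `remoteip` unless your privacy notice and DPA cover forwarding the client IP to the vendor; the field is optional, and leaving it out is one less transfer to document. Keep the verification server-side only: the secret never belongs in browser code.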
To run that analysis, hCaptcha processes technical and behavioural data. Its privacy policy lists communications metadata such as the originating IP address, along with analytics information including browser type, ISP, platform, device type, operating system and access timestamps. It also sets cookies, including hmt_id, which it describes as a first-party cookie used for strictly necessary, anonymous, service-related statistics and technical functions, including accessibility support.
That processing of IP addresses, browser signals and cookies is where the GDPR questions begin.
Why this matters more than it might seem
It is tempting to treat CAPTCHA as a small technical detail. It is not. CAPTCHA sits at the front door of the most sensitive workflows on your website: login, password reset, registration, checkout and contact forms. These are exactly the flows attackers target first.
Credential stuffing, where automated tools test millions of stolen username and password combinations, hits login forms specifically. Fake account creation, card testing, and form spam hit the others. ENISA’s threat landscape reports consistently rank automated abuse of web-facing applications among the most common attack types affecting European organisations.
That makes choosing a CAPTCHA both a security decision and a data-protection decision. A tool that reduces bot risk but creates legal exposure, through unresolved cookie consent, unclear transfer basis, or accessibility gaps, solves one problem while quietly creating another. For IT managers, developers, and DPOs, it is worth treating those two sides of the question together.
The three GDPR risk areas, explained
1. International data transfer
Intuition Machines is a US company. Its privacy policy states that it may process personal data of covered individuals in the United States as part of providing the service. It is also certified under the EU–US Data Privacy Framework.
DPF certification is a legitimate and meaningful transfer tool, but it is not a blank cheque. The EDPB’s guidance makes clear that organisations must verify that the mechanism is in place and in scope; they must not simply assume that certification covers every scenario. A useful reference point is the Austrian Data Protection Authority’s 2022 ruling on Google Analytics (GZ: 2021-0.586.257), which found that transmitting IP addresses and browser identifiers to a US server constitutes a transfer of personal data. That ruling concerned Google Analytics specifically, but it illustrates how strictly EU supervisory authorities may scrutinise transfers of technical metadata to US-based providers, and why the analysis cannot be skipped simply because a tool holds DPF certification.
In practical terms: sign the DPA, confirm that DPF certification is current and document your transfer assessment in writing. Do not assume that because a vendor has ticked the DPF box, the work is done on your side.
2. Cookies and ePrivacy, a separate question that GDPR does not answer
This is the risk area most often missed, and it reliably catches website operators off guard.
GDPR and the ePrivacy Directive are two different instruments. Article 5(3) of the ePrivacy Directive requires consent before placing cookies or accessing information on a user’s device, unless a specific technical necessity exemption applies. The EDPB’s guidelines on cookies make clear that this exemption is narrow. It must be assessed on a use-case-by-use-case basis; it is not a general carve-out for security or anti-bot tools.
hCaptcha sets cookies. Its cookie policy lists hmt_id and describes it as used for technical and service-related purposes. Whether the technical-necessity exemption applies to your specific deployment depends on the concrete use case and on the position of your national supervisory authority.
Here is the point that catches people: even if your GDPR legal basis is contract performance or legitimate interests, that does not resolve the ePrivacy cookie question. They are independent obligations. Getting one right does not automatically get you the other. If you cannot clearly demonstrate that the exemption applies in your jurisdiction, the operationally cleaner routes are either loading hCaptcha only after explicit consent, or using a cookie-free CAPTCHA that removes the question entirely.
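The consent-gated route, as an added example in browser JavaScript (this is not hCaptcha’s or captcha.eu’s code). A plain `<script src="https://js.hcaptcha.com/1/api.js" async defer>` in the page head executes, and can set its cookie, before any banner has been answered; the loader below only injects that script once consent is recorded. The `consent` object with `hasConsent()` and `onChange()` is a hypothetical interface standing in for whatever consent manager you run, and `doc`/`win` are injected so the logic can be exercised without a browser (pass `document` and `window` in production). `hcaptcha.render()` and the `render=explicit` loader parameter are from hCaptcha’s documented JavaScript API.

```javascript
// Added example (not hCaptcha's or captcha.eu's code): inject the hCaptcha
// script only after consent has been recorded, so the vendor sets no cookie on
// visitors who have not agreed. `consent` (hasConsent()/onChange()) is a
// hypothetical interface to your consent manager; `doc` and `win` are injected
// so the logic runs headless (pass document and window in the browser).

// render=explicit tells the loader not to auto-render widgets; we render on load.
const HCAPTCHA_SCRIPT_URL = "https://js.hcaptcha.com/1/api.js?render=explicit";

function createConsentGatedCaptcha({ doc, win, consent, siteKey, containerId, category = "functional" }) {
  let state = "idle"; // idle -> loading -> ready

  // Runs once the vendor script has executed and defined window.hcaptcha.
  function renderWidget() {
    if (state === "ready" || !win.hcaptcha) {
      return false;
    }
    win.hcaptcha.render(containerId, { sitekey: siteKey });
    state = "ready";
    return true;
  }

  // Called at page load and again on every consent change. Returns what it
  // decided so the behaviour is observable in tests and audits.
  function load() {
    if (state !== "idle") {
      return state;
    }
    if (!consent.hasConsent(category)) {
      return "blocked-no-consent"; // nothing from js.hcaptcha.com touches the page
    }
    const script = doc.createElement("script");
    script.src = HCAPTCHA_SCRIPT_URL;
    script.async = true;
    script.defer = true;
    script.onload = renderWidget;
    doc.head.appendChild(script);
    state = "loading";
    return state;
  }

  consent.onChange(load);
  return { load, renderWidget, getState: () => state };
}
```

Until consent is given the widget is absent, so the form needs a defined behaviour for that state: either block submission with an explanation, or fall back to a check that does not depend on the vendor script. Either way the server must still reject submissions that carry no valid token. Note also that a script, once executed, cannot be un-executed: if the visitor later withdraws consent, the honest implementation reloads the page rather than pretending the widget was never there.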
3. Role allocation: what “processor” actually means for you
hCaptcha’s FAQ states that Intuition Machines acts as a processor for its customers in the relevant GDPR context. That framing is helpful, and the DPA reflects it for core service delivery.
But here is what does not change: you are still the controller. You decide which pages carry the CAPTCHA, what legal basis you rely on, how users are informed, and how you handle a data subject request that touches hCaptcha-processed data. The widget is outsourced. The accountability is not.
In practice: your privacy notice should disclose hCaptcha’s processing. Your record of processing activities should list Intuition Machines as a processor (or as a sub-processor, where you yourself act as a processor for someone else), and you should be able to explain to a supervisory authority why you made the deployment choices you made.
Does the plan tier change the compliance picture?
Yes, and this is the detail most deployments overlook entirely.
On some plan tiers, data use and contractual controls can differ materially. Enterprise customers may be able to negotiate stricter privacy terms than free-tier deployments, including restrictions on how interaction data is used beyond core service delivery.
If your organisation processes data from users in regulated sectors, such as healthcare, finance or public services, the applicable data-use terms are worth examining carefully before deployment, not after. Reviewing the current terms for your specific plan and, where necessary, negotiating DPA clauses that reflect your obligations is part of responsible vendor selection under GDPR’s accountability principle.
Accessibility: a compliance question, not a footnote
Accessibility tends to be treated as a secondary consideration in CAPTCHA decisions. For many in-scope digital services operating in the EU, it is no longer optional. The European Accessibility Act, which applies across member states from June 2025, means that covered businesses and services must meet accessibility requirements, with WCAG 2.2 AA as the relevant technical standard for most web-based implementations.
hCaptcha’s accessibility statement says it targets WCAG 2.2 AA compliance and has carried out internal and external audits. It also acknowledges, honestly, that some visual image challenges cannot be made fully accessible while still performing their security function.
That gap has real consequences. A vendor-level accessibility statement does not make your specific deployment accessible. The following areas require genuine testing in the real user flow, not a check against a PDF from the vendor:
- Keyboard navigation. Can the widget be activated and completed without a mouse? This needs to work for every user.
- Screen reader and audio challenge compatibility. The audio challenge and fallback experience should be tested across screen readers and browser combinations before you rely on it as an accessibility path. Behaviour can vary significantly between NVDA, JAWS, and VoiceOver, and across different browsers.
- Error state handling. When a challenge fails or times out, are error messages announced to assistive technology, or do they appear visually only?
- Mobile behaviour. Does the widget render and function correctly in a mobile browser with system accessibility features enabled?
For public-sector organisations and services with a broad user base, these tests are not optional extras. They are part of what compliance actually requires.
How to reduce GDPR risk if you continue using hCaptcha
If you have worked through the above and decided hCaptcha is the right tool for your context, the following steps will put you in a materially stronger position.
Conclusion
hCaptcha is not automatically unlawful in Europe. For organisations prepared to do the governance work (a signed DPA, transfer documentation, an ePrivacy cookie assessment, a plan-tier review and real accessibility testing), it can be part of a compliant deployment.
The honest answer to the question of whether hCaptcha is GDPR-compliant is: it depends on how you deploy it, which plan tier you are on, which sector you operate in, and how thoroughly you have documented your decisions. Vendor certification is a starting point, not a finishing line.
For some organisations, that trade-off may still be acceptable. Others may prefer a European CAPTCHA solution that reduces privacy friction and avoids visual-challenge barriers. In that context, captcha.eu can be a relevant alternative: it is hosted in Austria, designed to be GDPR-compliant, uses no cookies and no tracking, and holds WACA Silver / WCAG 2.2 AA certification.
FAQ – Frequently Asked Questions
Is hCaptcha GDPR-compliant by default?
No. hCaptcha provides a DPA, DPF certification, and SCCs, but these are tools for operators to use — not a compliance guarantee. Legal basis, the ePrivacy cookie question, transfer documentation, and accessibility all remain the website operator’s responsibility.
Does hCaptcha transfer personal data to the United States?
Yes. Intuition Machines states that it may process personal data in the United States as part of providing the service, and that it is EU–US Data Privacy Framework certified. DPF certification is a valid transfer mechanism, but it needs to be verified as current and documented as part of your transfer records.
Does hCaptcha use cookies?
Yes. Its cookie policy lists cookies including hmt_id, described as used for technical and service-related purposes. Whether ePrivacy consent is required before setting those cookies depends on whether the technical-necessity exemption applies in your specific jurisdiction and use case. That cannot be assumed; it requires a deliberate assessment.
Does the hCaptcha pricing plan affect compliance?
It can. Data use and contractual controls may differ between plan tiers, and enterprise customers may be able to negotiate stricter privacy terms than other deployments. If you are processing data from users in regulated sectors, it is worth reviewing the applicable terms for your specific plan before deployment.
Is hCaptcha accessible?
hCaptcha targets WCAG 2.2 AA compliance and provides an audio challenge as an alternative to visual tasks. However, it acknowledges that some visual challenges cannot be made fully accessible while still performing their security function. Accessibility needs to be verified through real testing (keyboard navigation, the audio fallback across different screen readers and browsers, and error-state announcements), not assumed from the vendor’s statement alone.
Can I skip the cookie consent assessment if my GDPR legal basis is legitimate interests?
No. The ePrivacy Directive’s cookie requirements are independent of GDPR. Even with a valid GDPR lawful basis, Article 5(3) of the ePrivacy Directive still applies separately. A compliance gap on one is not fixed by getting the other right.
What is a GDPR-compliant alternative to hCaptcha?
For organisations where EU data hosting, no cookies and certified accessibility are requirements rather than preferences, captcha.eu was built around exactly those constraints: Austrian hosting, no cookies, no tracking, invisible integration, and independently verified WCAG 2.2 AA conformance via WACA Silver certification from TÜV Austria.