Login
Free Trial

Migrate from Google reCAPTCHA to captcha.eu: A Practical Guide for European Websites

A clean blue-and-white illustration of a laptop showing a three-step migration guide from Google reCAPTCHA to captcha.eu. The screen presents panels for removing the old CAPTCHA, integrating captcha.eu with a code snippet, and verifying a successful setup with an “I am human” checkbox. Subtle EU stars, a faint map of Europe, and icons for privacy, accessibility, and security reinforce the European compliance theme.
captcha.eu

Google’s reCAPTCHA migration is already changing how website owners manage keys, billing, privacy disclosures and Google Cloud projects. April 2, 2026 brings a significant shift in how Google defines its legal role. If you are touching this layer anyway, this is the right moment to ask a bigger question: should you simply accept the Google Cloud migration, or switch to a European alternative with a simpler privacy and procurement story?

Estimated reading time: 11 minutes

Try CAPTCHA.eu free – no credit card
View all integrations

Short answer: Google says existing reCAPTCHA Classic keys can be self-migrated or automatically migrated into Google Cloud, and keys continue to function without code changes after migration. This is not a panic event. However, it is a real structural change. Google no longer allows new Classic keys. Automated migration began in Q4 2025 and completes in Q1 2026. From April 2, 2026, reCAPTCHA runs under Google Cloud terms with customers as the sole controller of Customer Data. The _GRECAPTCHA cookie remains. For many European teams, that makes this the right moment to move not just away from Classic, but away from reCAPTCHA altogether.

WHAT GOOGLE CHANGED

Strong fit for organizations that want Austria hosting, no cookies, no tracking, accessible user flows and a simpler story for European procurement.

WHAT THIS MEANS FOR YOU

You now need to review project ownership, billing, updated privacy notices, and controller responsibilities instead of treating reCAPTCHA as a simple website widget.

WHY SWITCH TO CAPTCHA.EU

Use the migration moment to move to an EU-hosted, no-cookie setup with direct platform integrations, TÜV-certified accessibility, and a cleaner story for European websites.

What this guide covers

What changes with Google reCAPTCHA migration

Google’s own migration documentation makes one thing clear: reCAPTCHA Classic is being folded into the Google Cloud model. New Classic keys are no longer allowed. Existing customers can either migrate their keys themselves or wait for automated migration. Google began automated migration in Q4 2025 and says the process completes in Q1 2026.

Two common summaries are both incomplete. “Nothing changes” is wrong because key management, billing posture, and ownership now sit inside Google Cloud. At the same time, “everyone must manually migrate by the end of 2025” is also wrong because Google explicitly documents an automated migration path.

What changes on April 2, 2026: Starting on that date, Google says reCAPTCHA customers become the sole controller of Customer Data, and Google processes that data under Google Cloud terms as a processor. Google also says customers should remove references to Google’s Privacy Policy and Terms of Use from their websites because those references no longer reflect the legal roles accurately from that date onward. The _GRECAPTCHA cookie does not disappear. Privacy notices still need to reflect your actual deployment.

How to complete the Google Cloud migration

If you decide to stay on reCAPTCHA, you need to complete the migration into Google Cloud Console. Manual migration is recommended over waiting for automatic migration because automatic migration may assign your keys to an unwanted new project, making future management harder. If your website generates more than 10,000 assessments per month, you also need to enable billing before migrating to avoid service disruptions.

Migrating via the reCAPTCHA Admin Console

  • Log into your reCAPTCHA Admin Console and select your project.

  • Select the keys you want to migrate and click Submit.

  • Google Cloud Console opens with your project and keys already populated.

Migrating via the Google Cloud Console

    • Ensure you have owner, editor, or reCAPTCHA admin permissions in Google Cloud. If not, ask your system administrator.

    • Go to the reCAPTCHA page in Google Cloud Console and select the correct project.

    • In the Classic keys section, find the key you want to migrate, click “Upgrade key,” and confirm.

    • Verify the migrated key appears under “reCAPTCHA keys” (not the Classic keys section).

    Important: Do not delete your Classic key from either console during or after migration. Deleting it removes it from both platforms simultaneously and immediately breaks your site’s bot protection.

    Why many teams are re-evaluating reCAPTCHA instead of just accepting the migration

    For some organisations, staying on reCAPTCHA is the right decision. If your team already works comfortably inside Google Cloud, understands the billing model, and has privacy and procurement review already built around Google services, then a self-migration may be enough.

    However, many website operators are not in that position. They run forms, sign-up flows, login pages, public-facing services, or regulated user journeys where every third-party component gets reviewed for privacy, accessibility, and procurement burden. In those settings, the migration is not just a technical maintenance task. It is a natural decision point.

    Three specific issues make reCAPTCHA difficult for European teams even after the April 2026 changes. First, the _GRECAPTCHA cookie remains, which means the ePrivacy cookie consent question does not go away. Second, Google Cloud’s billing model introduces a free tier ceiling of 10,000 assessments per month, after which costs apply. Third, the Google Cloud Console adds governance complexity for teams that do not already operate inside that ecosystem.

    That is where captcha.eu has a clear role. Instead of moving deeper into the Google Cloud reCAPTCHA model, you can use the same project window to move to a European setup built around Austrian hosting, no cookies at the CAPTCHA layer, and direct integrations for common CMS, commerce, and authentication stacks.

    Should you stay on reCAPTCHA or move to captcha.eu?

    Pricing is usually the second question after “does it actually work?” This is a like-for-like view for small to medium deployments. Always verify current pricing directly with each provider before purchasing.

    STAY ON RECAPTCHA IF

    You want continuity inside Google Cloud

    • You already manage infrastructure or security tooling in Google Cloud.
    • You want to keep Google’s scoring, Account Defender, and enterprise feature set.
    • You are comfortable reviewing billing, quotas, cookie consent, and controller responsibilities as ongoing obligations.

    SWITCH TO CAPTCHA.EU IF

    You want a simpler European setup

    • You want no cookies at the CAPTCHA layer and less ePrivacy and GDPR overhead.
    • You need EU-hosted processing and a simpler vendor story for procurement and audits.
    • You use WordPress, TYPO3, Keycloak, Magento, or NEOS and want direct plugin-based integration.
    • You need independently verified WCAG 2.2 AA accessibility compliance — captcha.eu holds WACA Silver certification from TÜV Austria.

    How to migrate from reCAPTCHA to captcha.eu

    In practice, this project is usually smaller than the phrase “replace reCAPTCHA” suggests. The right approach is not a dramatic rebuild but a structured cleanup of one security layer. The better your inventory is at the start, the smoother the switch becomes.

    • Inventory every place where reCAPTCHA runs.

      List contact forms, sign-up forms, logins, account recovery, checkout, booking flows, comments, and any custom API-backed widgets. Note whether you use checkbox, invisible, or score-based logic today.

    • Choose the protection model for each flow.

      Some flows need silent background protection. Others benefit from a visible widget as a user-trust signal. Do not copy every old reCAPTCHA behaviour by default. Use the migration to simplify your abuse-defence design where possible.

    • Replace the frontend integration.

      Remove the existing reCAPTCHA script and widget calls, then install captcha.eu through the plugin or implementation path that fits your stack. The script is a straightforward replacement and most integrations take under an hour.

    • Update server-side verification.

      Switch the verification endpoint, credentials, and any reCAPTCHA-specific assumptions in your backend logic. This is the right moment to remove old score thresholds or Google-specific action logic you no longer need.

    • Clean up privacy and legal documentation.

      Remove reCAPTCHA-specific privacy notice entries, cookie disclosures, and any references to Google’s Privacy Policy or Terms of Use that you were asked to remove per Google’s own April 2026 guidance. Document the new protection layer for product, legal, and support teams.

    • Test the highest-risk flows first.

      Start with the pages where bot abuse hurts most: login, registration, password reset, forms, and checkout. Confirm form completion, false-positive behaviour, analytics, and fallback handling before rolling out broadly.

    Practical recommendation: Turn this into a migration with a short decision memo, not just a technical ticket. In one internal note, capture why you stayed with reCAPTCHA or why you switched to captcha.eu. That single step keeps engineering, privacy, procurement, and management aligned, and it gives you documentation if an audit question comes up later.

    Migration shortcuts for common stacks

    WordPress

    Install directly from the WordPress plugin directory, no manual download needed. Protects login, registration, comments, Ninja Forms, Gravity Forms, Contact Form 7, WPForms, and Elementor Pro.
    WordPress plugin overview
    WordPress install guide

    TYPO3

    Supports both TYPO3 Forms and PowerMail via Composer. The most widely used CMS in Austrian, German, and Swiss public sector and enterprise environments.
    TYPO3 plugin overview
    TYPO3 install guide

    Keycloak

    Replaces Keycloak’s built-in reCAPTCHA directly. Protects browser login, registration, and reset credentials flows, the three authentication entry points most targeted by automated attacks.
    Keycloak plugin overview
    Keycloak install guide

    If your platform is not listed above, the full plugins and platforms overview covers Magento 2, NEOS, and additional frameworks. The documentation hub has implementation guides for React, Vue, Angular, Node.js, and PHP.

    Common migration mistakes to avoid

    The first mistake is assuming Google’s automatic migration ends the project. Automatic migration can keep keys working, but it does not answer your product, privacy, cost, or accessibility questions. Those remain open regardless of which migration path Google uses.

    The second mistake is overlooking indirect reCAPTCHA dependencies. Many teams remember the obvious form widget and forget the form builder plugin, sign-up middleware, checkout extension, or custom login wrapper that also calls the reCAPTCHA API. A thorough inventory before you start saves debugging time after you switch.

    The third mistake is copying the old setup too literally. A migration is a useful chance to remove unnecessary friction. Google itself says it does not recommend checkbox keys because they add user friction without meaningfully improving detection accuracy. Use the switch as an opportunity to move to invisible or low-friction protection where appropriate.

    The fourth mistake is forgetting to update privacy documentation after the switch. If you move away from reCAPTCHA, you need to remove reCAPTCHA and Google-specific disclosures from your privacy notice, cookie policy, and any internal vendor lists. Leaving stale entries in legal documentation creates its own compliance risk.

    Related reading

    This guide focuses on the migration decision and process. The articles below answer the next questions most teams have once they decide to re-evaluate reCAPTCHA.

    Frequently Asked Questions

    Do I have to manually migrate reCAPTCHA?

    No. Google documents both self-migration and automated migration. Automated migration began in Q4 2025 and completes in Q1 2026. The real question is not whether migration exists, but whether you want to stay in the Google Cloud reCAPTCHA model or switch to another provider while the project window is open.

    Will my current reCAPTCHA integration stop working immediately if I do nothing?

    Google says migrated keys continue to function without code changes, which reduces the immediate technical risk. However, it does not remove the need to review ownership, billing, privacy notices, and broader vendor decisions. Waiting also means Google may assign your keys to an automatically created project that is harder to manage later.

    What changes on April 2, 2026?

    Google says reCAPTCHA customers become the sole controller of Customer Data and Google processes that data under Google Cloud terms as a processor. Google also says website operators should remove references to Google’s Privacy Policy and Terms of Use from their websites because those references no longer match the legal roles from that date. The _GRECAPTCHA cookie remains in place.

    Does the April 2026 change make reCAPTCHA GDPR-compliant for European websites?

    The change improves the contractual structure, but it does not resolve all GDPR and ePrivacy obligations automatically. Cookie consent, transfer documentation, and privacy notice updates all remain the operator’s responsibility. For a full analysis, see our dedicated reCAPTCHA GDPR compliance article.

    How long does a migration from reCAPTCHA to captcha.eu take?

    For a single-platform site using one of the supported plugins (WordPress, TYPO3, Keycloak, Magento, NEOS), the technical switch typically takes under an hour. Multi-platform setups or custom API integrations take longer depending on how many flows use reCAPTCHA. The inventory step at the beginning of the migration process is usually what takes the most time.

    Why migrate to captcha.eu instead of Cloudflare Turnstile or hCaptcha?

    Turnstile and hCaptcha are both reasonable options depending on your context. The main reasons European teams choose captcha.eu are: Austrian hosting with no data processing outside the EU, no cookies at the CAPTCHA layer (removing the ePrivacy consent question), independently verified WCAG 2.2 AA accessibility via WACA Silver certification from TÜV Austria and direct plugins for the CMS and authentication platforms most common in European markets. For teams in regulated sectors or public procurement, those specifics matter more than feature-level comparisons.

    Legal note: This article is written for general informational purposes and does not constitute legal advice. Whether a specific CAPTCHA deployment is appropriate depends on your actual implementation, your jurisdiction, and your internal privacy and procurement requirements.

    Use the migration moment to simplify your stack

    Google’s migration forces many teams to review reCAPTCHA anyway. If you would rather use that effort to move to an EU-hosted, no-cookie alternative with direct integration paths and TÜV-certified accessibility, start with captcha.eu. 100 free requests, no credit card required.

    Start free trial
    Contact sales

    Recent Posts

    en_USEnglish
    de_DEGerman fr_FRFrench es_ESSpanish nl_NLDutch it_ITItalian en_USEnglish