ALTCHA
Self-hosted CAPTCHA that proves a visitor is human with a background proof-of-work puzzle. No cookies, no tracking, MIT licensed.
3 private alternatives, vetted against our public criteria.
reCAPTCHA blocks spam by surveilling the people who fill in your forms. It scores their mouse movements and click timing and sets the _GRECAPTCHA cookie to fingerprint them, then sends that data to Google’s servers in the US. The solving effort itself becomes training labels for Google’s models. You get free spam protection. Your visitors get profiled, and you inherit a GDPR question you did not ask for.
Self-hosted, proof-of-work CAPTCHA written in Rust. Rate-limits abusive traffic without tracking or profiling your visitors.
Invisible, managed CAPTCHA from Germany. Uses background proof-of-work and no cookies, so visitors never solve a puzzle.
Why settings won’t fix reCAPTCHA. The tracking is not a feature you can switch off; it is the mechanism. reCAPTCHA tells humans from bots by watching behavior and matching it against everything Google already knows, so the surveillance and the spam-blocking are the same process. There is no configuration that keeps the protection while dropping the data collection. On top of that, the challenges you serve do double duty as training data for Google’s machine learning, and the cookie ties each visitor to an identifier that follows them. The only real fix is to stop using a tool whose method is profiling, which is the whole point of the picks above.
What actually matters in a CAPTCHA. Two questions sort the field. First, where does the check happen? A self-hosted CAPTCHA like ALTCHA or mCaptcha runs the verification on your own server, so no visitor data leaves your infrastructure at all. Second, what is the method? A background proof-of-work puzzle asks the visitor’s browser to compute a small task before the form submits, which a real person never notices but a spammer pays for on every request. Pair those two and you stop the flood without setting a cookie or building a profile, and without a consent prompt, because there is nothing to consent to. That is the trade in your favor: spam protection that costs the abuser compute instead of costing your reader their privacy. Past those two, one practical choice remains, which is how much you want to run yourself. A self-hosted tool gives you full control and keeps every byte on your own machine, while a managed European service hands the upkeep to someone else for a fee, so weigh the time you can spend against the bill you can absorb.
How to switch. Pick one tool from the list and drop its widget into the form you most want to protect, then verify the response on your server using the project’s documented examples. Start with a busy form, such as a contact box or a signup, so you see the effect quickly, then roll the same setup out across the site. The visitor experience usually gets simpler, since most of these are invisible or a single checkbox rather than a wall of distorted images. And reCAPTCHA is rarely the only Google script on a page, so once it is gone, the broader de-Google playbook covers the analytics and font scripts that leak the same way. Browse the full ranked set of privacy-friendly CAPTCHAs to compare hosting and cost before you commit.
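The background proof-of-work check and the server-side verification step described above, as an added example; it is not code from ALTCHA, mCaptcha or any other listed project and does not follow their wire formats. The function names, the signed-salt layout, and the difficulty and lifetime values are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed per run; a real key is a stored secret
MAX_NUMBER = 50_000   # assumed difficulty: size of the client's search space
TTL_SECONDS = 120     # assumed challenge lifetime
_seen = set()         # accepted salts; use a shared store across processes

def _sign(salt, target):
    return hmac.new(SERVER_KEY, f"{salt}:{target}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(now=None):
    """Server: pick a secret number and publish only its salted hash."""
    expires = int((time.time() if now is None else now) + TTL_SECONDS)
    salt = f"{secrets.token_hex(12)}.{expires}"
    number = secrets.randbelow(MAX_NUMBER + 1)
    target = hashlib.sha256(f"{salt}{number}".encode()).hexdigest()
    return {"salt": salt, "target": target, "max": MAX_NUMBER, "sig": _sign(salt, target)}

def solve(challenge):
    """Client (a browser script in practice): brute-force the number."""
    for n in range(challenge["max"] + 1):
        guess = hashlib.sha256(f"{challenge['salt']}{n}".encode()).hexdigest()
        if guess == challenge["target"]:
            return n
    return None

def verify(challenge, number, now=None):
    """Server: check signature, expiry, work, then single use."""
    salt = str(challenge.get("salt", ""))
    target = str(challenge.get("target", ""))
    sig = str(challenge.get("sig", ""))
    if not hmac.compare_digest(sig.encode(), _sign(salt, target).encode()):
        return False  # not issued by this server, or altered in transit
    try:
        expires = int(salt.rsplit(".", 1)[1])
    except (IndexError, ValueError):
        return False
    if (time.time() if now is None else now) > expires:
        return False  # stale challenge
    digest = hashlib.sha256(f"{salt}{number}".encode()).hexdigest()
    if not hmac.compare_digest(digest.encode(), target.encode()):
        return False  # the work was not done
    if salt in _seen:
        return False  # replay of an already accepted solution
    _seen.add(salt)
    return True
```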