Checklist for CAPTCHA selection

For many people, CAPTCHAs are an integral part of websites today, as they are used to ward off illegal or harmful attacks. However, many website managers do not really have any experience with the various CAPTCHA service providers.  It is not uncommon to fall back on the easiest CAPTCHA solution to find and implement.

At the same time, it can be seen that the use of CAPTCHAs as a means of protection against spam and other malicious activities, which have happened millions of times, many website operators or providers of online services are not aware of the negative effects of conventional CAPTCHAs on the user experience.

This is because CAPTCHAs can be perceived as time-consuming, frustrating and difficult to understand for some users, especially those with disabilities or using mobile devices. They can also be seen as an invasion of privacy, as some CAPTCHA services track users or use third-party services that raise privacy concerns. These disadvantages can lead to lower conversion rates and the exclusion of certain users from online content and services. 

What should you watch out for with free CAPTCHA solutions?

A large number of CAPTCHA solutions exist today. Some of them are also available free of charge. Some are open source or are financed by donations. However, a large proportion of free CAPTCHA solutions are financed through advertising, the sale of user data or the creation of website profiles. Consequently, tracking mechanisms are used, as tracking and harnessing users' online activity is an essential part of generating advertising revenue. All too often, however, users are not explicitly informed of this and proving that explicit and conscious consent has been obtained remains legally problematic.  

Why are organizations looking for alternatives to popular captcha like reCaptcha by Google?

Due to the GDPR and subsequent case law, more and more organizations are trying to find alternatives to the most popular CAPTCHA providers.  Google's reCaptcha and other providers are not considered GDPR compliant. For example, Google's reCaptcha uses existing knowledge about the identity of the user, which is not always easy to map in the data protection information, as Google does not fully disclose all mechanisms. There is also a noticeable trend towards an increase in the search for providers that not only offer GDPR-compliant CAPTCHA services but are also based within the EU.