
BVwG Austria judgment on Google reCAPTCHA

The Austrian Federal Administrative Court (BVwG) has clarified in a groundbreaking ruling that the use of Google reCAPTCHA on websites is only permissible if the users concerned expressly consent to the processing of their personal data.

The ruling highlights the growing challenges in data protection - especially with widespread third-party services that collect data in the background.

Background and how reCAPTCHA works

Google reCAPTCHA is a widely used service designed to help website operators distinguish bots from human users and thus ward off attacks, spam and abuse. However, the service collects more than simple behavioral data: in addition to analyzing mouse movements and keystrokes, it sets a cookie (typically named _GRECAPTCHA) that assigns the visitor's end device a unique identifier. Personal data such as the IP address and other browser information can be transmitted to Google's servers.

The specific case and the court decision

In this case, a user visited the website of a political party after having already configured his data protection settings to decline non-essential cookies. Despite this setting, the reCAPTCHA tool was activated and the _GRECAPTCHA cookie was set on his device.

The user then complained to the competent data protection authority because he was not informed about the data transfer and had no opportunity to actively object to the processing of his personal data.

In its ruling, the Federal Administrative Court based its decision on European data protection principles, in particular the provisions of the GDPR and the ePrivacy Directive. The court came to the conclusion that reCAPTCHA - although it offers a certain security advantage - is not technically part of the basic functionality of a website.

Consequently, the processing of the data collected cannot be justified by a legitimate interest of the operator, and effective user consent would have been mandatory.

"The implementation of reCAPTCHA is not technically necessary for the operation of the website, which is why a legitimate interest must be denied and the consent of the party involved would have had to be obtained."

Source: BVwG Austria: Google reCAPTCHA requires consent

Consequences for website operators

The decision of the BVwG has far-reaching implications:

  • Transparency and information: website operators must inform their users clearly and comprehensively about what data is collected and for what purpose.
  • Consent processes: Active, informed opt-in consent must be obtained before setting cookies that are not technically mandatory - such as that of reCAPTCHA.
  • Check alternatives: Given the strict data protection requirements, operators should also consider more privacy-friendly alternatives, such as locally hosted captcha solutions or tools that do not require invasive data collection.

This decision underlines the importance of consistent data protection management. Security functions that process personal data in the background are also increasingly coming under the scrutiny of supervisory authorities - both in Austria and in other EU countries.


Professional assessment

Experts point out that the decision of the Federal Administrative Court should not be understood as a blanket ban on the use of reCAPTCHA. Rather, it shows that the data protection framework is becoming increasingly restrictive. The security advantages offered by Captcha solutions must not lead to users' rights to data protection and informational self-determination being disregarded. Website operators are therefore faced with the challenge of ensuring effective protection against bots and spam on the one hand and implementing data protection-compliant procedures on the other.

Conclusion

The ruling of the Federal Administrative Court marks an important step in the area of conflict between internet security and data protection. For operators, this means that a secure web presence must not come at the expense of user privacy. Consistently obtaining clearly formulated consent before activating tools such as Google reCAPTCHA will be a must in future - otherwise there is a risk of significant legal consequences.

Protect your web forms from bots and stay GDPR-compliant with CCM19

To meet the requirements of the BVwG ruling and at the same time effectively protect your online forms from bots, it is advisable to obtain user consent directly on the form. With CCM19, you can easily implement this by first displaying a GDPR-compliant notice instead of the reCAPTCHA area. Google reCAPTCHA is only loaded after the user has given their express consent, which means you comply with data protection regulations and at the same time protect your forms from spam and misuse.
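The consent-gated loading pattern described above, written out as an added example (this is not CCM19's code and not part of the original article). It assumes a consent record in the form of a plain object with a boolean `recaptcha` field, a placeholder element with the id `recaptcha-placeholder` inside the form, and a constructed `SITE_KEY_PLACEHOLDER` value in place of a real site key; the global `window.consentState` and the `consentchange` event are likewise assumptions standing in for whatever the consent manager actually provides. The reCAPTCHA script is injected only after an explicit `true`, never on a missing, `false` or merely truthy value, and never twice.

```javascript
// Added example (not CCM19's code): load Google reCAPTCHA only after an explicit opt-in.
// Assumptions: the consent record is a plain object with a boolean "recaptcha" field,
// the form contains an element with id "recaptcha-placeholder", and SITE_KEY is a
// constructed placeholder that a real deployment would replace.

const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";
const SITE_KEY = "SITE_KEY_PLACEHOLDER"; // constructed placeholder, not a real key

// Only an explicit, affirmative choice allows the third-party script.
// No record yet, null, false and non-boolean truthy values all keep it off.
function mayLoadRecaptcha(consent) {
  return Boolean(consent) && consent.recaptcha === true;
}

// Decide what the page should do for a given consent state.
function nextAction(consent, alreadyLoaded) {
  if (alreadyLoaded) return "noop"; // never inject the script twice
  return mayLoadRecaptcha(consent) ? "load" : "show-notice";
}

// Build the gate around a document-like object so the logic can run without a browser.
function createRecaptchaGate(doc) {
  const state = { loaded: false, scriptSrc: null };

  function showNotice() {
    // Inline notice shown instead of the reCAPTCHA widget until consent is given.
    doc.getElementById("recaptcha-placeholder").textContent =
      "This form is protected by Google reCAPTCHA. Your IP address and browser data " +
      "would be sent to Google. Allow reCAPTCHA to submit the form.";
  }

  function load() {
    const script = doc.createElement("script");
    script.src = RECAPTCHA_SRC + "?render=" + encodeURIComponent(SITE_KEY);
    script.async = true;
    doc.head.appendChild(script);
    state.loaded = true;
    state.scriptSrc = script.src;
    // Clear the notice; the widget itself is rendered by the loaded script.
    doc.getElementById("recaptcha-placeholder").textContent = "";
  }

  return {
    apply(consent) {
      const action = nextAction(consent, state.loaded);
      if (action === "load") load();
      else if (action === "show-notice") showNotice();
      return action;
    },
    isLoaded: () => state.loaded,
    scriptSrc: () => state.scriptSrc,
  };
}

// Minimal stand-in for the DOM (constructed for this example) so the gate runs in Node.
function makeFakeDocument() {
  const elements = { "recaptcha-placeholder": { textContent: "" } };
  const head = { children: [], appendChild(node) { this.children.push(node); } };
  return {
    head,
    getElementById: (id) => elements[id],
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "", async: false }),
  };
}

// Browser wiring: show the notice first, re-evaluate when the consent tool reports a choice.
if (typeof document !== "undefined") {
  const gate = createRecaptchaGate(document);
  gate.apply(window.consentState); // assumed global written by the consent manager
  document.addEventListener("consentchange", (e) => gate.apply(e.detail)); // assumed event name
}
```

The decision is isolated in `mayLoadRecaptcha` and `nextAction` so it can be unit-tested without a browser; the DOM work is confined to `createRecaptchaGate`, which takes the document as a parameter for the same reason. Until consent arrives the form shows only the notice text and no request to Google is made, which is the behaviour the ruling requires.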

Detailed implementation instructions can be found in the CCM19 documentation.