Google reCAPTCHA ruled unlawful without consent by Austrian court
Privacy ruling confirms websites must obtain explicit consent before using Google security tool.

On September 13, 2024, the Federal Administrative Court of Austria delivered a significant ruling that will impact how websites implement security tools across the European Union. The court determined that website operators must obtain explicit user consent before implementing Google's reCAPTCHA service, reinforcing the strict interpretation of data protection laws under the General Data Protection Regulation (GDPR).
The court case (BVwG - W298 2274626-1/8E) emerged just seven months ago when an individual filed a complaint after discovering a political party's website was transmitting personal data to Google through the reCAPTCHA service despite having explicitly declined consent. The ruling, published on November 28, 2024, represents a decisive interpretation of data privacy regulations that will likely influence future decisions across EU member states.
This decision builds upon a foundation of prior GDPR enforcement actions, aligning with the European Court of Justice's perspective on data processing and legitimate interest established in the landmark C-252/21 case of July 2023. The Austrian ruling specifically addresses the increasingly common implementation of Google services on websites and clarifies the legal requirements for their use.
The complaint concerned a political party website that implemented Google reCAPTCHA, a service designed to differentiate between human users and automated bots. According to the court documents, when the complainant visited the website to register for party membership, they immediately deactivated cookies and tracking functions through the site's privacy settings. Despite this action, the court found that 615 data packets had already been transmitted between the user's device and Google's servers.
The investigation revealed that the website operator had configured Google reCAPTCHA to set the "_GRECAPTCHA" cookie automatically, regardless of user preferences. This cookie contained unique, randomly generated values that, combined with the user's IP address and browser data, allowed Google to create a digital fingerprint and track user behavior across websites.
In their defense, the website operators argued they were responsible only for content, not technical implementation, claiming an external contractor handled website design. They further contended that cookie settings were controlled by users and that no data processing occurred without consent. The operators suggested that previous consent given to Google on other websites might have triggered the data transfer, absolving them of responsibility.
The court decisively rejected these arguments, establishing several important legal principles. First, it affirmed that website operators remain data controllers even when outsourcing technical implementation, as they make the final decisions about which technologies to implement. Second, the court determined that pre-existing consent on other platforms does not constitute valid consent for a new website.
Most significantly, the court ruled that Google reCAPTCHA cannot be justified under the "legitimate interest" provision (Article 6(1)(f) GDPR). While acknowledging that preventing bot attacks benefits website operators, the court found this interest did not outweigh users' privacy rights since reCAPTCHA is not technically necessary for website functionality.
"In the opinion of the deciding Senate, cookies set by the Google reCAPTCHA service are not necessary for the operation of a website, which is why the complainants do not have a legitimate interest, regardless of the fact that preventing bot entries is beneficial for website operators," the court stated in its ruling.
The court emphasized that since the reCAPTCHA implementation "has no influence on the functionality of the website," operators must obtain explicit user consent before employing the service. This differentiates reCAPTCHA from technically essential cookies that enable core website functions.
Legal experts note this decision aligns with the EU's increasingly strict interpretation of what constitutes "necessary" data processing. Dr. Carlo Piltz, a partner at Piltz Legal who shared analysis of the case on LinkedIn, highlighted the court's application of the European Court of Justice's C-252/21 decision, which established rigid standards for claiming legitimate interest as a processing basis.
For marketing professionals and website operators, this ruling has immediate practical implications. Websites using Google reCAPTCHA must now ensure they obtain explicit consent before activating the service. This typically means implementing a two-tier consent system where users can decline non-essential services while still accessing core website functionality.
The decision also affects how websites handle other Google services like Google Fonts, Google Maps, and analytics tools that transmit user data to Google's servers. Each service must now be evaluated against the strict necessity standard established by the court.
Privacy advocates have welcomed the decision, noting it addresses a common practice where websites implement third-party services that begin processing data before users have the opportunity to provide or withhold consent. The ruling clarifies that this "consent after the fact" approach violates GDPR principles.
The case is particularly significant because it involved a political party website, where data about visitors' political affiliations constitutes a special category of personal data under GDPR Article 9, subject to enhanced protection. The court recognized that Google would know "which pages of the party had been opened and that a membership registration with the party had been carried out under his IP address."
For technology providers, the ruling adds pressure to develop privacy-preserving alternatives to current implementations. Several open-source CAPTCHA solutions that operate without third-party data transfers are already gaining traction as GDPR-compliant alternatives.
The Austrian Federal Administrative Court's decision represents another step in the ongoing refinement of GDPR interpretation across Europe. While this ruling is specific to Austria, courts in other EU member states typically consider such decisions when addressing similar cases, creating a consistent approach to data protection enforcement.
Website operators now face the challenge of balancing security needs against stricter privacy requirements. Many will need to reconfigure their technical implementations to ensure valid consent mechanisms are in place before any third-party services activate. This will likely accelerate the trend toward privacy-by-design approaches where data protection considerations are integrated into initial website development rather than addressed afterward.
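The two-tier consent mechanism described above, where reCAPTCHA (and, under its own purpose, any other third-party script such as Google Fonts, Maps or analytics) stays parked until the visitor opts in, as an added example in JavaScript that is not from the article or from Google. The site key is a placeholder, the "security" purpose name is an assumption, and fakeDocument is a constructed stand-in for the browser DOM so the block runs offline.

```javascript
// Added example, not from the article or from Google: a consent gate that
// defers injecting the reCAPTCHA script until the visitor opts in.
// SITE_KEY is a placeholder; the script URL is Google's public reCAPTCHA endpoint.
const RECAPTCHA_SRC = "https://www.google.com/recaptcha/api.js";
const SITE_KEY = "PLACEHOLDER_SITE_KEY";

class ConsentGate {
  constructor(doc) {
    this.doc = doc;            // document-like object (the real DOM in a browser)
    this.granted = new Set();  // purposes the visitor has consented to
    this.pending = new Map();  // purpose -> loaders parked until consent
    this.loaded = new Set();   // loader names already executed
  }
  // Register a third-party loader; it runs only once consent for `purpose` exists.
  register(purpose, name, loader) {
    if (this.granted.has(purpose)) return this.run(name, loader);
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push({ name, loader });
  }
  run(name, loader) {
    if (this.loaded.has(name)) return;   // never inject the same script twice
    loader(this.doc);
    this.loaded.add(name);
  }
  grant(purpose) {
    this.granted.add(purpose);
    for (const p of this.pending.get(purpose) || []) this.run(p.name, p.loader);
    this.pending.delete(purpose);
  }
  // A refusal leaves the loader parked; a script never injected sends nothing.
  // An injected script cannot be un-run, so the gate must sit in front of it.
  deny(purpose) { this.granted.delete(purpose); }
  isLoaded(name) { return this.loaded.has(name); }
}

function injectRecaptcha(doc) {
  const s = doc.createElement("script");
  s.src = `${RECAPTCHA_SRC}?render=${encodeURIComponent(SITE_KEY)}`;
  s.async = true;
  doc.head.appendChild(s);
}

// Constructed stand-in for `document`, so the gate can be exercised outside a browser.
function fakeDocument() {
  const scripts = [];
  return { scripts, createElement: (tag) => ({ tag }),
           head: { appendChild: (el) => scripts.push(el) } };
}
```

In a browser, pass the real document, register each third-party loader under its purpose, and call gate.grant(purpose) only from the consent banner's accept handler, so no request reaches Google before the visitor has chosen.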
Timeline
- July 2023: European Court of Justice issues landmark ruling in C-252/21 establishing strict standards for legitimate interest processing
- Early 2024: Individual visits political party website to register for membership
- Early 2024: Individual discovers data transferred to Google despite opting out
- March 7, 2023: First complainant submits initial statement to Austrian DPA
- March 17, 2023: Complainants claim they are not responsible for website design
- April 20, 2023: Co-involved party notes continued data protection violations
- May 30, 2023: Austrian Data Protection Authority rules in favor of complainant
- June 27, 2023: Website operators file appeal against DPA decision
- September 13, 2024: Federal Administrative Court of Austria issues final ruling
- November 28, 2024: Court decision published and made publicly available