Friendly Captcha and Data Protection – What Belongs in the Privacy Policy

Concise guide to Friendly Captcha: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Friendly Captcha and Data Protection – What Website Operators Need to Know

If a website operator uses Friendly Captcha, they process user and technical data for the purpose of bot defence and spam prevention on the basis of legitimate interests under Art. 6(1)(f) GDPR – without consent being required. This is a decisive difference from other CAPTCHA solutions such as Google reCAPTCHA. This information is based on statements by the provider and publicly accessible sources.

A. Purpose and Function of Friendly Captcha

Friendly Captcha is a privacy-friendly CAPTCHA alternative from the German company Friendly Captcha GmbH, based in Wörthsee (Bavaria). It is used to prevent spam, bot attacks, and automated abuse on websites and forms.

In contrast to Google reCAPTCHA (which tracks user behaviour), Friendly Captcha uses a cryptographic proof-of-work approach:

  • The visitor's browser solves a mathematical task in the background (proof of work). This is invisible to genuine users and is solved in fractions of a second. For bot traffic, however, it is very time-consuming (seconds to minutes), which makes bot attacks impractical.
  • No tracking, no behavioural detection: In contrast to Google reCAPTCHA, no data on user behaviour (mouse movements, clicks, scrolling behaviour) is captured.
  • No cookies: Friendly Captcha works without HTTP cookies or third-party tracking.
  • Minimal data: Friendly Captcha records only technical data (IP address, anonymised) in order to detect abuse.

Technical integration: The website operator embeds a JavaScript code snippet in their form or website. When a user wants to submit the form, the browser starts the proof-of-work calculation. Once the calculation has been completed successfully, the form is released for submission.

B. Mandatory Disclosures in the Privacy Policy on Friendly Captcha

The GDPR requires website operators to transparently explain the following points:

  • Processing purposes (Art. 13(1)(c)): Why is data processed?
  • Legal bases (Art. 13(1)(c)): On what legal basis does the processing take place?
  • Legitimate interests (Art. 13(1)(d)): Where the processing is based on legitimate interests, what are those interests?
  • Recipients or categories of recipients (Art. 13(1)(e)): To whom is data passed on?
  • Retention period (Art. 13(2)(a)): How long is data stored?

Special feature with Friendly Captcha: Because Friendly Captcha is based on legitimate interests (not on consent), no cookie banner is required. This is a major advantage over Google reCAPTCHA, which requires consent.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Friendly Captcha: Friendly Captcha GmbH

Aspect | Information
Legal name | Friendly Captcha GmbH
Address | Am Anger 3–5, 82237 Wörthsee, Germany
Country of seat | Germany (EU)
Court of registration | Munich Local Court, HRB 260542
DPF status | Not required (EU company)
Privacy Policy | https://friendlycaptcha.com/legal/privacy-information/
Role | Processor under Art. 28 GDPR

Special feature: Friendly Captcha is a German company – data processing takes place in the EU, there are no third-country transfers to the USA.

D. Data Processing by Friendly Captcha – Procedure

Collection

The Friendly Captcha widget is embedded on the website. When a user wants to submit a form, Friendly Captcha records the user's IP address and starts the proof-of-work calculation in the browser. No behavioural data (mouse movements, clicks, scrolling) is captured.

Storage

The IP address is anonymised and stored briefly (typically a few minutes to hours) in order to detect abuse (e.g. multiple submissions from the same IP). No long-term storage takes place.

Use

Friendly Captcha uses the anonymised IP address to detect suspicious patterns (e.g. mass submissions from one IP address) and to block bots. The submitted proof-of-work solution is also checked for correctness.

Disclosure

Friendly Captcha does not pass data on to third parties. Friendly Captcha acts as a processor for the website operator.

Deletion

Anonymised IP addresses are automatically deleted after a short time (hours). There is no retention window for personal data.

E. Data Collected When Using Friendly Captcha

In contrast to other CAPTCHA solutions, Friendly Captcha collects very little data:

  • IP address (anonymised): For detecting suspicious patterns and abuse prevention. The IP is not stored in connection with the user or other data.
  • Timestamp: The time of the proof-of-work calculation, for the analysis of attack patterns.
  • Technical success/error status: Whether the proof-of-work calculation was successful or not.

No tracking of:

  • Mouse movements
  • Clicks
  • Scrolling behaviour
  • Browser history
  • Device information (beyond reCAPTCHA)
  • Behavioural profiles
  • Cross-site tracking

This minimal data can be classified into the following standardised data type categories:

  • Web server log data (anonymised): IP address (anonymised or hashed), date/time, technical metadata for bot detection
  • Security events: Success/failure of the captcha solution, suspicious patterns

F. Purposes of Use When Using Friendly Captcha

Friendly Captcha processes data for the following purposes:

  • Provision of functionality: Provision of the CAPTCHA widget for the verification of human users
  • Security and abuse protection: Bot detection and blocking, spam prevention, protection of forms from automated attacks
  • Abuse prevention: Detection of suspicious patterns (e.g. mass submissions from one IP address)

These purposes are narrowly defined and relate exclusively to security – not to marketing or profiling.

Category: Friendly Captcha is a security and abuse protection tool.

Legal basis: Legitimate interests under Art. 6(1)(f) GDPR.

The website operator has a legitimate interest in protecting their forms and website from bot attacks, spam, and abuse. This interest is legitimate and proportionate. The interference with users is minimal (a brief proof-of-work calculation, invisible) and no tracking is carried out.

No consent required: Because Friendly Captcha is based on legitimate interests, not on tracking cookies, no user consent is required. This is a decisive advantage over Google reCAPTCHA.

Proportionality: The processing is proportionate because:

  1. Only minimal data is collected (anonymised IP)
  2. No tracking or profiling takes place
  3. Data is deleted immediately
  4. The benefit (security) outweighs the interference

H. Special Features and Notes on Friendly Captcha

  • Privacy-friendly: Friendly Captcha is deliberately designed as a privacy-friendly alternative to Google reCAPTCHA. There is no behaviour-based tracking.
  • No consent required: Because Friendly Captcha is based on legitimate interests, no cookie banner is necessary. This is a major practical advantage.
  • European provider: Friendly Captcha GmbH is based in Germany (Wörthsee, Bavaria). Data is processed on EU servers.
  • GDPR-compliant: Friendly Captcha is explicitly designed to be GDPR-compliant and presents itself as an alternative to US providers.
  • Processor: Friendly Captcha acts as a processor (Art. 28 GDPR) – there is a processor relationship between the website operator and Friendly Captcha.
  • DPA: A Data Processing Agreement should be in place. This may be set out in the terms of use or concluded separately.
  • Proof-of-work load: The proof-of-work procedure places a minimal load on the user's browser (CPU/battery), but is not entirely invisible. Some users may notice delays (a few seconds).
  • Not an alternative to strong authentication: Friendly Captcha is bot protection, not an authentication method (e.g. not recommended for login pages with highly sensitive data).

J. Conclusion and Recommendation on Friendly Captcha

Summary: Friendly Captcha is a privacy-friendly, GDPR-compliant CAPTCHA solution from a German provider. It is based on legitimate interests and does not require consent.

Advantage over Google reCAPTCHA: Friendly Captcha does not track user behaviour, does not collect profiling data, and does not require a cookie banner. This makes implementation simpler and more data-protection-compliant.

Security vs. data protection: Friendly Captcha shows that effective bot prevention is also possible without invasive tracking. The proof-of-work approach is elegant and privacy-friendly.

Recommended approach: Friendly Captcha should be mentioned in the privacy policy under a brief heading "Security and abuse protection". Due to the minimal data processing and the absence of tracking, the description can be very concise.

This article serves as general information on Friendly Captcha and does not replace legal advice in individual cases. As of: 2026-04-22.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been recognised by Handelsblatt continuously from 2020 to the present (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
