Seoxpert.io · Severity: critical · Privacy & Compliance

Google reCAPTCHA Loaded Before Consent (Schrems II Risk)

Google reCAPTCHA loads before user consent, risking unlawful EU-US data transfer under Schrems II.

By Seoxpert Editorial · Published

Why it matters

Loading Google reCAPTCHA before user consent sends personal data (such as the visitor's IP address) to Google in the US before any legal basis for the transfer exists, which can amount to an unlawful international data transfer under the GDPR as interpreted in the Schrems II ruling. This exposes sites to regulatory penalties and damages user trust, especially for EU audiences. Search engines may also flag or penalize non-compliant sites, impacting SEO.

Impact

Failure to address this issue can lead to GDPR enforcement actions, fines, and loss of user trust.

How it's detected

Automated crawlers detect requests to www.google.com/recaptcha that are issued on page load before any consent mechanism has been triggered.

Common causes

  • Embedding reCAPTCHA scripts directly in page markup without consent gating
  • Using plugins or CMS modules that auto-load reCAPTCHA
  • Lack of a consent management platform (CMP) or improper CMP integration
  • Misconfigured tag managers triggering reCAPTCHA before consent
  • Not updating legacy forms or widgets relying on reCAPTCHA

How to fix it

Replace Google reCAPTCHA with privacy-friendly alternatives like Cloudflare Turnstile, hCaptcha (with EU option), or Friendly Captcha (EU-hosted). If you must use reCAPTCHA, ensure it only loads after explicit user consent via your consent management platform. Update all forms and scripts to respect consent before initializing reCAPTCHA.

Code examples

Problem: reCAPTCHA loaded without consent

<!-- Fetches api.js from www.google.com on every page load, so the visitor's IP and browser data reach Google before any consent is collected -->
<script src="https://www.google.com/recaptcha/api.js" async defer></script>

Fix: Load reCAPTCHA only after consent

// userHasConsented() is a placeholder for your CMP's stored-consent check
// for the purpose that covers third-party / US data transfers.
if (userHasConsented()) {
  // Inject the tag only now, so no request to www.google.com is made otherwise
  var script = document.createElement('script');
  script.src = 'https://www.google.com/recaptcha/api.js';
  script.async = true;
  script.defer = true;
  document.head.appendChild(script);
}
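The check above only covers consent that is already stored when the page loads; a visitor who accepts the banner after load would never get the widget. The following added example (not from the Seoxpert page) shows a consent gate that also reacts to consent granted later in the session and never injects the tag twice. The CMP interface (hasConsent / onConsentChange) and the in-memory stand-in are assumptions for illustration; adapt them to your consent platform's API.

```javascript
// Added example, not Seoxpert's code. The CMP shape below is an assumption.
const RECAPTCHA_SRC = 'https://www.google.com/recaptcha/api.js';

function createRecaptchaGate(cmp, inject) {
  // cmp.hasConsent(): current state of the purpose covering the US transfer
  // cmp.onConsentChange(cb): cb(granted) fires on every consent change
  // inject(src): appends the script tag (injectable so this runs without a DOM)
  let loaded = false;
  const loadIfAllowed = () => {
    if (loaded || !cmp.hasConsent()) return false;
    loaded = true;                     // guard: never append the tag twice
    inject(RECAPTCHA_SRC);
    return true;
  };
  loadIfAllowed();                     // case 1: consent stored from an earlier visit
  cmp.onConsentChange((granted) => {   // case 2: banner accepted later in this session
    if (granted) loadIfAllowed();
    // A revocation cannot unload an already-fetched script; a reload is needed.
  });
  return { isLoaded: () => loaded };
}

// Browser injector; does nothing outside a DOM (e.g. when run under Node).
function injectScriptTag(src) {
  if (typeof document === 'undefined') return;
  const s = document.createElement('script');
  s.src = src; s.async = true; s.defer = true;
  document.head.appendChild(s);
}

// Constructed in-memory CMP stand-in used to exercise both paths.
function fakeCmp(initial) {
  let granted = initial;
  const subs = [];
  return {
    hasConsent: () => granted,
    onConsentChange: (cb) => { subs.push(cb); },
    grant() { granted = true; subs.forEach((cb) => cb(true)); },
    revoke() { granted = false; subs.forEach((cb) => cb(false)); },
  };
}

if (typeof document !== 'undefined') {
  // Real page: wire the gate to your CMP object in place of fakeCmp(false).
  createRecaptchaGate(fakeCmp(false), injectScriptTag);
}
```

Once the tag has been fetched, withdrawing consent cannot undo the transfer already made; the gate therefore treats a later revocation as "do not load on the next page view" only.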

FAQ

Why is loading Google reCAPTCHA before consent a GDPR issue?

Because it transfers personal data (such as the IP address) to Google in the US before the user has given explicit consent, which violates the GDPR's transfer requirements as clarified by the Schrems II ruling.

What are alternatives to Google reCAPTCHA that are GDPR-compliant?

Cloudflare Turnstile, hCaptcha (with EU data option), and Friendly Captcha (EU-hosted) are GDPR-friendly alternatives.

Can I keep using Google reCAPTCHA if I gate it behind consent?

Yes, but you must ensure reCAPTCHA only loads after the user has given explicit consent for data transfer.

How do I know if my site loads reCAPTCHA before consent?

Check your site’s network requests on page load or use automated privacy compliance tools to detect pre-consent loading of reCAPTCHA.
