CNIL: Google reCAPTCHA needs consent under ePrivacy Directive
Facts
The French Data Protection Authority CNIL imposed a fine of 125,000 EUR on the company CITYSCOOT on March 16, 2023 (press release). CITYSCOOT offers short-term rental of e-scooters. The DPA considered the almost permanent tracking of the scooters a violation of the customers' privacy. In addition, the DPA identified other data protection violations and in this context also commented on the use of Google reCAPTCHA: CITYSCOOT used Google's reCAPTCHA mechanism for login and registration. The CNIL criticized that users were not informed about the access to information on terminal equipment when using reCAPTCHA. Also, the consent of the users was not obtained for such a procedure, which is in violation of French data protection law (Art. 82 of the French data protection law "Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés").
Position of CITYSCOOT
CITYSCOOT held that reCAPTCHA was used solely to secure an authentication mechanism and was necessary to ensure the security of the service. The service had been requested by the user in order to register for or log in to CITYSCOOT's service. Thus, an exception to the consent requirement applies (implementation of Art. 5 (3) of the ePrivacy Directive; in Germany, Sec. 25 (2) No. 2 TTDSG). Neither CITYSCOOT itself nor Google would have to obtain consent. The fact that the reCAPTCHA mechanism, which is directly integrated into the website, provides for a link referring to Google's privacy policy indicates that Google considers itself to be the controller and must inform the users. In any case, this was not the task of CITYSCOOT. CITYSCOOT was also not at all in a position to change the presentation of the reCAPTCHA mechanism and to include a checkbox for consent or another information link.
Decision of the CNIL
The CNIL points out that it is part of the website operator's obligations to make sure that its partners do not use any functions via its website that violate applicable data protection regulations. The CNIL thus also assigns a responsibility to the website operator in such cases. The website operator is often the only point of contact for Internet users. The operator had decided to use the reCAPTCHA mechanism and thus enabled the reading and writing of information on the terminal equipment of the users. Therefore, the operator would have to provide the prior information and obtain consent, either on its own or together with the cookie operator.
According to the CNIL, the controller may invoke an exception to the information and consent requirement if the read or write operations in a user's terminal equipment serve exclusively to secure an authentication mechanism for the benefit of users, but not if these operations also serve other purposes that are not strictly necessary for the provision of a service. In the view of the CNIL, Google's reCAPTCHA mechanism not only serves to secure the authentication mechanism for the benefit of users, but also enables analysis on the part of Google. Google also informs the companies that use the reCAPTCHA mechanism about this in its terms of use, stating that it is the responsibility of these companies to inform the users and to obtain their consent to the collection and transfer of data to Google.
Therefore, in the present case, CITYSCOOT would have been obliged to inform the users and obtain their consent.
Privacy, Data Protection, Compliance | CIPP, CIPM, FIP
1 year ago: CNIL took a similar view with a Bing anti-ad fraud cookie, which was allegedly also used to profile users for advertising-related uses. As in, if you are a human and not a bot we can serve you tailored ads.
WebbPlatsen i Sverige AB
1 year ago: Excellent
Partner @ ALPMANN FRÖHLICH | Certified Specialist Lawyer for IT Law & International Business Law | Data, Commercial, AI & Marketing
1 year ago: Understandable, may provide somewhat more legal certainty...