If you’re a WordPress website owner and your site uses Gravity Forms with reCAPTCHA, you need to know about upcoming changes to Google’s reCAPTCHA terms of service. 

The TL;DR takeaway is that Google will no longer take responsibility for data collected by your forms, so you need to tweak your privacy policy to protect your business from liability.

What the heck is reCAPTCHA?

Google’s reCAPTCHA has several cybersecurity capabilities, but for the purposes of this article, it helps website owners combat bots that attack their sites with spam via forms.

The tool adds those “I’m not a robot” pop-up boxes that you have to interact with when completing a form. The added step of checking a box or identifying objects in images prevents a large portion of spam from getting through.

Some sites may not use the pop-up checkbox functionality, and just use reCAPTCHA’s other bot-detecting capabilities (such as mouse movement). In either case, you can see the reCAPTCHA badge near the form.

[Screenshot: a website form with the reCAPTCHA badge in the lower right corner of the screen]

What’s changing?

To this point, Google has acted as the data controller for reCAPTCHA. The Government of Canada states that a data controller “must protect personal data and ensure privacy compliance.” So up until now, Google has been legally responsible for deciding how user data is handled and ensuring that it stays compliant with global privacy laws. 

This includes the data collected by your forms, such as IP addresses and email addresses. 

Starting on April 2, 2026, Google is switching to the role of data processor. You may have already received this notice:

[Screenshot: an email to a Google user describing the coming changes]

A data processor acts on behalf of the controller, but does not take any responsibility for the data collected. Google will basically be a tool that you’ve hired to process your forms’ data, while you become legally responsible for telling site visitors what you do with that data: specifically, that you send it to Google for security checks.

Are my forms going to break?!

Nope, your forms will continue to function exactly as they do now. There won’t be an interruption of service, you don’t need to adjust the settings, and you don’t need to hire a developer to help you out.  

Google will automatically update the little badge that appears in the reCAPTCHA pop-up box, but otherwise nothing changes with the form or the robot-checking process. 

You do have to update your privacy policy, and it’s a good idea to start that process now in case you want to run it by a lawyer before the April 2nd deadline. 

What changes do I need to make to my privacy policy?

With Google’s change to being a data processor, your site is no longer covered by Google’s terms of service (linked via the reCAPTCHA badge or otherwise available via the product). 

You need to add a section to your privacy policy that explicitly states:

  • That you use reCAPTCHA
  • That it collects user data
  • What kind of data it collects
  • Why you use it/why it collects that data
  • That it shares that data with Google’s servers for processing
  • That those servers may be in other regions (GDPR/EU) 

If you already have a section referencing reCAPTCHA in your privacy policy, you need to adjust any language that references data being subject to Google’s privacy policy and terms of service.

Although you can get an AI tool to write this new blurb for your privacy policy, we highly recommend either getting a lawyer to review it, or just getting a lawyer to write it for you. 

Ignoring this change and not updating your privacy policy means you’ll be using “hidden tracking” on your site. You’ll effectively be collecting users’ data without disclosure, which leaves you vulnerable to complaints or fines under laws like GDPR.