Mette Nielsen  |  15/06/2022

Why businesses should care about CAPTCHA

With changing rules and technology, it is important to understand CAPTCHAs, how they work, and why they are needed. Here are the basics.

CAPTCHAs have evolved from simple letter sequences into a variety of more complex challenges or user behaviour assessments. For businesses with an online presence, CAPTCHAs are an important part of site security and performance. However, with constantly changing rules and technology, it is important to understand how CAPTCHAs work, why they are used and whether they are keeping up with the times.

What are CAPTCHAs?

An acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart,” CAPTCHA has been around since the 2000s as a way to validate that a user is in fact human, and not just a bot crawling the internet.

CAPTCHAs stop bots from performing tasks on your website that you don’t want them to perform, such as signing up through forms, requesting quotes, or writing comments. Bots are computer programs that are engineered to perform specific actions. They can cause unwanted traffic and slow down services for legitimate users. Some bots are beneficial, for example those Google uses to crawl websites for its search results. But many are unwanted or harmful.

CAPTCHAs are a way to control and restrict bot access to certain services on a website where it is important that only legitimate users get access.

How do CAPTCHAs work?

Most CAPTCHAs work by giving the user a challenge that only a human can solve. The classic example would be a string of obscured letters and numbers that the user must type out. Bots have traditionally not been able to decipher these but are slowly becoming more sophisticated. This has led to an evolution in CAPTCHA challenges, such as image recognition and checkboxes. Image-recognition CAPTCHAs give the user several different images in a grid. The user must pick the pictures that contain the correct object, such as traffic lights, buses or pedestrian crossings.

Some CAPTCHAs also assess the user’s behaviour on the website, without interacting with them directly. If a user for example enters the homepage of a website, navigates to sign up for a newsletter and completes that signup, all in less than a second, that is a strong indicator that it is a bot. It would then trigger a CAPTCHA challenge. If the user on the other hand spent a few minutes on a blog post, scrolled down to the bottom of the page, and then signed up for the newsletter, they are more likely a genuine user.
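The timing signal described above can be sketched in a few lines of server-side code. This is an added example, not code from Mono or from any CAPTCHA provider; the function names, the key and the two thresholds are assumptions made for illustration. The page issues a signed token when it is rendered, and the form handler compares the issue time with the submission time to decide whether to show a challenge.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumptions for this example: a server-side key and two thresholds.
SECRET_KEY = b"constructed-demo-key"  # load from server configuration in practice
MIN_SECONDS = 3.0      # a form completed faster than this looks automated
MAX_SECONDS = 3600.0   # tokens older than this are treated as stale


def _sign(issued_at: str) -> str:
    """HMAC over the issue time so the client cannot alter it."""
    return hmac.new(SECRET_KEY, issued_at.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now: Optional[float] = None) -> str:
    """Call when the page is rendered; place the result in a hidden form field."""
    ts = time.time() if now is None else now
    issued_at = f"{ts:.3f}"
    return f"{issued_at}.{_sign(issued_at)}"


def assess_submission(token: str, now: Optional[float] = None) -> str:
    """Return 'allow' or 'challenge' (show a CAPTCHA) for a submitted form."""
    now = time.time() if now is None else now
    issued_at, sep, signature = token.rpartition(".")
    # Missing or modified tokens are never trusted.
    if not sep or not hmac.compare_digest(_sign(issued_at).encode(), signature.encode()):
        return "challenge"
    elapsed = now - float(issued_at)
    if elapsed < MIN_SECONDS or elapsed > MAX_SECONDS:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    token = issue_form_token(now=1000.0)          # constructed timestamps
    print(assess_submission(token, now=1000.4))   # signup in under a second
    print(assess_submission(token, now=1180.0))   # signup after three minutes
```

The token carries only an issue time and its signature. The result decides when to show a challenge and does not replace the challenge itself.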

The issue with customer behaviour CAPTCHAs is that they rely on user data to work. That can be an issue when it comes to GDPR. More about that below. 



GDPR states you must have a legal basis for processing data. The data must also be proportionate to need (you cannot collect more data than you would reasonably need for a task) and you cannot send personally identifiable data (PII) out of the EEA or UK.

Many CAPTCHA providers process user behaviour data to build predictions on whether someone is a bot or not. This data would be processed in the country in which the provider is located, often outside the EEA and UK. Google’s reCAPTCHA is one example. It is also possible that the amount of data collected for this purpose exceeds what the rules of proportionality allow.

Standard Contractual Clauses (SCCs) can however be used to safeguard how the data is being processed, so it is possible to remain compliant through extra steps, but the safer option is to choose a provider which does not process personal data as a default.

Some CAPTCHAs do not need personal data to work. Image recognition can for example be done without gathering any data except a record of which images have been chosen by the user. Whether this image data is processed outside of the EEA or the UK is less important, as it is not personally identifiable. Mono Solutions uses hCaptcha’s image-recognition challenges for this reason.


Why care about CAPTCHAs

CAPTCHAs are an important part of the security and performance of your website, but as technology and regulations change, CAPTCHA challenges must keep up. That is why it is important for online businesses to care about which CAPTCHA challenges are in use on their websites. Businesses must choose the providers and challenges that are sophisticated enough to protect their website, but which also comply with regulations.


About Mono  

Mono was founded on the belief that all small businesses deserve the same level of online presence and performance as larger companies. With Mono platforms and products, we want to provide small businesses an all-in-one solution to boost their online presence and sell more. We not only want to provide the digital tools to fulfil their digital presence needs, but we also want to share inspiration for small business owners and web designers for their digital journey.