I haven’t really found anything elsewhere regarding Turnstile specifically.

Turnstile presents itself as a zero-trust CAPTCHA solution; however, I’m not sure how to handle it with regard to the GDPR.

Isn’t including the script tag without the user’s consent already a breach of the GDPR, as sensitive data such as the user’s IP and referer are being communicated to foreign servers? To me this seems comparable to outright including Google Fonts, which has right now opened up a whole wave of written warnings, at least here in Germany.

As such, my question is:
Will I need to ask for the user’s permission to include Turnstile and enable the CAPTCHA (i.e. on all forms that I want to protect via Turnstile)?

Thank you for your support.

Usual disclaimer: This is not legal advice. Courts tend to rule wildly differently with regard to the GDPR/DSGVO, so it’s hard to make any definite prediction.

With that out of the way… The GDPR explicitly allows using technical information where reasonably necessary. For example, you don’t need to ask for cookie permission if you only ever use a session ID cookie.
Safety and security are considered a technical necessity to run a site. So using available technical information to ensure safety and security is within reasonable use and is permissible.

The Google Fonts related wave of written warnings this year was partly a scam. The underlying court verdict specifically referred to the problem of not only using GF, but also of the wide and constant tracking employed by Google, which is again facilitated by using GF directly from their servers.
Cloudflare does not widely track people, Cloudflare does not have a virtual monopoly on search, and Cloudflare is not a large ad company.

Lastly, a well-crafted privacy policy on your website, clearly detailing the use of Turnstile, always helps.

tl;dr: Turnstile is very likely within the bounds of permissive use of technical measures for safety and security. Furthermore, the specific basis of the Google Fonts verdict simply doesn’t apply to Turnstile / Cloudflare.

That said, I’d be curious myself whether Cloudflare has any further certifications, as the compliance documents are a bit lacking there. AFAIK there are TÜV (German) certifications available, and the “trusted data processor” self-certification initiative has just got off the ground as well.
That said, Cloudflare’s GDPR and DPA are in rather good shape.

Thank you Stephan! This helped me a lot!

GDPR explicitly allows using technical information where reasonably necessary.

I was aware of this passage within the GDPR but not sure if it would also apply to Turnstile.

