By Vladislav Rajtmajer · 8 min read

A GDPR-Compliant reCAPTCHA Alternative for EU Developers

reCAPTCHA in 2026: Google dropped to processor, the controller role is now yours alone, and the free tier is 10k per org. Here's the EU-hosted alternative.

For nearly two decades, reCAPTCHA was the default. You dropped in two script tags, added a checkbox, and never thought about it again. In 2026 that calculus changed, and if you build for EU users, it changed in ways worth a second look.

This isn't a "reCAPTCHA is dead" post. It isn't dead. It still works, it still blocks bots, and for plenty of sites it's still fine. But the terms shifted, the pricing shifted, and the GDPR position shifted onto you. I built captchaapi.eu as an EU-native alternative, so I have a horse in this race. I'll be straight about where reCAPTCHA still wins.

TL;DR

                               | reCAPTCHA                                                 | captchaapi.eu
Free tier                      | 10,000/mo, per organization                               | 10,000/mo, commercial OK
Entry paid tier                | $8/mo above the free tier                                 | €9/mo Starter (20,000 req)
EU-only data residency         | No, US-anchored processors                                | Default (Hetzner Nuremberg)
Cookies / cross-site profiling | Yes                                                       | None
Cookie banner needed           | Yes                                                       | No
GDPR role                      | Sole controller (Google dropped to processor, April 2026) | I'm your processor, pre-signed DPA
Google Cloud account           | Required beyond the free tier                             | Not needed
Over your quota                | Free: errors. Paid: metered overage                       | Free: cap. Paid: keeps serving, no overage bill

If you build for EU users and you'd rather not wire up a cookie banner or a Google Cloud billing account, that's the whole pitch. The detail is below.

What actually changed in 2026

Three things, all from Google's own documentation and migration notices.

Google offloaded the controller role onto you. As of April 2, 2026, Google shifted from joint controller to data processor for reCAPTCHA. You were always a controller (you choose why and how the captcha runs), but Google previously shared that role and processed data for its own purposes too. Now that responsibility sits squarely with you, and Google's own notice tells you to remove references to Google's Privacy Policy and Terms of Use from your site.

It now lives inside Google Cloud. Classic reCAPTCHA keys were folded into Google Cloud projects through 2025, completing in Q1 2026. New Classic keys are no longer issued. To use reCAPTCHA beyond the free tier you need a Google Cloud project with a billing account and a credit card on file.

The free tier is 10,000 per organization. Not per site. Per organization, aggregated across every account and every site you run. If you manage three sites, they share one 10,000-assessment bucket. Cross it without billing enabled and reCAPTCHA returns errors for additional assessments. Above the free tier: $8/month flat up to 100,000, then $1 per 1,000 beyond that.

None of this is catastrophic. But it's the kind of structural change that makes "I'll just use reCAPTCHA, everyone does" worth re-examining. Especially the GDPR part.

The GDPR problem (the real headline)

This is the part that matters most for EU developers, and it predates the 2026 changes.

When a visitor hits a reCAPTCHA-protected page, Google sets cross-site cookies, harvests browser metadata (user agent, screen resolution, fonts, timezone, language), and computes a risk score based on that visitor's activity across every Google property and every reCAPTCHA-protected site they've touched. Google calls it "advanced risk analysis". Under GDPR, that's profiling under Article 4(4).

Two consequences follow.

First, data leaves the EU. Google's processors are global and anchored in the US. Since Schrems II invalidated Privacy Shield in 2020, transfers to the US have rested on Standard Contractual Clauses plus a transfer impact assessment that has to acknowledge the surveillance risk the CJEU flagged. The 2023 EU-US Data Privacy Framework restored an adequacy route for certified importers, but it's already facing legal challenge, and either way you're leaning on a US transfer mechanism rather than keeping the data in the EU to begin with.

Second, you need the cookie banner. Cookies plus profiling plus non-essential data collection means consent. That's a CMP integration, a DPO sign-off, and friction on every visitor before they even reach your form. EU regulators have backed this up with fines. In March 2023 France's CNIL fined Cityscoot €125,000, and deploying reCAPTCHA without prior consent under Article 82 of the French Data Protection Act was one of the grounds (decision SAN-2023-006).

A proof-of-work CAPTCHA sidesteps the whole chain. No cookies, no cross-site profiling, no transatlantic transfer, no banner. If you want the mechanics, I wrote up how proof-of-work replaces cookies in a separate post.

Where captchaapi.eu is genuinely stronger

I'll keep this to things that are true and checkable.

No cookies, no tracking. The proof-of-work runs in the browser. The only identifier touched server-side is the visitor's IP, immediately hashed (SHA-256 with a per-deployment salt), held in cache for minutes, and never written to disk or a database. There's no cross-site graph because there's nothing to correlate.

EU-only by default. Hosted on Hetzner in Germany. Data never leaves the EU. Not as a premium add-on, as the baseline. No SCCs, no transfer impact assessment.

No cookie banner needed. Nothing to consent to means nothing to ask about. Your form works on first paint.

The compliance paperwork is done for you. A pre-signed DPA sits on the legal page. Grab it, staple it to your file, done. Lead supervisory authority is the Czech ÚOOÚ. Sub-processor list is published with a 30-day change-notice commitment.

No Google Cloud account, no credit card to start. Sign up, integrate, ship. The free tier is 10,000 requests/month with commercial use allowed; paid Starter is 20,000 for €9 with no cloud project to wire up.

No surprise overage bill. Tier-for-tier, to be precise. A reCAPTCHA project that crosses 10,000 without billing enabled starts returning errors, and your form can fail; turn billing on and it keeps serving but meters you ($8 flat to 100,000, then $1 per 1,000 over). On captchaapi.eu's paid tiers, going over your monthly quota also keeps serving, but it doesn't auto-bill you for the overflow: challenges stay at the normal difficulty, forms keep submitting, and you get a heads-up email to upgrade when it suits you. To be straight, my Free tier includes 10,000/month; reaching that cap stops service until you upgrade or the cycle resets. (A separate per-project ceiling absorbs active botnet attacks; under normal traffic it's unreachable.)

A lighter page. The widget is around 19 KB minified versus reCAPTCHA's several-hundred-KB payload. You'll see it in your Core Web Vitals.

Where reCAPTCHA still wins

A comparison that only flatters its own side isn't worth reading.

  • Brand recognition. Every dev has heard of reCAPTCHA. Mine, not yet. If your stakeholder needs a name they recognize, that's a real factor.
  • A more battle-tested free tier. reCAPTCHA's free tier is 10,000/month and mine matches it with commercial use allowed, but reCAPTCHA's has years of production hardening, and its per-organization pooling can suit multi-site orgs. For heavier production use, my €9 Starter steps up to 20,000.
  • Risk intelligence at scale. reCAPTCHA sits on an enormous behavioral dataset and a mature risk engine. For high-value fraud targets (payment flows, account takeover), that depth is hard to match, and it's exactly the part that creates the GDPR friction.
  • Maturity. Two decades in production, every CMS integration imaginable, battle-tested at a scale I'm nowhere near.

If you need a globally recognized name on a high-fraud surface and the GDPR overhead is something your legal team is happy to carry, reCAPTCHA is a defensible choice. captchaapi.eu is built for the EU developer who'd rather not carry that overhead at all.

If you've already ruled out reCAPTCHA and you're weighing privacy-first options against each other, I also put captchaapi.eu head-to-head with Friendly Captcha.

The hybrid option for Laravel developers

You don't have to pick one CAPTCHA for your whole app. A pattern I like: keep reCAPTCHA's risk engine where fraud cost is highest (a payment or high-value checkout flow), and use a privacy-first proof-of-work CAPTCHA everywhere else (signup, login, password reset, contact forms) where you mostly want spam defense without the cookie banner on every page.

In Laravel, wiring captchaapi.eu into those routes is a Composer install and a validation rule.

composer require captchaapi/laravel
php artisan vendor:publish --tag=captchaapi-config

Set your keys in .env:

CAPTCHAAPI_SITE_KEY=pk_live_...
CAPTCHAAPI_SECRET_KEYS=sk_live_...

Drop the widget into your layout <head>:

<x-captchaapi::widget />

Add data-captcha to the form you want protected:

<form action="/contact" method="POST" data-captcha>
    @csrf
    <input type="email" name="email" required>
    <button type="submit">Send</button>
</form>

Validate the attestation in your controller:

$request->validate([
    'email'               => ['required', 'email'],
    'captcha_attestation' => ['required', 'captcha'],
]);

That's it. Verification is a local HMAC check against your secret key. Pure PHP, no server-to-server round trip on every submit. Leave reCAPTCHA on the checkout, run proof-of-work on the rest, and only the high-fraud route carries the cookie banner.

Livewire gets first-class support too:

use Captchaapi\Laravel\Concerns\WithCaptcha;
use Livewire\Component;

class RegisterForm extends Component
{
    use WithCaptcha;

    public string $email = '';

    public function register(): void
    {
        $this->validateWithCaptcha([
            'email' => 'required|email',
        ]);

        // captcha_attestation validated, proceed
    }
}

Replay protection (each attestation accepted once within its TTL) is on by default and uses your app's cache. There's a kill-switch (CAPTCHAAPI_ENABLED=false) for local and CI, and a FakeCaptchaapi helper so your feature tests don't need real attestations.
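To make the two server-side checks concrete (the local HMAC verification from the controller snippet, and the once-per-TTL replay guard), here is a stand-alone sketch written for this post. It is an added example, not the captchaapi/laravel package's code: the attestation layout (base64url JSON claims, a dot, a base64url HMAC-SHA256 tag), the claim names jti and iat, and the idea that the plural CAPTCHAAPI_SECRET_KEYS exists so you can rotate secrets are all assumptions made for illustration. The key strings in the demo are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not the captchaapi/laravel package's code. The attestation format
// (base64url(JSON claims) . "." . base64url(HMAC-SHA256 tag)) and the claim names
// "jti"/"iat" are assumptions made for illustration only.

final class AttestationVerifier
{
    private array $seen = [];   // attestation id => unix time it may be forgotten; stands in for the app cache

    /** @param string[] $secretKeys current key first, older keys after it, so rotation never rejects in-flight tokens */
    public function __construct(private array $secretKeys, private int $ttlSeconds = 300) {}

    public static function b64urlEncode(string $raw): string
    {
        return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    }

    public static function b64urlDecode(string $s): string|false
    {
        $pad = strlen($s) % 4;
        if ($pad !== 0) {
            $s .= str_repeat('=', 4 - $pad);
        }
        return base64_decode(strtr($s, '-_', '+/'), true);
    }

    /** Mints an attestation under one key, the way an issuer sharing that key would (demo helper). */
    public static function issue(array $claims, string $secretKey): string
    {
        $payload = self::b64urlEncode(json_encode($claims, JSON_THROW_ON_ERROR));
        return $payload . '.' . self::b64urlEncode(hash_hmac('sha256', $payload, $secretKey, true));
    }

    /** Returns null when the attestation is accepted, otherwise a short rejection reason. */
    public function verify(string $attestation, int $now): ?string
    {
        $parts = explode('.', $attestation, 2);
        if (count($parts) !== 2) {
            return 'malformed';
        }
        [$payload, $tagB64] = $parts;

        // 1. Integrity first, compared in constant time against every configured key.
        $given = self::b64urlDecode($tagB64);
        if ($given === false) {
            return 'bad_signature';
        }
        $signed = false;
        foreach ($this->secretKeys as $key) {
            if (hash_equals(hash_hmac('sha256', $payload, $key, true), $given)) {
                $signed = true;
                break;
            }
        }
        if (!$signed) {
            return 'bad_signature';
        }

        $json   = self::b64urlDecode($payload);
        $claims = $json === false ? null : json_decode($json, true);
        if (!is_array($claims) || !isset($claims['jti'], $claims['iat'])) {
            return 'malformed';
        }

        // 2. Freshness: nothing older than the TTL, nothing dated in the future.
        $iat = (int) $claims['iat'];
        if ($iat > $now || $now - $iat > $this->ttlSeconds) {
            return 'expired';
        }

        // 3. Single use. An id only needs remembering until the token would expire anyway,
        //    so the cache stays bounded; a TTL-aware cache store does this pruning for you.
        foreach ($this->seen as $id => $until) {
            if ($until <= $now) {
                unset($this->seen[$id]);
            }
        }
        $id = (string) $claims['jti'];
        if (isset($this->seen[$id])) {
            return 'replayed';
        }
        $this->seen[$id] = $iat + $this->ttlSeconds;
        return null;
    }
}

// Demo with constructed values; the key strings are placeholders, not real secrets.
$now      = 1_700_000_000;
$verifier = new AttestationVerifier(['sk_live_NEW_PLACEHOLDER', 'sk_live_OLD_PLACEHOLDER']);

$fresh    = AttestationVerifier::issue(['jti' => bin2hex(random_bytes(16)), 'iat' => $now - 10], 'sk_live_NEW_PLACEHOLDER');
$stale    = AttestationVerifier::issue(['jti' => 'stale-id', 'iat' => $now - 600], 'sk_live_NEW_PLACEHOLDER');
$rotated  = AttestationVerifier::issue(['jti' => 'rotated-id', 'iat' => $now - 5], 'sk_live_OLD_PLACEHOLDER');
$tampered = ($fresh[0] === 'e' ? 'f' : 'e') . substr($fresh, 1);   // one byte of the signed payload changed

foreach (['first submit' => $fresh, 'same token again' => $fresh, 'tampered payload' => $tampered,
          'past its TTL' => $stale, 'signed by old key' => $rotated] as $label => $att) {
    printf("%-18s %s\n", $label . ':', $verifier->verify($att, $now) ?? 'accepted');
}
```

The order of the checks is the point worth keeping: signature before parsing, so untrusted JSON is never decoded until it is known to come from the issuer; freshness before the replay lookup, so expired tokens never touch the cache; and the replay entry expires together with the token, which is what lets a plain cache store (the `seen` array here, your Laravel cache in the package's case) serve as the single-use record without growing forever.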

Want to try it on a real form? Grab a free site key and you'll be running in a minute. No card, no Google Cloud project.

Bottom line

reCAPTCHA didn't die in 2026. It moved into Google Cloud, dropped to processor so the controller role sits with you alone, and tightened the free tier. For an EU developer, the GDPR position was the awkward part long before any of that: cross-site profiling, US transfers, and a mandatory cookie banner on every protected page.

If you want bot defense that's GDPR-compliant by default, EU-hosted, cookie-free, and doesn't ask you to wire up a Google Cloud billing account, captchaapi.eu is built for exactly that. And if you're not ready to move everything, the hybrid pattern lets you keep reCAPTCHA where its risk engine earns its keep and go privacy-first everywhere else.

Start free →

Or look at the pricing first.


captchaapi.eu is built and operated by Vladislav Rajtmajer in Plzeň, Czech Republic. EU-hosted on Hetzner Germany. Read the DPA · Laravel package on GitHub

Sources: Google Cloud reCAPTCHA documentation (billing, tiers, quotas) and Google's April 2026 data-processor migration notice, verified May 2026. Verify current pricing and terms on Google's site before making a decision.
