Google Adds Hand‑Gesture Verification to reCAPTCHA, Prompting New Privacy & Consent Considerations
What Happened — Google’s reCAPTCHA, part of Google Cloud Fraud Defense, now offers a hand‑gesture verification option. The feature captures short video clips of a user’s hand, extracts 21 landmark coordinates, and discards the footage after the check. Camera access is required, but Google states the data is not linked to a user’s identity, audio is never recorded, and no third‑party sharing occurs.
Why It Matters for Compliance & Audit Readiness
- The new capture of biometric‑like data (hand landmarks) triggers privacy‑law obligations (GDPR Art. 9, CCPA) and requires documented consent and data‑retention policies.
- Organizations must evidence that any additional data collection is covered by their privacy impact assessments and that users can revoke camera permissions, aligning with SOC 2 CC3.1 (Privacy) and CC5.2 (System Operations).
- Accessibility alternatives must be documented to satisfy both regulatory accessibility mandates and SOC 2 CC6.1 (Security Awareness & Training).
Who Is Affected – SaaS platforms, e‑commerce sites, financial‑services portals, and any web application that embeds Google reCAPTCHA for login, registration, password reset, or checkout flows.
Recommended Actions
- Conduct a Data Protection Impact Assessment (DPIA) for the hand‑gesture feature and update privacy notices to reflect the new video capture.
- Verify that consent mechanisms (explicit opt‑in, revocation ability) are in place and that the data‑deletion timeline is auditable.
- Ensure alternative verification methods (visual/audio) remain available for users with accessibility needs and document this in your SOC 2 controls.
- Map the new data‑handling steps to your continuous‑compliance evidence collection process.
Technical Notes – The verification uses on‑device video analysis to extract 21 hand‑knuckle coordinates; no audio is recorded and the video is deleted after processing. Google asserts no identity linkage or third‑party sharing. Source: Help Net Security