reCAPTCHA Change: April 2026

What Google’s update means for your website (and what to change)

Google has announced a reCAPTCHA change in April 2026 that affects how data submitted to reCAPTCHA is handled. From 2 April 2026, Google says it will switch from acting as a data controller to a data processor for reCAPTCHA, processing data “strictly for your use” in the service. If you want a quick hands-on check of where reCAPTCHA appears on your site (forms, pop-ups, login pages), you can get in touch with Phoenix Web Services and we’ll point you to the exact places that usually need updating.

The key point is this: your website’s user-facing wording may need to change, even though the reCAPTCHA feature itself is not expected to change.

What’s actually changing?

In plain terms, the role change affects the legal framing of who decides how personal data is used:

  • A controller decides the purposes and means of processing.
  • A processor processes personal data on behalf of the controller, following instructions.

That controller vs processor distinction is a core concept in UK GDPR governance. (If you’re not sure which role applies to which part of your site, it’s worth reading the ICO’s guidance for context.)

Google’s notice says that, from 2 April 2026, reCAPTCHA data processing will be governed by Google’s Cloud Data Processing Addendum.

What you need to do by 2 April 2026

Google’s email includes one very practical action that many sites will miss:

1) Remove references to Google’s Privacy Policy and Terms of Use (where they are shown “in connection with reCAPTCHA”)

If your site currently displays wording like:

  • “Protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply”
  • Any footer/form note that explicitly points to Google Privacy Policy / Terms in relation to reCAPTCHA

…Google’s message indicates those references need to be removed from 2 April 2026.

This often appears:

  • under contact forms
  • on quote / booking forms
  • in comment forms
  • on login or registration pages (membership plugins)
  • in pop-ups or sticky bars added by a forms plugin or theme template

2) Check whether your privacy policy needs a small wording update

Even if you remove the Google Terms/Privacy references near the form, your privacy policy may still mention reCAPTCHA.

A sensible update is usually:

  • a clearer sentence explaining you use reCAPTCHA to reduce spam and abuse
  • who the service provider is (Google)
  • that the service processes data as part of bot protection

Because this crosses into compliance specifics, it’s best treated as general information rather than legal advice. If you have a privacy adviser, run your exact wording past them.

3) Confirm what type of reCAPTCHA you’re using

Not all implementations show the same notices.

Common setups include:

  • reCAPTCHA added by a forms plugin
  • reCAPTCHA embedded by a theme/template
  • reCAPTCHA added via a security plugin
  • reCAPTCHA Enterprise (Google Cloud)

The “where to change it” depends on which of these you’re using. If you only update one place, the old wording can still be sitting elsewhere.

A quick WordPress checklist (5 minutes)

If you want a fast DIY scan to help before the reCAPTCHA Change in April 2026:

  • Search your site text (including footer widgets) for: “reCAPTCHA”, “Privacy Policy”, “Terms of Service”, “protected by”
  • Check your main forms: Contact, Quote/Enquiry, Newsletter sign-up
  • Check your login page (especially if you use a membership or learning plugin)
  • Check pop-ups (they often have separate form settings)
  • Check your cookie/consent tools (some add reCAPTCHA-related notes automatically)

If you find the wording but cannot locate where it’s being injected, it’s usually coming from a plugin setting or a template file rather than the page editor.

Why this matters beyond “legal wording”

Even when functionality does not change, trust signals do.

If a user sees outdated legal references, it can:

  • reduce confidence (especially for service businesses taking enquiries)
  • increase drop-offs on forms
  • create inconsistency between your form notices and your privacy policy

In other words, it’s a small change that protects the smoothness of your enquiry journey.

One helpful source to bookmark

Google’s notice points customers towards the Cloud Data Processing Addendum, which explains how Google processes customer data for covered services. Here it is if you need to reference it when updating your documentation:
Google Cloud Data Processing Addendum.

Next step

Remember, reCAPTCHA Change April 2026. If you’d like, Phoenix can do a quick “reCAPTCHA wording and placement” check across your site, identify every instance of the old references, and tell you exactly what to change and where (especially helpful on WordPress sites where forms and templates can add notices in multiple places)..

Request a FREE reCAPTCHA review

Author

  • AskPhoenix - The Digital Marketing Bird sunset colour drawn phoenix with wings spread Logo

    Who is AskPhoenix

    AskPhoenix is the Digital News Bird at Phoenix Web Services, sharing clear, practical insights to help small businesses thrive online. With over 25 years’ experience in internet marketing, this fiery bird keeps a close eye on the latest SEO, web design and digital trends, turning complex updates into simple, actionable news.

    You will find AskPhoenix regularly reporting on what really matters in digital marketing, both here on the Phoenix Web Services website and across your favourite social media channels.

    View all posts News Editor

Related Posts

Request A Quote
Request A Quote
Scroll to Top