Isn't it funny how they really say it up front - By all superficial accounts and impressions ReCaptcha is just a test of being a human - you found all the pictures that included parts of a bike for instance - so you've proved yourself and off you go.
But what is demonic spyware-as-a-business-model Google ACTUALLY doing?
First, what they always do - lie to your face.
Second, more specifically, capturing (CAPTCHA-ing and RE-CAPTCHA-ing) all kinds of data about you.
That is, something as easily clean as "they passed the test - move on" is really monitoring the hell out of you, sending data back to US processors, when there are perfectly more simple and elegant process for even their stated "advanced monitoring" rationale (a rationale that would not even seem necessary)
Google's secondary excuse to distract tech heads: "Oh, well if they were to be able to visit the site and then fill out a form and complete the 'order' in an inhumanly quick time then they must not be a human".
Okaaaay.. but your Turing test was supposed to screen that ANYWAY! That was the predecessor! Making any further lame, less elegant, reverse Turing test inapplicable!
But sure... let's say it would be logical to apply yet another "are you human" after you've applied a legitimate one already (it's NOT logical, but let's say) . . .
A beginning coder could program using timestamps and record locally how long it takes from beginning of interaction with website to finishing an order. Or could record how long it takes to fill out a form.
In no way, shape, or form, would that require it to be sent BACK TO THE U.S. FOR "PROCESSING".
Our main source for this analysis and discussion is an article on how a website could stay compliant with European Union privacy regs and still use ReCaptcha. Spoiler: It's not out-of-the-box compliant.

Yes... .wait for it.. F'ing google, with more money than many small countries, in no way should be expected to just make their self-contained product compliant with privacy regs for nearly an entire continent.
#Sarcasm
It's left to individual website owners to take on the risk of informed consent for web visitors.
We also mention the parallels of creeping lower levels of expectation of privacy and its parallel to U.S. Fourth Amendment (I darned well know that, but initially called it fifth amendment) search and seizure law (i.e. warrants, probable cause, and the like).
In the end, the article says exactly what I'm telling you. As regard "proportionality" of how much data you should be collecting, versus your need to collect, in terms of the concerns of privacy invasion , the United Kingdom's Information Commissioner's Office (ICO) says this is the relevant measure:
“Is the processing proportionate to that purpose, or could it be seen as using a sledgehammer to crack a nut?”
In answer, the article cited states simply:
"Google ReCaptcha V3 takes a sledgehammer approach."
The article "GDPR & Recaptcha: How to stay compliant with GDPR" on measuredcollective.com goes on with more analysis and information than covered in this podcast, including alternatives to F-ing Google, that are relatively proportionate (i.e. HCaptcha, FriendlyCaptcha).
One, wait for it, doesn't even have to use cookies.
But waaait - how could King-of-the-World Google need all this complexity but another solution needs not but a tiny fraction of what Google needs, to do "the same job"???
BECAUSE GOOGLE'S BUSINESS MODEL (that probably makes them vast NSA and/or CIA or DIA money on the "side") IS SPYWARE!!!!!!.