[whakim]

For a lot of sites, as you mention, it's payments and testing credit cards.

I have found that simply throwing a reCaptcha onto your form forces you to make a bad choice between protecting the user's privacy and creating a mostly-seamless experience: if you don't want most of your users identifying school buses, you need to send all their behavior to Google.

To get around that, I've tried layering a number of different approaches. These include outright throttling/blocking repeated form submissions from the same ip; using a honeypot field; using a third-party email verification/validation service; showing captchas only under certain very restrictive circumstances (heuristics that make a guess/overall traffic patterns); etc. It's more work, and still a bit cat-and-mouse but at least I don't feel like I'm pissing off every potential customer