I suspect you are not even allowed to force people to accede to the cookies which protect your site from spammers. Bonkers.

In any case, the cookie “_GRECAPTCHA” used was not a technically necessary cookie and consent would therefore have had to be obtained. Implementing this service with [that cookie] could not be considered a technical necessity. For the reasons set out above, the data processing that followed the implementation of Google services (…) was not covered by any justification under Article 6(1) GDPR, which is why there was a violation of the right to confidentiality.

https://www.ris.bka.gv.at/Dokumente/Bvwg/BVWGT_20240913_W298_2274626_1_00/BVWGT_20240913_W298_2274626_1_00.html

Via

https://www.linkedin.com/posts/dr-carlo-piltz-631571b_entscheidungsdatum-activity-7270422586419761153-9YgE