As far as I know, there's quite a few things that are going towards it. For a start, it uses Javascript - which many spambots can't execute, so it's inherently stopping a lot of spambots in that regard. (depending on if the owner has configured fallback, they may see a basic HTML version of the CAPTCHA).
But more to the point of determining a 'human' click to a 'possibly robot' (and show visual CAPTCHA) click:
IP Addresses - as mentioned, being on Tor IP addresses almost certainly leads to a trigger for the visual CAPTCHA. Also, being located in certain countries seems to increase probabilities, but I can't be certain on that.
Google Account and History, * perhaps* - I notice a lower incidence of the visual one firing on me when signed in, versus when I'm in Incognito mode. Also, if you've had a Google session watching YouTube videos, sending emails, you would be seen as a lesser threat than someone who's just loaded a page for the first time.
Page activity - I haven't deleved into this too far, but it seems they're using some sort of mechanism to detect how you're viewing the page. If one is to click the CAPTCHA as soon as the page is loaded, rather than after 30 seconds of form filling, they're seen as higher-risk.
Number of times anti-robot check completed - This is an obvious one. Eventually, if you keep ticking the box over an over, the higher the probability of the robot check firing. A spambot may be able to get through a form the first 3 times, but after that when the robot-check fires, they are stopped.