Does youtube-nocookie.com prevent all YouTube cookies?

No. YouTube-nocookie.com prevents HTTP cookies from being set on page load, but it uses Local Storage to store a device identifier (yt-remote-device-id) without consent. Cookies are also set as soon as the visitor clicks "Play". The term "nocookie" is therefore misleading.

Do I need a cookie banner if I use youtube-nocookie.com?

Yes. The nocookie mode does not exempt you from collecting consent. The Local Storage used by YouTube and the cookies set on playback require prior consent under the GDPR and the ePrivacy Directive. A compliant cookie banner is still mandatory.

How do I block the YouTube iframe before the visitor gives consent?

The recommended method is to use a CMP that automatically blocks third-party iframes. Technically, the iframe's src is moved to a data-src attribute and only restored after consent. A placeholder (image or message) replaces the video in the meantime.

What is the difference between youtube-nocookie.com and full iframe blocking?

YouTube-nocookie.com is an option provided by Google that reduces initial tracking (no DoubleClick, no personalization). Iframe blocking prevents any YouTube content from loading before consent, including Local Storage and network connections. The two are complementary: use nocookie AND block the iframe.

Does autoplay work with youtube-nocookie.com?

Technically autoplay is possible but strongly discouraged. It immediately triggers cookie placement and data transfer to Google, making it impossible to collect prior consent. To comply with the GDPR, playback must be triggered by a voluntary user action, after consent.

Does Consent Mode v2 automatically handle embedded YouTube videos?

No. Consent Mode v2 applies to Google tags (Analytics, Ads) and not to third-party content iframes. Blocking YouTube videos before consent must be handled separately through your CMP's iframe blocking system.

YouTube nocookie: embed videos without cookies?

TL;DR

YouTube-nocookie.com is Google's "privacy-enhanced mode" for embedding videos without setting cookies on page load. In practice, this domain does not guarantee GDPR compliance: it uses Local Storage to store a device identifier (yt-remote-device-id) before any interaction, and sets cookies as soon as the visitor clicks "Play". To be compliant, you need to combine youtube-nocookie.com with iframe blocking before consent, using a CMP or a "2-click" solution.

What is youtube-nocookie.com?

YouTube-nocookie.com is an alternative domain provided by Google that allows you to embed YouTube videos in "privacy-enhanced mode". It replaces the youtube.com domain in the iframe embed code.

When you copy the embed code from a YouTube video, an "Enable privacy-enhanced mode" option is available at the bottom of the embed window. Checking this box changes the iframe domain from youtube.com to youtube-nocookie.com.

The stated goal: no cookies are set as long as the visitor does not interact with the video. Google describes this mode as follows: views of videos in privacy-enhanced mode are not used to personalize the browsing experience on YouTube.

How to enable nocookie mode on YouTube

The process is straightforward and requires no technical skills.

Go to the YouTube page of the video you want to embed. Click "Share" below the video, then "Embed". In the window that opens, check the "Enable privacy-enhanced mode" box at the bottom. The iframe code updates automatically.

The change is visible in the URL: the domain switches from https://www.youtube.com/embed/VIDEO_ID to https://www.youtube-nocookie.com/embed/VIDEO_ID.

Before (standard mode)

After (nocookie mode)

If your site already has videos embedded in standard mode, you can do a bulk replacement in your database: replace all occurrences of youtube.com/embed/ with youtube-nocookie.com/embed/. This is a quick operation that does not break video functionality.

Why youtube-nocookie.com is not enough for GDPR compliance

This is the key point of this article, and the reason many websites believe they are compliant when they are not.

Local Storage is used before any interaction. Even without clicking "Play", simply loading the youtube-nocookie.com iframe writes a unique device identifier (yt-remote-device-id) to the browser's Local Storage. This identifier is a UUID that expires after one year. It can potentially track a device across visits. The GDPR and the ePrivacy Directive do not regulate cookies alone: any storage mechanism capable of collecting personal data falls within scope. Local Storage is covered.

Cookies are set as soon as you click "Play". The term "nocookie" is misleading. A more accurate name would be "delayed cookies". As soon as the visitor starts playback, YouTube sets cookies on their device, without consent having been collected through a compliant mechanism. Simply continuing to use the content does not constitute valid consent under the GDPR.

Network connections to Google are established. Even in nocookie mode, loading the iframe establishes connections to Google servers (including for Google Fonts embedded in the player). These connections transmit the visitor's IP address, which constitutes a transfer of personal data.

In short: youtube-nocookie.com reduces initial tracking (no DoubleClick, no personalized suggestions), but does not eliminate it. It is not a standalone GDPR compliance solution.

What the regulation actually requires

The GDPR and the ePrivacy Directive set a clear framework for embedding third-party content like YouTube videos.

Prior consent is mandatory before any non-essential cookies or trackers are set. This consent must be freely given, specific, informed, and unambiguous. Loading third-party content that transmits personal data (IP address, session identifiers) to a server located in the United States also requires a valid legal basis.

The French data protection authority (CNIL) itself uses an iframe blocking system on its own website: YouTube videos are hidden behind an information message until the visitor consents to YouTube cookie placement. This is the reference method.

Your site's privacy policy must mention the use of embedded YouTube videos, the data transmitted to Google, and the cookies set during playback.

How to embed YouTube in a GDPR-compliant way

There are three approaches, from simplest to most robust.

Approach 1: external link to YouTube

Instead of embedding the video, display a static thumbnail hosted on your own server with a link to the YouTube page. No iframe, no cookies, no connection to Google. The visitor leaves your site to watch the video. This is the safest solution but the least engaging.

Approach 2: "2-click" solution

The video is replaced by a placeholder (preview image or information message) until the visitor gives consent. Clicking the placeholder triggers a message explaining that loading the video involves data transfer to Google. A second click confirms consent and loads the iframe. This can be implemented manually in JavaScript: the iframe's src is moved to a data-src attribute and only restored after consent.

Approach 3: iframe blocking via a CMP (recommended)

A consent management platform (CMP) like FlowConsent automatically blocks YouTube iframes from loading until the visitor accepts the relevant cookie category. The visitor sees a placeholder with an explanatory message. After consenting through the cookie banner, the iframe loads normally. If the visitor revokes consent, the video is blocked again. This is the most robust solution because it centralizes management of all third-party content (YouTube, Google Maps, social widgets) in a single mechanism.

In all three cases, always use the youtube-nocookie.com domain rather than youtube.com. Even though it is not sufficient on its own, it reduces ad tracking (DoubleClick) and is a good complementary practice.

Platform specifics: WordPress, Webflow, and common CMS

On WordPress, several plugins handle iframe blocking before consent. Plugins like Complianz, Borlabs Cookie, or Real Cookie Banner detect YouTube iframes and automatically replace them with a placeholder until consent is given. Some of these plugins cache the video thumbnail on your own server, preventing any connection to Google before consent.

On Webflow, iframe blocking requires a custom script or integration with a CMP that supports third-party script blocking. The principle is the same: the iframe's src is emptied or moved to a data attribute, and only restored after consent collected by the cookie banner.

On Shopify, themes do not offer native iframe blocking. You need a compatible CMP or a custom blocking script injected via the theme.liquid file.

The FlowConsent cookie scanner lets you quickly verify whether your embedded YouTube videos set cookies or Local Storage before consent.

Consent Mode v2 and embedded YouTube videos

The Google Consent Mode v2 primarily applies to Google tags (Analytics, Ads, Floodlight). It allows these tags to adapt their behavior based on the user's consent choice, sending cookieless pings when consent is denied.

For embedded YouTube iframes, Consent Mode v2 does not automatically block video loading. The YouTube iframe is third-party content independent of the Google tag system. Iframe blocking before consent remains necessary whether Consent Mode is enabled or not.

If you use Consent Mode v2 for your Google Analytics and Google Ads tags, your embedded YouTube videos must be handled separately through your CMP's iframe blocking system.

Common mistakes (and how to avoid them)

Assuming youtube-nocookie.com = GDPR compliance. The domain name is misleading. It reduces tracking but does not eliminate it. Local Storage and cookies on "Play" click remain violations if consent has not been collected.

Not mentioning YouTube in your privacy policy. Even with a CMP and nocookie mode, the cookie policy must list YouTube as a third-party service, describe the data transmitted, and the cookies set.

Forgetting Local Storage in your audit. Standard cookie audits detect HTTP cookies but not always Local Storage and Session Storage. A full audit must check the "Local Storage" and "Session Storage" tabs in the browser developer tools.

Using autoplay with youtube-nocookie.com. Autoplay on an embedded video immediately triggers cookie placement and data transfer to Google, with no opportunity to collect consent first. Autoplay and GDPR compliance are incompatible for embedded YouTube videos.

Updating new embeds but forgetting old ones. If your site has videos embedded for years, they probably still use the standard youtube.com domain. A bulk replacement in the database is necessary.

Checklist: embedding YouTube compliantly

Enable "privacy-enhanced mode" (youtube-nocookie.com) for all embedded videos.
Replace old youtube.com embeds with youtube-nocookie.com in the database.
Set up iframe blocking before consent (via CMP or "2-click" solution).
Display an informative placeholder instead of the video for visitors who have not consented.
Mention YouTube, the cookies set, and data transmitted in the privacy policy.
Verify with browser developer tools that no cookies or Local Storage are written before consent.
Never use autoplay on embedded YouTube videos.
Regularly scan the site with a tool like the FlowConsent scanner to detect residual trackers.
If using Consent Mode v2, handle YouTube iframe blocking separately from Google tag configuration.
Test consent revocation: after withdrawing consent, verify that the video is blocked again.

Conclusion

YouTube-nocookie.com is a useful first step but not sufficient on its own. It reduces ad tracking and prevents cookies on page load, but Local Storage, cookies on playback, and network connections to Google remain compliance issues. The only GDPR-compliant approach combines nocookie mode with iframe blocking before consent, using a CMP or a "2-click" solution.

To check whether your embedded YouTube videos create compliance issues, run a free scan of your site with FlowConsent.

YouTube nocookie: embedding videos without cookies on your site