Plyr is an open-source HTML5 media player JavaScript library that wraps and styles native browser video and audio elements. By itself it sets no cookies and performs no tracking; privacy risk arises only when developers configure Plyr to wrap third-party embeds such as YouTube or Vimeo.
Plyr is a lightweight, accessible and customisable HTML5, YouTube and Vimeo media player written in vanilla JavaScript by Sam Potts. The library, distributed under the MIT licence from plyr.io and via the cdn.plyr.io CDN, replaces the default browser controls of <video> and <audio> elements with a styled, keyboard-accessible interface. Plyr is widely used by publishers, educators and SaaS platforms that want a consistent player UI without shipping a heavy framework. Crucially, Plyr is a UI wrapper: the player itself does not transmit telemetry, does not set cookies, and does not call home to any analytics endpoint.
When Plyr is used to play a self-hosted MP4 or WebM file, it is GDPR-friendly out of the box. No first-party cookies are created, no fingerprinting takes place, and the only network traffic is the byte-range request for the media file itself. Loading the library from cdn.plyr.io adds a single HTTPS round-trip to Cloudflare; the Cloudflare CDN may log the visitor IP and User-Agent in standard access logs, but that processing is a normal infrastructure activity and does not trigger an ePrivacy consent obligation. Sites that prefer to avoid the CDN entirely can self-host the Plyr JavaScript and CSS bundles from their own origin.
Plyr is most commonly configured to wrap a YouTube or Vimeo iframe. The moment that iframe is injected into the DOM, the third-party provider takes over: YouTube sets VISITOR_INFO1_LIVE, YSC and PREF cookies, fetches scripts from googlevideo.com and doubleclick.net, and shares the viewer IP address with Google in the United States. Vimeo behaves similarly, setting vuid, _abexps and player cookies and contacting vimeocdn.com. Under Article 5(3) of the ePrivacy Directive and the CJEU Planet49 judgment (C-673/17), storing or reading these cookies requires prior, freely given, specific, informed and unambiguous consent. The consent obligation belongs to the publisher embedding the player, not to Google or Vimeo.
Plyr supports YouTube's privacy-enhanced mode by accepting URLs from youtube-nocookie.com instead of youtube.com. In this mode, YouTube defers cookie placement until the visitor actually presses play, which materially reduces the tracking surface but does not eliminate consent obligations because tracking still occurs on playback. For Vimeo, passing the dnt=1 query parameter to the embed URL disables Vimeo's own analytics cookies and tells Vimeo to suppress tracking pixels. Neither mode removes the IP-address transfer to the United States, so a lawful transfer mechanism under Chapter V GDPR (typically Standard Contractual Clauses plus the EU-US Data Privacy Framework) remains necessary.
Implement a click-to-load or consent-gated facade: render only a thumbnail and a play button until the visitor has consented to the relevant cookie category. Plyr's setup() method should be called only after consent is granted, so that the YouTube or Vimeo iframe is never injected for non-consenting users. Document the legal basis (Article 6(1)(a) GDPR consent) in your records of processing, list each third-party domain in the cookie banner, and provide a granular toggle that maps to the Plyr embed type. For self-hosted media, no consent banner entry is required and the player can load immediately.
Websites using Plyr must obtain user consent under GDPR regulations.
DPIA considerations
Plyr itself does not require a DPIA because the library is loaded client-side from a CDN and processes no personal data. A DPIA may be needed when Plyr is configured to wrap YouTube, Vimeo or other third-party providers, because those embeds load tracking cookies and may transfer IP addresses and viewing behaviour to the United States. Controllers should document the lawful basis for each third-party provider, assess Schrems II transfer risks, and implement consent gating before iframes are loaded.
Sample consent text
This page uses Plyr to display a video hosted on YouTube. Loading the player will set cookies on your device and share your IP address with Google. Click Accept to enable the video, or Decline to keep the player blocked.
Third-party domains contacted
cdn.plyr.io, plyr.io, www.youtube.com, www.youtube-nocookie.com, player.vimeo.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| plyr (localStorage key) | functional_localstorage_not_a_cookie | persistent_until_cleared_by_user | Plyr does not set HTTP cookies. The reference player stores user preferences such as volume level, captions language and playback speed in the browser's localStorage under the key plyr. This is local-only state and is not transmitted to any server; it does not trigger ePrivacy Article 5(3) consent because it is strictly necessary for the requested service (UI preferences). |
| no_first_party_cookies | no_cookie | n_a | Plyr loaded standalone (self-hosted or via cdn.plyr.io for a self-hosted MP4/WebM file) sets zero HTTP cookies. The only network call is to the CDN for the JS/CSS assets, which is treated as a standard infrastructure log. No consent banner entry is required for Plyr itself. |
| third_party_cookies_when_wrapping_youtube_or_vimeo | third_party_marketing | varies_per_provider_typically_6_months_to_2_years | When Plyr is configured to wrap a YouTube or Vimeo iframe, the third-party provider sets its own tracking cookies (YouTube: VISITOR_INFO1_LIVE, YSC, PREF; Vimeo: vuid, _abexps, player). These cookies require prior user consent under Article 5(3) ePrivacy Directive and the CJEU Planet49 judgment. They are attributed to the wrapped provider, not to Plyr, but the publisher remains responsible for obtaining consent before the iframe loads. |
Plyr by itself does not require consent. The library is loaded client-side from cdn.plyr.io, sets no cookies, and performs no tracking. Consent is only required when Plyr is configured to wrap a third-party embed such as YouTube or Vimeo, because those providers set tracking cookies. Under Article 5(3) of the ePrivacy Directive and the CJEU Planet49 ruling, the publisher must obtain prior, freely given, specific, informed and unambiguous consent before the embedded iframe is loaded.
Plyr itself sets no cookies. The reference player stores user preferences such as volume and captions only in localStorage, not as HTTP cookies. The cookies attributed to Plyr in a typical deployment actually come from the wrapped provider: YouTube sets VISITOR_INFO1_LIVE, YSC and PREF; Vimeo sets vuid and player cookies. To eliminate even those, do not wrap third-party providers, or use facade patterns that defer iframe loading until consent.
Plyr itself does not transfer personal data anywhere. The library is fetched from cdn.plyr.io (served by Cloudflare), which means CDN edge nodes may temporarily process the visitor IP. Personal-data transfers to the US occur when Plyr is configured to embed YouTube or Vimeo: those iframes share IP, User-Agent and viewing behaviour with Google or Vimeo in the United States. A lawful transfer mechanism (SCCs plus the EU-US Data Privacy Framework) is then required.
Plyr is a UI library that runs entirely in the visitor's browser; it is not a data processor and does not need a DPA. YouTube and Vimeo, when wrapped by Plyr, are independent controllers (or joint controllers, depending on configuration) that determine the purposes and means of processing for their tracking. The publisher remains responsible for obtaining consent for those third-party cookies and for informing visitors about the transfer to the United States.
First, switch the embed URL from youtube.com to youtube-nocookie.com, which Plyr supports natively; this delays YouTube cookie placement. Second, implement a facade or click-to-load pattern: render a thumbnail and play button, and only call Plyr.setup() after the visitor accepts marketing cookies. Third, list YouTube in your cookie banner with a granular toggle, document the legal basis (Article 6(1)(a) GDPR), and reference the EU-US Data Privacy Framework as the transfer mechanism.
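The consent-gated facade recommended earlier on this page and in the three steps above, as an added example (not Plyr's code or the page author's). The names `buildEmbedUrl`, `createGate`, the `marketing` category and the `initPlayer` callback are assumptions; `doc` is the browser `document`.

```javascript
// Added example, not Plyr's or the page author's code. Hypothetical names:
// buildEmbedUrl, createGate, the "marketing" category, initPlayer.
// In the browser, initPlayer could be:
//   (el) => new Plyr(el, { youtube: { noCookie: true } })

const EMBED_URL = {
  youtube: (id) => `https://www.youtube-nocookie.com/embed/${id}`, // privacy-enhanced host
  vimeo: (id) => `https://player.vimeo.com/video/${id}?dnt=1`, // dnt=1 as on the page
};

function buildEmbedUrl(provider, id) {
  if (!Object.prototype.hasOwnProperty.call(EMBED_URL, provider)) {
    throw new Error(`unsupported provider: ${provider}`);
  }
  // Allow-list the id so page data cannot add path or query parts.
  if (!/^[A-Za-z0-9_-]+$/.test(String(id))) throw new Error('unexpected embed id');
  return EMBED_URL[provider](id);
}

function createGate(doc, initPlayer) {
  const pending = []; // facades still showing only thumbnail + play button
  let granted = false; // fail closed until the banner reports consent

  function mount({ container, src }) {
    const iframe = doc.createElement('iframe');
    iframe.src = src;
    container.classList.add('plyr__video-embed'); // Plyr's wrapper class for embeds
    container.replaceChildren(iframe); // iframe enters the DOM: first third-party request
    return initPlayer(container);
  }

  return {
    // Call once per facade at page load. Building the URL is a string
    // operation only, so a bad id fails early without touching the network.
    register({ container, provider, id }) {
      const entry = { container, src: buildEmbedUrl(provider, id) };
      if (granted) return mount(entry);
      pending.push(entry);
      return null;
    },
    // Call from the consent banner whenever the visitor's choices change.
    update(categories) {
      granted = categories.marketing === true;
      return granted ? pending.splice(0).map(mount) : [];
    },
    pendingCount: () => pending.length,
  };
}
```

Withdrawing consent stops further mounts but does not remove players already created; tear those down separately (Plyr instances expose `destroy()`) and restore the facade.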
No. The privacy-enhanced mode delays cookie placement until playback starts, but cookies and tracking still occur once the user clicks play, and the IP address is still shared with Google before that. EU data protection authorities (CNIL, Garante, datenschutzkonferenz.de) consider that youtube-nocookie.com reduces but does not eliminate the consent obligation. Consent must still be requested before the YouTube iframe is loaded if it would set cookies.
dnt stands for Do Not Track. Adding dnt=1 to a Vimeo embed URL instructs Vimeo to disable its analytics cookies and tracking pixels for that session. Plyr passes through query parameters, so you can configure Vimeo embeds as https://player.vimeo.com/video/123?dnt=1. The visitor IP is still transmitted to Vimeo for video delivery, and consent may still be required in strict jurisdictions, but the cookie footprint is significantly reduced.
Yes. Plyr is open source under the MIT licence and the JavaScript and CSS bundles can be downloaded from npm or GitHub and served from your own origin. Self-hosting removes the only third-party network call that the library otherwise makes (to cdn.plyr.io) and is recommended for organisations that want to demonstrate full data minimisation. Self-hosting does not change anything about wrapped YouTube or Vimeo embeds, which still load from their respective providers.