Embedding YouTube videos on websites causes Google's tracking code to load in visitors' browsers, setting advertising and analytics cookies that track viewing behaviour and build advertising profiles. This requires consent under the ePrivacy Directive. YouTube provides a privacy-enhanced embed domain (youtube-nocookie.com) that significantly reduces cookie placement. Alternatively, using a facade/thumbnail approach delays YouTube loading until users click play, reducing privacy impact.
YouTube is the video platform operated by Google Ireland Limited (controller of record for EU embedders) and Google LLC (sub-processor in the United States). When a publisher embeds a YouTube video on its pages, the standard iframe is served from youtube.com and immediately loads JavaScript, fonts and player resources from ytimg.com, googlevideo.com and doubleclick.net. The player exchanges advertising signals with Google Marketing Platform, even when no advertising is displayed on the video.
The standard youtube.com embed sets the cookies VISITOR_INFO1_LIVE (visitor identifier, 6 months), YSC (session identifier, browser session), PREF (preferences, 8 months) and IDE on doubleclick.net (advertising id, 13 months) as soon as the iframe loads. The privacy-enhanced mode youtube-nocookie.com sets the same cookies only after the user clicks play, instead of on iframe load. Both modes also write localStorage entries to remember playback position and quality settings.
Consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) is required before loading any YouTube embed because the iframe drops advertising cookies on third-party domains (doubleclick.net, google.com). The CJEU Fashion ID case (C-40/17, July 2019) confirms that the embedding website is joint controller for the data exchanged with the YouTube iframe. The CNIL has fined French organisations for loading YouTube content without consent (e.g. Carrefour 2020, Le Mans Université 2023). Even youtube-nocookie.com is not consent-free because the lookup still discloses the visitor IP to Google.
Loading a YouTube embed transmits the visitor IP, user agent, referrer and cookies to Google LLC in the United States. Google LLC is certified under the EU-US Data Privacy Framework since 10 July 2023 and the YouTube Terms incorporate the EU Standard Contractual Clauses (module 3). However, the EDPB binding decision against Google Analytics (1/2022) and several DPA fines confirm that the publisher must also implement supplementary measures, document a transfer impact assessment and inform users.
Replace the standard iframe with a click-to-load placeholder (poster image plus play button) that only loads the YouTube embed after consent. Use the youtube-nocookie.com domain instead of youtube.com to minimise cookie writes before play. Document Google Ireland Limited and Google LLC in your records of processing (GDPR art. 30) and in the privacy notice. List the cookies VISITOR_INFO1_LIVE, YSC, PREF and IDE in your cookie policy. Consider self-hosting the most important videos with Plyr, Mux Video, Vimeo Pro or a Bunny.net stream for sensitive content. Refresh the consent every six months in line with CNIL deliberation 2020-091.
GDPR-friendly alternatives include Vimeo Privacy Friendly Embed (US with EU residency), Cloudflare Stream, Mux Video (EU and US), Bunny Stream (Slovenia and global edge), PeerTube (open source, self-hostable), Dailymotion (France) and the self-hosted Plyr or Video.js stack with HLS manifests on your own CDN.
Websites using YouTube Embed must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard YouTube video embedding with proper consent management. It may become relevant for large media platforms embedding many videos where Google's audience tracking creates systematic profiling of visitors.
Sample consent text
This page embeds YouTube videos provided by Google Ireland Limited (operator) and Google LLC (sub-processor in the United States). When you click play, YouTube sets advertising cookies (VISITOR_INFO1_LIVE, YSC, PREF, IDE) and transmits your IP address, user agent and the video viewed to Google in the United States under the EU-US Data Privacy Framework and the EU Standard Contractual Clauses. We load each YouTube embed only after you accept the marketing or video category in our cookie preferences, and we use the youtube-nocookie.com privacy-enhanced mode whenever possible.
Third-party domains contacted
youtube.com, www.youtube-nocookie.com, i.ytimg.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| YSC | session | Session | YouTube session identifier loaded on standard YouTube embed — tracks viewing session data |
| VISITOR_INFO1_LIVE | persistent | 6 months | YouTube visitor identifier for tracking viewing history and personalising recommendations |
Standard YouTube embeds require consent as they set advertising cookies immediately on page load. Using youtube-nocookie.com reduces but may not fully eliminate consent requirements. The facade approach (thumbnail loading) is the most privacy-friendly and may not require a consent banner.
youtube-nocookie.com is YouTube's privacy-enhanced embed domain. According to Google, it does not set cookies until the user plays the video. Enable it by replacing "youtube.com/embed/" with "www.youtube-nocookie.com/embed/" in your iframe src URL. WordPress' built-in YouTube block uses this by default.
Standard YouTube embeds set VISITOR_INFO1_LIVE (YouTube visitor ID, 6 months), YSC (session, no expiry), and may set advertising cookies if the user is logged into Google. These require consent. The youtube-nocookie.com mode avoids setting these cookies until play.
Yes. All YouTube (Google) processing occurs on US infrastructure. SCCs are required as part of Google's standard terms. Accept Google's data processing terms and disclose the US transfer in your privacy policy when embedding YouTube videos.
Use the lite-youtube-embed library (available on npm and GitHub) which renders a thumbnail and loads the actual YouTube iframe only when clicked. This is semantic, accessible, dramatically faster, and privacy-respecting. Alternatively, use a custom implementation with a thumbnail image and onclick handler that replaces the image with the actual iframe.
Legal opinions differ. Google says no cookies are set until play. Some DPAs consider even IP address transmission on iframe load to be personal data transfer requiring consent. The safest approach: use youtube-nocookie.com AND the facade pattern, so the YouTube domain only receives a request when the user actively clicks play.
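The consent-gated facade combined with the youtube-nocookie.com rewrite, as an added example (not lite-youtube-embed or FlowConsent code). `hasConsent`, `askConsent` and the self-hosted poster path are assumptions standing in for your own consent manager and assets.

```javascript
// Added example, not lite-youtube-embed or FlowConsent code.
// Assumption: video ids are 11 URL-safe characters (the format YouTube uses today).
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Accept watch, embed, shorts and youtu.be links; return the id or null.
function extractVideoId(input) {
  let url;
  try { url = new URL(input); } catch { return null; }
  const host = url.hostname.replace(/^(www|m)\./, "");
  let id = null;
  if (host === "youtu.be") {
    id = url.pathname.slice(1);
  } else if (host === "youtube.com" || host === "youtube-nocookie.com") {
    const m = url.pathname.match(/^\/(?:embed|shorts)\/([^/]+)/);
    id = url.pathname === "/watch" ? url.searchParams.get("v") : m && m[1];
  }
  return id && VIDEO_ID.test(id) ? id : null;
}

// Rebuild the URL from the validated id so no untrusted text reaches iframe src.
function noCookieEmbedUrl(input) {
  const id = extractVideoId(input);
  return id ? `https://www.youtube-nocookie.com/embed/${id}` : null;
}

// Browser only. posterSrc must be served from your own origin: a thumbnail
// fetched from i.ytimg.com would contact Google before any click.
// hasConsent and askConsent are hypothetical hooks into your consent manager.
function mountFacade(container, videoUrl, posterSrc, { hasConsent, askConsent }) {
  const src = noCookieEmbedUrl(videoUrl);
  if (!src) return false;
  const button = document.createElement("button");
  button.setAttribute("type", "button");
  button.setAttribute("aria-label", "Play video (loads the player from YouTube)");
  const poster = document.createElement("img");
  poster.setAttribute("src", posterSrc);
  poster.setAttribute("alt", "");
  button.append(poster);
  button.addEventListener("click", () => {
    if (!hasConsent()) { askConsent(); return; } // no iframe without consent
    const frame = document.createElement("iframe");
    frame.setAttribute("src", `${src}?autoplay=1`);
    frame.setAttribute("title", "YouTube video player");
    frame.setAttribute("allow", "autoplay; encrypted-media; picture-in-picture");
    frame.setAttribute("allowfullscreen", "");
    container.replaceChildren(frame); // first request to Google happens here
  });
  container.replaceChildren(button);
  return true;
}
```

Verify the result in the browser's network panel: before the click there should be no requests to youtube.com, youtube-nocookie.com, ytimg.com or doubleclick.net.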
Vimeo (US-hosted but with dnt=1 privacy mode), Wistia (US-hosted), and Dailymotion (French company) are alternatives. For self-hosted video, PeerTube (open-source, EU-hostable) provides a YouTube-compatible embed without Google's data practices.
Yes. Disclose that the website embeds YouTube videos, that YouTube (Google) sets cookies when videos are loaded or played, that data is transferred to Google in the US, and provide a link to YouTube's Privacy Policy. If using youtube-nocookie.com, note that this reduces but may not eliminate data processing.