Embedding YouTube videos on websites causes Google's tracking code to load in visitors' browsers, setting advertising and analytics cookies that track viewing behaviour and build advertising profiles. This requires consent under the ePrivacy Directive. YouTube provides a privacy-enhanced embed domain (youtube-nocookie.com) that significantly reduces cookie placement. Alternatively, using a facade/thumbnail approach delays YouTube loading until users click play, reducing privacy impact.
Embedding YouTube videos on websites is done via an iframe element pointing to youtube.com or youtube-nocookie.com. When a standard YouTube iframe loads, it immediately executes Google's JavaScript, which sets tracking cookies, reads existing Google cookies (including Google account session cookies), and sends data about the page visit and visitor to Google's servers. This happens even if the visitor never plays the video.
YouTube's privacy-enhanced mode uses the domain youtube-nocookie.com instead of youtube.com. According to Google, this mode does not set cookies until the user actually plays the video. However, Google may still process IP addresses and technical data for content delivery even in no-cookie mode. The no-cookie mode significantly reduces privacy risk and may be sufficient for many implementations, but legal teams differ on whether it fully resolves GDPR consent requirements.
The facade approach shows a static thumbnail image with a play button instead of loading the YouTube iframe on page load. The actual YouTube iframe only loads when the user explicitly clicks the play button. This approach: eliminates page-load tracking entirely, improves page performance significantly (YouTube iframes are heavy), and only transfers data when the user actively requests the video. Libraries like lite-youtube-embed implement this pattern easily.
Use youtube-nocookie.com embeds as a minimum. Implement the facade pattern for best practice. If using standard embeds, block via CMP until media consent is given. Disclose YouTube embeds in your cookie policy and privacy policy. Sign the Google DPA. For large media sites, consider self-hosting key video content or using a GDPR-compliant EU video host.
Websites using YouTube Embed must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard YouTube video embedding with proper consent management. It may become relevant for large media platforms embedding many videos where Google's audience tracking creates systematic profiling of visitors.
Sample consent text
This page contains an embedded YouTube video. Loading it will allow YouTube (Google) to set cookies and track your viewing behaviour for advertising purposes. Data is transferred to Google in the US. Accept media cookies below to load the video, or watch it directly on youtube.com.
Third-party domains contacted
youtube.com, www.youtube-nocookie.com, i.ytimg.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| YSC | session | Session | YouTube session identifier loaded on standard YouTube embed — tracks viewing session data |
| VISITOR_INFO1_LIVE | persistent | 6 months | YouTube visitor identifier for tracking viewing history and personalising recommendations |
Standard YouTube embeds require consent as they set advertising cookies immediately on page load. Using youtube-nocookie.com reduces but may not fully eliminate consent requirements. The facade approach (thumbnail loading) is the most privacy-friendly and may not require a consent banner.
youtube-nocookie.com is YouTube's privacy-enhanced embed domain. According to Google, it does not set cookies until the user plays the video. Enable it by replacing "youtube.com/embed/" with "www.youtube-nocookie.com/embed/" in your iframe src URL. WordPress' built-in YouTube block uses this by default.
Standard YouTube embeds set VISITOR_INFO1_LIVE (YouTube visitor ID, 6 months), YSC (session, no expiry), and may set advertising cookies if the user is logged into Google. These require consent. The youtube-nocookie.com mode avoids setting these cookies until play.
Yes. All YouTube (Google) processing occurs on US infrastructure. SCCs are required as part of Google's standard terms. Accept Google's data processing terms and disclose the US transfer in your privacy policy when embedding YouTube videos.
Use the lite-youtube-embed library (available on npm and GitHub) which renders a thumbnail and loads the actual YouTube iframe only when clicked. This is semantic, accessible, dramatically faster, and privacy-respecting. Alternatively, use a custom implementation with a thumbnail image and onclick handler that replaces the image with the actual iframe.
Legal opinions differ. Google says no cookies are set until play. Some DPAs consider even IP address transmission on iframe load to be personal data transfer requiring consent. The safest approach: use youtube-nocookie.com AND the facade pattern, so the YouTube domain only receives a request when the user actively clicks play.
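The combination described above (privacy-enhanced domain plus click-to-load facade), as an added example that is not FlowConsent's, YouTube's or lite-youtube-embed's code. The `.yt-facade` class, the `data-video-id` attribute, the 11-character ID rule and the self-hosted `/thumbs/` path are assumptions; the thumbnail is served locally so that i.ytimg.com is not contacted before the click.

```javascript
// Added example; not FlowConsent, YouTube or lite-youtube-embed code.
// Assumed names: .yt-facade, data-video-id, and the /thumbs/ path.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/; // assumed ID format: 11 URL-safe chars
const YT_HOSTS = ['youtube.com', 'www.youtube.com', 'www.youtube-nocookie.com'];

// Rewrite an embed URL to the privacy-enhanced domain. Returns null for
// anything that is not an https YouTube embed, so it is never loaded.
function toNoCookie(src) {
  let url;
  try { url = new URL(src); } catch { return null; }
  const m = url.pathname.match(/^\/embed\/([^/]+)$/);
  if (url.protocol !== 'https:' || !YT_HOSTS.includes(url.hostname) || !m) return null;
  return VIDEO_ID.test(m[1]) ? `https://www.youtube-nocookie.com/embed/${m[1]}` : null;
}

// Self-hosted thumbnail: no Google host (i.ytimg.com included) is contacted
// before the click.
function localThumb(videoId) {
  return `/thumbs/${videoId}.jpg`;
}

// Render thumbnail + button; create the iframe only on the first click.
function mountFacade(el, doc) {
  const id = el.dataset.videoId;
  if (!VIDEO_ID.test(id)) return false; // refuse malformed IDs
  const img = doc.createElement('img');
  img.src = localThumb(id);
  img.alt = 'Play video';
  const btn = doc.createElement('button');
  btn.type = 'button';
  btn.append(img);
  btn.addEventListener('click', () => {
    const frame = doc.createElement('iframe');
    // autoplay=1 so the click that loads the player also starts playback
    frame.src = toNoCookie(`https://www.youtube.com/embed/${id}`) + '?autoplay=1';
    frame.allow = 'autoplay; encrypted-media';
    frame.allowFullscreen = true;
    el.replaceChildren(frame);
  }, { once: true });
  el.replaceChildren(btn);
  return true;
}

// Browser entry point; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  document.querySelectorAll('.yt-facade[data-video-id]')
    .forEach((el) => mountFacade(el, document));
}
```

Markup for each video is then a single placeholder such as `<div class="yt-facade" data-video-id="…"></div>`, with the matching thumbnail file stored under the assumed `/thumbs/` path.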
Vimeo (US-hosted but with dnt=1 privacy mode), Wistia (US-hosted), and Dailymotion (French company) are alternatives. For self-hosted video, PeerTube (open-source, EU-hostable) provides a YouTube-compatible embed without Google's data practices.
Yes. Disclose that the website embeds YouTube videos, that YouTube (Google) sets cookies when videos are loaded or played, that data is transferred to Google in the US, and provide a link to YouTube's Privacy Policy. If using youtube-nocookie.com, note that this reduces but may not eliminate data processing.