Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Brightcove is an enterprise video hosting and streaming platform with adaptive bitrate delivery, native players, ad insertion (SSAI), DRM and detailed video analytics. The embedded player sets cookies and local storage tied to a visitor identifier; consent is required in the EU.
Brightcove is one of the leading enterprise online video platforms. The flagship product, Video Cloud, ingests, transcodes and stores video files, generates adaptive bitrate streams (HLS and DASH), serves them through a global CDN mix (Akamai, Fastly, CloudFront) and provides JavaScript and native mobile players. Brightcove Beacon extends the offering with OTT subscription apps, Brightcove Ad Cloud handles server side ad insertion (SSAI), and the Brightcove Audience suite delivers viewer analytics, recommendations and content rights management.
The Brightcove Player sets several first party cookies on the embed domain (bcVisitor, 1 year, persistent visitor identifier; bcSession, session, current playback session; bc_visitor, 1 year, fallback identifier; vjs_session, session, player state). Local storage and IndexedDB entries store the resume point, the volume preference, the playback speed, the selected caption track and the quality preference. The video analytics beacon posts events to metrics.brightcove.com containing the player ID, the video ID, the timestamp, the IP address and the user agent.
All cookies and local storage entries set by the Brightcove Player fall under ePrivacy art. 5(3): they are stored on the visitor device and are not strictly necessary for the playback itself. Prior consent under GDPR art. 6(1)(a) is required before the player loads. The CNIL has confirmed that video analytics and viewer identification go beyond strictly necessary delivery. For private video that requires a signed token, contractual necessity (art. 6(1)(b)) can cover the playback flow but not the analytics.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
By default the Brightcove control plane and analytics warehouse run in AWS US East. EU residency for video assets and analytics ingestion can be requested at contract signature, with primary storage in AWS Ireland and the option to pin video transcoding to Frankfurt. The Brightcove Ad Cloud and Beacon recommendations engine remain US based, with engineering teams in India and Eastern Europe holding contractual access. Brightcove is certified under the EU US Data Privacy Framework with the 2021 SCCs as fallback.
Use a click to load wrapper: show a static poster image until the visitor grants consent, then load the Brightcove embed code; configure the Brightcove Player with the analytics disabled until consent flips, integrate with your CMP via the IAB TCF v2.2 signal that Brightcove supports, list the cookies in the privacy notice, sign the DPA with the EU residency commitment, and document the legal basis for each Brightcove product activated.
Websites using Brightcove must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Brightcove Beacon, the personalisation engine, the SSAI ad insertion or the Audience product are activated, because these go beyond pure delivery. The DPIA should document the EU residency choice, the access from US support, the retention of viewer profiles, the integration with Brightcove Ad Cloud and any data exported to Google Ad Manager or programmatic SSPs.
Sample consent text
We use Brightcove to host and play our videos. The Brightcove Player sets cookies (vjs_session, bcVisitor, bcSession, bc_visitor) and local storage entries on your device to remember playback preferences and provide video analytics. Data may be processed by Brightcove in the United States under the EU US Data Privacy Framework, with EU residency available for assets and analytics on request. You can accept, refuse or withdraw at any time; refusing displays a static poster and a click to load button.
Third-party domains contacted
brightcove.combrightcove.netplayers.brightcove.netedge.api.brightcove.commetrics.brightcove.comedge.ec.brightcove.combcsecure01-a.akamaihd.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| bcVisitor | First party (Brightcove Player) | 1 year | Persistent visitor identifier set by the Brightcove Player to recognise returning viewers and tie analytics events to a single visitor |
| bcSession | First party (Brightcove Player) | Session | Tracks the current playback session for the Brightcove Player video analytics |
| bc_visitor | First party (Brightcove Player) | 1 year | Fallback visitor identifier used when third party cookies are blocked |
| vjs_session | First party (Brightcove Player, Video.js core) | Session | Stores the current Video.js player state (volume, current time, playback rate) |
| BCSI-CS-* | First party (Brightcove Beacon, optional) | 1 year | Beacon OTT identifier used when Brightcove Beacon subscription apps are active |
Brightcove uses cookies for user preferences — inform visitors with a consent banner.
The Brightcove Player sets bcVisitor (1 year, persistent visitor identifier), bcSession (session, current playback session), bc_visitor (1 year, fallback identifier) and vjs_session (session, player state). Local storage and IndexedDB store the resume point, volume, playback speed, captions and quality preferences. The analytics beacon posts events to metrics.brightcove.com.
Yes. All cookies and local storage set by the Brightcove Player fall under ePrivacy art. 5(3): they are not strictly necessary for the playback itself but track preferences and analytics. Prior consent under GDPR art. 6(1)(a) must be collected before the player loads in the EU.
Consent (GDPR art. 6(1)(a)) for the player cookies, the video analytics and any personalisation. Contractual necessity (art. 6(1)(b)) may apply to a signed token private video flow without analytics. Article 28 GDPR governs the processor relationship.
By default yes. Brightcove control plane and analytics warehouse run in AWS US East. EU residency for assets and analytics can be requested. Brightcove is certified under the EU US Data Privacy Framework; SCCs 2021 fallback and TIA are required.
Recommended when Brightcove Beacon, Audience, recommendations or SSAI ad insertion are activated. The DPIA should document EU residency choice, US support access, viewer profile retention, ad cloud flows and any export to programmatic SSPs.
Use a click to load wrapper, set Brightcove analytics off until consent, integrate with your CMP via IAB TCF v2.2, sign the DPA with EU residency, list player cookies in the privacy notice, configure the strictest retention for video analytics and document each Brightcove product in the record of processing.
EU friendly options: Bitmovin (Austria), JW Player (US but with EU CDN), Kaltura (Israel, EU hosting), Wistia (US with EU residency), Vidyard (Canada), Streamable, Mux (US), Cloudflare Stream and PeerTube for fully self hosted ActivityPub video. For pure delivery without analytics: native HTML5 video with a CDN like Bunny Stream.
List Brightcove as a sub processor with the cookies (bcVisitor, bcSession, bc_visitor, vjs_session) and the local storage entries, mention the metrics.brightcove.com beacon, disclose the US transfers under the Data Privacy Framework, link to the Brightcove Privacy Policy and provide a click to load explanation.