Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Vimeo Player is a widely used video hosting and embedding platform that allows website owners to serve high-quality video content via an iframe embed. With default settings it sets analytics cookies and transfers viewer data to Vimeo servers in the United States, triggering GDPR and ePrivacy compliance obligations. Vimeo offers a do-not-track parameter (dnt=1) that disables cookies and reduces data collection. Consent-gated loading is the recommended approach for full compliance.
Vimeo Player is the embeddable video player component of Vimeo, a video hosting and streaming platform operated by Vimeo Inc., headquartered in New York. Website owners embed Vimeo videos using an iframe pointing to player.vimeo.com, which loads the Vimeo player, its JavaScript SDK, and serves the video content via Vimeo's global CDN. Vimeo supports adaptive bitrate streaming, customisable players, chapter markers, password protection, and detailed video analytics including heatmaps and engagement graphs.
When embedded with default settings, Vimeo Player sets the vuid cookie (unique visitor identifier, 2 years) and the player cookie (player preferences, 1 year). It also collects viewer IP addresses, device type, browser type, the page URL where the embed is hosted, video playback events (play, pause, watch percentage), and referrer data. This data is used for video analytics, delivery optimisation, and may be used for Vimeo advertising if the viewer has a Vimeo account. The dnt=1 URL parameter disables the vuid tracking cookie and limits data collection to delivery-only metrics.
Embedding Vimeo Player with default settings triggers third-party cookie placement and data transmission to US-based servers. Under the ePrivacy Directive, the vuid and player cookies require prior consent because they are not strictly necessary for the website's own functionality. Several EU data protection authorities have investigated video embed services and concluded that website operators are joint controllers for the initial data transmission triggered by the embed loading. This means website operators share responsibility for the lawfulness of the data collection, even though Vimeo controls what happens to data on its end.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Two main compliance approaches exist. The first is consent-gated loading: show a video placeholder by default, and only load the Vimeo iframe after the visitor grants consent to functional or analytics cookies. The second is using the dnt=1 parameter (e.g. player.vimeo.com/video/ID?dnt=1) which disables the vuid tracking cookie and limits data collection. Using dnt=1 may allow loading the embed under legitimate interest or without consent for strictly functional purposes, though the IP address transfer still occurs and legal opinions vary by jurisdiction. Consent-gated loading with dnt=1 provides the strongest compliance position.
Vimeo Inc. is headquartered in New York and processes viewer data in the United States. Vimeo uses Standard Contractual Clauses for EU-US data transfers and maintains a GDPR-compliant data processing addendum for business customers. The video CDN requests and analytics data are transmitted to US-based infrastructure. Website operators embedding Vimeo should execute Vimeo's Data Processing Addendum and document the SCC transfer mechanism in their Records of Processing Activities under GDPR Article 30.
Use a consent management platform to block Vimeo iframes by default. Replace embeds with a static thumbnail and play button that only loads the iframe after consent is granted. Add the dnt=1 parameter to all Vimeo embed URLs to disable tracking cookies even after consent, or use it as a no-consent fallback. Sign Vimeo's Data Processing Addendum in your Vimeo account settings. Update your cookie policy to list the vuid and player cookies along with their purpose, duration, and the US data transfer. Consider self-hosting critical videos using HTML5 video or an EU-based hosting alternative.
Websites using Vimeo Player must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA should assess: (1) whether dnt=1 sufficiently limits data collection for legitimate interest, or whether consent remains required, (2) transfer of viewer IP addresses and engagement data to Vimeo (US), (3) adequacy of Vimeo's Standard Contractual Clauses, (4) whether self-hosted HTML5 video eliminates the third-party risk, (5) data retention policies for video analytics.
Sample consent text
I consent to Vimeo Player loading and tracking my video viewing activity on this site. This may transfer my data to Vimeo Inc. in the United States. I can withdraw consent at any time via the cookie settings.
Third-party domains contacted
player.vimeo.complayer.vimeo.comvimeo.comvimeo.comf.vimeocdn.comvimeocdn.comfresnel.vimeo.comfresnel.vimeo.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| vuid | analytics | 2 years | Vimeo visitor and usage identifier used for analytics, content personalisation, and usage statistics |
| vuid | Analytics | 2 years | Vimeo unique visitor identifier used for video analytics, view counts and performance statistics |
| player | functional | 1 year | Stores user player preferences such as volume level, quality settings, and playback behaviour |
| player | Functional | 1 year | Stores Vimeo player preferences including volume level and playback quality settings |
Vimeo Player uses cookies for user preferences — inform visitors with a consent banner.
The Vimeo Player typically sets two cookies: vuid (analytics identifier, 2 years) and player (functional preferences, 1 year). Additional tracking cookies may be set if the viewer is logged into Vimeo. These cookies are placed when the embedded player loads, not only when playback begins.
Yes. Because the Vimeo Player sets analytics cookies and transmits the visitor's IP address to Vimeo's servers the moment it loads, consent is required under the ePrivacy Directive and GDPR. You must block the iframe from loading until the visitor accepts the relevant cookie categories.
When a Vimeo video is embedded and loads, Vimeo receives the visitor's IP address, browser and device information, page URL, referrer, and playback interactions. If the visitor is logged into Vimeo, this data can be linked to their account. This data is used for analytics, content delivery, and ad targeting.
Yes. Vimeo is headquartered in New York and processes data in the United States. Every embed loads assets from Vimeo servers, constituting an international data transfer. Vimeo relies on Standard Contractual Clauses and the EU-US Data Privacy Framework to legitimise transfers to the US.
No. Adding dnt=1 to the embed URL disables some analytics and prevents the vuid cookie in certain configurations, but the player still contacts Vimeo servers and transmits IP addresses. Consent is still required before loading the player in most EU/EEA contexts.
Configure your CMP to block the Vimeo iframe from rendering until the visitor consents to the media or analytics category. A common approach is to replace the embed with a thumbnail and consent notice. When consent is granted, the CMP triggers the iframe to load. Ensure consent records are stored and reconsent flows correctly.
Using dnt=1 reduces but does not completely prevent data transmission. For a genuinely cookie-free embed, block the iframe entirely until consent is given. Some CMP platforms offer a facade approach where a static thumbnail is shown until the user clicks to load the actual player, triggering a consent prompt first.
Yes. Your cookie policy must list all cookies set by the Vimeo Player embed, including vuid and player, along with their purpose, duration, and the data transfer to the United States. Categorise the player under media or analytics, specify the legal basis (consent), and provide a link to Vimeo's privacy policy.