YouTube is Google's video-sharing platform used by millions of websites to embed video content. Standard YouTube embeds load tracking cookies from google.com and youtube.com before any viewer interaction, requiring prior consent under GDPR and the ePrivacy Directive. The privacy-enhanced embed (youtube-nocookie.com) reduces the cookie footprint and may allow embeds without upfront consent, though it still transfers data to Google in the US. A consent management platform should gate all standard YouTube embeds, or the cookieless embed variant should be used with appropriate disclosure.
YouTube, owned by Google LLC, is the world's largest video-sharing platform. Millions of websites embed YouTube videos using the YouTube IFrame API or a simple iframe tag. When a visitor lands on a page with a standard YouTube embed, the YouTube player loads immediately, setting cookies and sending requests to Google servers before the user has clicked anything. This automatic data collection is the core compliance challenge for European websites under GDPR and the ePrivacy Directive.
Standard YouTube embeds set several persistent cookies including VISITOR_INFO1_LIVE (visitor identification, 6 months), YSC (session tracking), PREF (user preferences, 2 years), and CONSENT (Google consent state, 2 years). When ads are enabled on embedded videos, DoubleClick cookies are also set. Beyond cookies, YouTube collects IP address, device information, video interaction events (play, pause, seek, duration watched), and referrer data. All this data flows to Google infrastructure in the United States.
Under the ePrivacy Directive (implemented in national cookie laws across EU member states), storing or accessing cookies on a user's device requires prior informed consent unless those cookies are strictly necessary. YouTube tracking cookies are not strictly necessary for the operation of the website, so consent is required before a standard YouTube embed loads. The GDPR additionally requires a valid legal basis for processing personal data, which for YouTube analytics and advertising cookies is consent (Art. 6(1)(a)). Supervisory authorities across Europe, including the French CNIL and the German DSK, have published guidance confirming that YouTube embeds without prior consent violate applicable law.
Google provides a privacy-enhanced mode via youtube-nocookie.com. When embedding via this domain, YouTube does not set tracking cookies until the user clicks play. This significantly reduces the cookie footprint and data collection at page load. Many DPAs and legal commentators accept the nocookie embed as compatible with a legitimate interest basis, provided the website operator discloses the data transfer and provides an objection mechanism. However, youtube-nocookie.com still contacts Google servers when the page loads, transferring the visitor's IP address to the US, so complete elimination of data transfer is not achieved. Organisations in heavily regulated sectors or those serving sensitive audiences should still consider a consent-gate approach even for nocookie embeds.
All YouTube data processing occurs on Google infrastructure in the United States. Google relies on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers under GDPR Chapter V. Google publishes a GDPR-compliant Data Processing Agreement (DPA) and Transfer Impact Assessment (TIA). Publishers should accept Google's DPA and document the SCC reliance in their Record of Processing Activities (RoPA). The Schrems II ruling continues to require case-by-case assessment of US transfers, and publishers should note that US intelligence law (FISA 702) may allow access to data held by US entities.
To embed YouTube compliantly: (1) Switch all embeds to youtube-nocookie.com and document legitimate interest in your RoPA, or use a CMP to block embeds until consent is given. (2) If using a CMP, configure YouTube under the advertising or functional cookie category as appropriate. (3) Accept Google's DPA and reference it in your privacy policy. (4) Disclose YouTube embeds, the cookies they set, and the US data transfer in your cookie policy. (5) Implement Google Consent Mode v2 if using YouTube alongside Google Ads to pass consent signals correctly. (6) For sites with high EU traffic, consider a DPIA to document the residual risks of Google data collection.
Websites using YouTube must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for websites embedding YouTube at scale where viewer behaviour data is systematically collected and combined with other user data. Large media publishers and platforms with significant EU traffic should document the privacy risks of Google data collection via embeds.
Sample consent text
This website embeds videos from YouTube. When you play a video, YouTube may set cookies and collect data about your viewing behaviour, even using the privacy-enhanced embed. Data is transferred to Google in the US. You can block YouTube embeds in your cookie preferences.
Third-party domains contacted
www.youtube.com, youtube-nocookie.com, s.ytimg.com, googlevideo.com, doubleclick.net

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| VISITOR_INFO1_LIVE | persistent | 6 months | YouTube visitor identification and ad personalisation |
| YSC | session | Session | YouTube session identifier to track video views within a session |
| PREF | persistent | 2 years | Stores YouTube user preferences such as playback quality and volume |
| CONSENT | persistent | 2 years | Stores Google consent state across Google services |
| IDE | persistent | 13 months | Google DoubleClick advertising cookie for ad targeting and conversion measurement on videos with ads |
YouTube uses cookies for user preferences — inform visitors with a consent banner.
A standard YouTube embed sets several cookies before any user interaction: VISITOR_INFO1_LIVE (persistent, 6 months, visitor identification and ad targeting), YSC (session, tracks video views), PREF (persistent, 2 years, user preferences), and CONSENT (persistent, 2 years, stores Google consent state). When videos include ads, DoubleClick cookies such as IDE (persistent, 13 months) are also set. Using the youtube-nocookie.com embed domain prevents cookies from being set until the user clicks play.
Yes, for standard YouTube embeds. Under the ePrivacy Directive and national cookie laws, placing non-essential cookies requires prior consent. Standard YouTube embeds fire tracking cookies on page load before any user action, which is not permitted without consent. You have two compliant options: (1) use a CMP to block the embed entirely until the user accepts analytics or advertising cookies, or (2) switch to the youtube-nocookie.com embed, which is widely accepted as compatible with a legitimate interest basis if disclosed properly in your privacy policy.
Largely yes, for most EU jurisdictions. The youtube-nocookie.com embed does not set cookies until the user clicks play, which removes the upfront cookie consent requirement. However, it still contacts Google servers when the page loads, transferring the visitor IP address to Google in the US. For this reason, you still need to: disclose YouTube embeds and the US data transfer in your privacy policy, document your legitimate interest assessment, and provide an opt-out mechanism. Some stricter interpretations (particularly in Germany and France) may still require consent even for the nocookie embed, so check local DPA guidance.
YouTube collects: (1) IP address and approximate geolocation; (2) device and browser information (user agent, screen resolution, language); (3) video interaction events including play, pause, seek, volume changes, and watch time; (4) referrer URL showing which page the embed is on; (5) Google Account data if the viewer is signed into Google; (6) advertising identifiers for ad targeting if ads are enabled. All this data is associated with YouTube viewer profiles and used for personalised advertising across Google's ad network.
Yes. YouTube is operated by Google LLC, a US company, and all data processing occurs on Google infrastructure in the United States. Google transfers EU personal data to the US under Standard Contractual Clauses (SCCs, 2021 edition) as the legal mechanism under GDPR Chapter V. Google also maintains a Transfer Impact Assessment (TIA). Website operators who embed YouTube should: (1) accept Google's Data Processing Agreement (DPA) via their Google account, (2) reference the Google DPA and SCCs in their privacy policy and Records of Processing Activities, (3) document their own TIA for the YouTube embed use case.
A formal DPIA is not automatically required for all YouTube embeds, but it is recommended in these scenarios: (1) your website has a large-scale EU audience and embeds YouTube extensively; (2) you combine YouTube viewer data with other personal data from your platform; (3) you use YouTube embeds alongside personalised advertising. A DPIA documents the risks of transferring viewing behaviour data to Google in the US and the measures taken to mitigate them. Even where a full DPIA is not required, a lightweight legitimate interest assessment (LIA) should be completed if relying on the nocookie embed.
The most compliant implementations are: (1) Cookieless embed: replace youtube.com with youtube-nocookie.com in all embed URLs, disclose this in your privacy policy, and document a legitimate interest assessment. (2) Consent-gated embed: use your CMP to block the iframe from loading until the user accepts the relevant cookie category. Display a placeholder image with a consent notice until cookies are accepted. (3) Facade technique: show a static thumbnail with a play button. Only load the actual YouTube iframe when the user clicks the play button, triggering a consent prompt first. Always accept Google's DPA and reference YouTube in your cookie policy and privacy policy.
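The cookieless and consent-gated options above can be combined: rewrite each embed to youtube-nocookie.com and withhold its `src` until the CMP reports consent. The JavaScript below is an added example, not code from Google, YouTube or any CMP; the function names, the `data-consent-src` and `data-consent-category` attributes, the 11-character video ID check and the sample HTML used to exercise it are assumptions made for illustration.

```javascript
// Added example (not from the original page). Attribute and function names are hypothetical.
const YT_HOSTS = new Set(["youtube.com", "www.youtube.com", "m.youtube.com",
  "youtu.be", "youtube-nocookie.com", "www.youtube-nocookie.com"]);

// Return the video ID from watch, short-link, or embed URLs; null for anything else.
function videoId(rawUrl) {
  let u;
  // The base only resolves protocol-relative URLs; relative paths fail the host check.
  try { u = new URL(rawUrl, "https://placeholder.invalid/"); } catch { return null; }
  if (!YT_HOSTS.has(u.hostname)) return null; // exact match, so youtube.com.evil.example fails
  let id = null;
  if (u.hostname === "youtu.be") id = u.pathname.slice(1);
  else if (u.pathname.startsWith("/embed/")) id = u.pathname.slice("/embed/".length);
  else if (u.pathname === "/watch") id = u.searchParams.get("v");
  // Assumption: IDs are 11 characters from [A-Za-z0-9_-]; this also blocks attribute injection.
  return id && /^[\w-]{11}$/.test(id) ? id : null;
}

// Cookieless variant: same video, served from youtube-nocookie.com.
function nocookieUrl(rawUrl) {
  const id = videoId(rawUrl);
  return id ? `https://www.youtube-nocookie.com/embed/${id}` : null;
}

// Consent gate: strip src from YouTube iframes so the browser requests nothing
// from Google on page load; the target URL is parked in a data attribute.
function gateEmbeds(html, category = "advertising") {
  return html.replace(/<iframe\b([^>]*?)\ssrc=(["'])(.*?)\2([^>]*)>/gi,
    (tag, before, quote, src, after) => {
      const safe = nocookieUrl(src);
      if (!safe) return tag; // not a YouTube embed: leave untouched
      return `<iframe${before} data-consent-src="${safe}"` +
             ` data-consent-category="${category}"${after}>`;
    });
}

// Browser side: call from the CMP's consent callback with the accepted categories.
function activateEmbeds(root, granted) {
  let loaded = 0;
  for (const el of root.querySelectorAll("iframe[data-consent-src]")) {
    if (!granted.includes(el.getAttribute("data-consent-category"))) continue;
    el.setAttribute("src", el.getAttribute("data-consent-src"));
    el.removeAttribute("data-consent-src");
    loaded++;
  }
  return loaded;
}
```

The regular expression only matches quoted `src` attributes, so an embed written with an unquoted `src` passes through ungated; run templates through an HTML parser where that matters.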
Your privacy policy should include: (1) a description of YouTube embeds and their purpose (e.g., displaying product demos or tutorials); (2) the cookies YouTube sets and their duration; (3) the data transferred to Google in the US and the SCC legal basis; (4) a link to Google's privacy policy and the YouTube Terms of Service; (5) your contact for data requests. Your cookie notice should list VISITOR_INFO1_LIVE, YSC, PREF, and CONSENT under the appropriate category (functional or advertising) with accurate durations. If using youtube-nocookie.com, document this in the privacy policy as a privacy-enhancing measure and explain that an IP transfer to Google still occurs.