YouTube nocookie is Google's privacy enhanced embed mode that serves videos from youtube-nocookie.com without setting tracking cookies on initial page load. Cookies activate only when the visitor clicks to play the video, making it the preferred GDPR friendly alternative to standard YouTube embeds. The iframe still transmits the visitor IP address to Google, so most data protection authorities recommend obtaining consent before loading the player. Many publishers combine youtube-nocookie with a two click solution or click to play wrapper to achieve full compliance with the ePrivacy Directive and national transpositions.
YouTube nocookie is the privacy enhanced embed mode operated by Google LLC on the dedicated host youtube-nocookie.com. When a publisher swaps the standard www.youtube.com iframe source for the youtube-nocookie.com variant, the player loads identical video content but suppresses the long lived advertising and personalisation cookies that the regular embed would set on first paint. The service is offered free of charge to any site that embeds YouTube videos and is documented in the official YouTube help centre as the recommended option for sites that want to limit cookie deposit. It is widely deployed across newsrooms, public sector portals, schools, and corporate sites that face strict expectations from European regulators.
A standard YouTube embed served from www.youtube.com sets advertising cookies such as VISITOR_INFO1_LIVE, YSC, and PREF the moment the iframe paints. YouTube nocookie suppresses those cookies on initial load, so a visitor who arrives on a page and never clicks the play button leaves no tracking footprint in the YouTube domain. The video thumbnail, the play button overlay, and the responsive sizing all behave identically, which makes the migration almost transparent for editorial teams. The host change is the only required code modification and most content management systems expose it as a single configuration toggle.
The privacy claim of YouTube nocookie applies strictly to the moment before interaction. As soon as the visitor clicks the play button or any control inside the player, Google sets the same cookie family used by the regular embed, including VISITOR_INFO1_LIVE, YSC, __Secure-YEC, LOGIN_INFO, and the PREF preference cookie on the .youtube.com domain. The visitor IP address is also transmitted to Google in every case, even before any click, because the browser must establish the TLS connection to fetch the iframe HTML, the player JavaScript, and the video stream from googlevideo.com. The Munich Regional Court Google Fonts ruling and similar decisions remind controllers that an IP address alone is personal data, which is why most data protection authorities recommend treating youtube-nocookie as a service that still requires consent.
The German two click solution, often called Zwei Klick Lösung, is the most defensible pattern for embedding YouTube nocookie. The page first displays a static thumbnail and a clear notice that the video is delivered by Google. The actual iframe is created only after the visitor explicitly accepts. Modern Consent Management Platforms ship dedicated YouTube blockers that replace the iframe with a custom placeholder, store the choice in a granular cookie purpose, and replay the interaction inside the embedded player so users do not have to click twice on the play button. Combining the no cookie host with deferred iframe injection delivers the best of both worlds, a clean default state with zero data flow and a smooth experience once consent has been granted.
Although youtube-nocookie is less intrusive than the standard embed, it still triggers an international transfer to Google LLC in the United States. Controllers should rely on the EU US Data Privacy Framework, complemented by Standard Contractual Clauses for any subsequent transfer, and document a transfer impact assessment in their records of processing activities. A full DPIA is appropriate when videos are embedded on health, finance, religion, or children oriented pages, when the volume of embedded views is high, or when the service is combined with Google Analytics and Google Tag Manager. The DPIA should describe the cookies set on interaction, the recipients in the Google ecosystem, the retention durations, and the technical safeguards such as referrer policy, sandboxing attributes, and Content Security Policy directives.
Positions diverge across European supervisory authorities. The French CNIL, the German Datenschutzkonferenz, and the Spanish AEPD generally consider that any embed referencing Google requires prior consent because of the IP transfer and the high probability of interaction. The Italian Garante and several Austrian decisions accept the no cookie variant as a lower risk option but still expect a clear information notice. The UK ICO under the post Brexit regime applies a similar pragmatic approach. The safe default for pan European deployments is to obtain consent before the iframe is created, document the legal basis in the privacy policy, and offer a fallback link to the public YouTube page for visitors who refuse, so editorial content remains accessible without compromising compliance.
Websites using YouTube nocookie must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when youtube-nocookie is used at scale, on pages targeting minors, or alongside other Google services. Key risks include IP transmission to Google LLC on iframe load, cookie activation after interaction, and onward data flows to the United States under the EU US Data Privacy Framework. Mitigation includes deploying a two click solution that delays iframe creation until consent, configuring a Consent Management Platform, documenting the international transfer assessment, and providing transparent information about Google as joint processor for the embed.
Sample consent text
This page contains videos delivered through YouTube in privacy enhanced mode (youtube-nocookie.com), a service operated by Google LLC. When you click play, Google will receive your IP address and set cookies on your device to deliver the video, measure performance, and personalise recommendations. By clicking accept, you consent to this processing and to the transfer of your data to the United States under the EU US Data Privacy Framework.
Third-party domains contacted
- youtube-nocookie.com
- www.youtube-nocookie.com
- s.ytimg.com
- googlevideo.com
- i.ytimg.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| VISITOR_INFO1_LIVE | third_party | 6 months | Set on the .youtube.com domain only after the visitor interacts with the player. Estimates the visitor bandwidth on pages with integrated YouTube videos and contributes to ad measurement. Not present before the first click on the youtube-nocookie embed. |
| YSC | third_party | session | Set on the .youtube.com domain after interaction. Used by YouTube to keep statistics on viewed videos for the current session. Acts as a session identifier inside the embedded player and is required for playback continuity. Not present before user interaction. |
| __Secure-YEC | third_party | 1 year | Set on the .youtube.com domain after interaction. Used for experiment grouping and the rollout of new player features. Marked Secure and SameSite to limit transmission to HTTPS contexts. Fires only once the visitor has engaged with the player. |
| LOGIN_INFO | third_party | 2 years | Set on the .youtube.com domain when the visitor is signed in to a Google account and interacts with the player. Carries authenticated session tokens for personalised features such as resume playback and watch history. Persistent identifier used across the Google ecosystem. |
| PREF | third_party | 2 years | Set on the .youtube.com domain when the visitor interacts with the player. Stores user preferences such as preferred playback quality, captions language, and player size. Considered a non strictly necessary cookie under the ePrivacy Directive, so consent is required. |
| GPS | third_party | 30 minutes | Set on the .youtube.com domain after interaction on mobile devices. Registers a unique identifier on mobile to track geographical location based on GPS data. Not present before the first user engagement with the youtube-nocookie embed. |
YouTube nocookie uses cookies for user preferences — inform visitors with a consent banner.
On initial page load the youtube-nocookie.com iframe does not set any tracking cookies, which is the entire point of the privacy enhanced mode. Once the visitor clicks play or interacts with the player, Google sets the same cookies as the regular YouTube embed on the .youtube.com domain, including VISITOR_INFO1_LIVE for visitor identification, YSC for session metrics, __Secure-YEC for experiment tracking, LOGIN_INFO for signed in users, and PREF for preference storage. Cookies have lifetimes that range from session duration up to two years, so the post interaction footprint is significant.
In most European jurisdictions the safe answer is yes, even though Google labels the mode privacy enhanced. The iframe transmits the visitor IP address to Google in the United States as soon as it loads, which the CNIL, the German DSK, and the AEPD treat as personal data processing that requires either consent or another valid legal basis. Cookies are set on interaction, which independently triggers Article 5(3) of the ePrivacy Directive. The defensive default is to obtain prior opt in consent before the iframe is created, typically through a two click solution paired with a Consent Management Platform.
The recommended legal basis under the GDPR is consent under Article 6(1)(a), aligned with Article 5(3) of the ePrivacy Directive for the cookies set after interaction. Some controllers argue legitimate interest under Article 6(1)(f) for the no cookie iframe load alone, on the basis that no identifier is dropped at that stage. That argument is weakened by the IP transfer to Google LLC and by the high probability of click through, so most legal advisors recommend treating the embed as a consent based processing from the outset. Whatever basis is chosen must be documented in the records of processing activities and disclosed in the privacy notice.
Yes. The youtube-nocookie.com host is operated by Google LLC and the video stream is delivered from googlevideo.com servers in the United States and other regions through Google's global content delivery network. The transfer relies on the EU US Data Privacy Framework adequacy decision adopted by the European Commission in July 2023, complemented by Standard Contractual Clauses for any further transfers. Controllers should perform a transfer impact assessment that documents the safeguards applied by Google, including encryption in transit, access controls, and the redress mechanism available to EU data subjects under the Framework.
A DPIA is not automatically required for every site that embeds youtube-nocookie, but it is strongly advised in several scenarios. These include embedding videos on pages targeted at minors, on health, finance, or religion related content, on sites with very high traffic, or where the service is combined with other Google products such as Analytics, Ads, or Tag Manager. The DPIA should describe the cookies activated on interaction, the international transfer to Google LLC, the categories of data subjects, the retention durations, and the mitigation measures such as the two click solution, sandbox attributes, and a strict Content Security Policy.
Replace the iframe source from www.youtube.com to www.youtube-nocookie.com, then block the iframe injection until the visitor explicitly grants consent. The two click solution first renders a static thumbnail and a notice that explains Google's role and the IP transfer. The first click loads the actual iframe, the second click starts the video. Modern Consent Management Platforms automate this pattern through dedicated YouTube blockers that integrate with the consent state, so editors do not have to write custom JavaScript. Add referrerpolicy, sandbox, and loading attributes on the iframe to harden the integration, and document the chosen pattern in the privacy notice.
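The deferred injection described above, as an added example that is not code from this page or from any Consent Management Platform: it normalises an editor-supplied YouTube URL to the nocookie host and describes either a placeholder that makes no request to Google or the hardened iframe. The function names, the `/thumbs/` path, the constructed video ID and the sandbox token set are assumptions.

```javascript
// Added example, not the page's code. Function names, the thumbnail path and the
// sandbox token set are assumptions; confirm the tokens against the player you embed.
const ID_RE = /^[A-Za-z0-9_-]{11}$/;
const SAMPLE_URL = 'https://www.youtube.com/watch?v=abcDEF12_-x'; // constructed ID

// Pull the video ID out of common YouTube URL shapes; null for anything else.
function extractVideoId(input) {
  let url;
  try { url = new URL(input); } catch { return null; }
  if (url.protocol !== 'https:') return null;
  const host = url.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtu.be') id = url.pathname.slice(1);
  else if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    if (url.pathname === '/watch') id = url.searchParams.get('v');
    else if (url.pathname.startsWith('/embed/')) id = url.pathname.slice(7);
  }
  return id && ID_RE.test(id) ? id : null;
}

// Before consent: a placeholder with no request to Google. After: the hardened iframe.
function planEmbed(sourceUrl, consentGranted) {
  const id = extractVideoId(sourceUrl);
  if (!id) return { kind: 'invalid' };
  if (!consentGranted) return {
    kind: 'placeholder',
    thumbnail: `/thumbs/${id}.jpg`, // hypothetical self-hosted copy, not i.ytimg.com
    notice: 'This video is delivered by Google (youtube-nocookie.com).',
    fallbackUrl: `https://www.youtube.com/watch?v=${id}`, // plain link for refusals
  };
  return { kind: 'iframe', attrs: {
    src: `https://www.youtube-nocookie.com/embed/${id}`,
    referrerpolicy: 'strict-origin-when-cross-origin', // origin only, no page path
    sandbox: 'allow-scripts allow-same-origin allow-presentation',
    loading: 'lazy',
  } };
}

// Browser wiring: the iframe element is created only inside the click handler.
function mountOnAccept(container, acceptButton, sourceUrl) {
  acceptButton.addEventListener('click', () => {
    const plan = planEmbed(sourceUrl, true);
    if (plan.kind !== 'iframe') return;
    const frame = document.createElement('iframe');
    for (const [k, v] of Object.entries(plan.attrs)) frame.setAttribute(k, v);
    container.replaceChildren(frame);
  }, { once: true });
}
```

A Content Security Policy with `frame-src https://www.youtube-nocookie.com` backs this up by refusing a standard www.youtube.com frame that slips into a template.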
Several alternatives exist depending on the use case. PeerTube is a self hosted federated video platform built on ActivityPub that keeps all data on infrastructure controlled by the publisher. Vimeo offers a Do Not Track mode and an enterprise plan that disables third party advertising trackers. Native HTML5 video served from your own CDN gives full control over hosting, cookies, and transfers but requires more bandwidth and transcoding work. For audio heavy content a self hosted player or services like Spreaker can replace YouTube entirely. The right choice depends on traffic volume, editorial workflow, and the level of analytics required.
Add a dedicated section in the cookie policy that names Google LLC as the operator, lists the cookies set on interaction with their durations and purposes, describes the IP transmission that occurs on iframe load, and explains the legal basis chosen for the processing. Mention the international transfer to the United States under the EU US Data Privacy Framework and link to Google's privacy policy. Provide instructions for revoking consent through the Consent Management Platform and a link to the YouTube public page as a fallback for visitors who refuse. Update the records of processing activities accordingly and review the policy whenever Google changes the cookie inventory.