What Happens When You Embed a YouTube Video

A standard YouTube iframe loads resources from youtube.com the moment a visitor opens your page. Before anyone presses play, Google sets several cookies - including VISITOR_INFO1_LIVE, YSC, and GPS - and transmits data such as the visitor's IP address, browser fingerprint, and viewing context back to its servers.

Under the ePrivacy Directive, Article 5(3) requires consent before storing or accessing information on a user's device. That obligation covers HTTP cookies, local storage, session storage, and IndexedDB alike. A YouTube embed that fires on page load without prior consent breaches this rule in every EU and EEA member state.

YouTube is embedded on millions of websites. Each unguarded embed creates a compliance gap that data protection authorities have shown increasing willingness to pursue.

How Privacy-Enhanced Mode Works

YouTube offers a feature called privacy-enhanced mode. When sharing a video, selecting this option changes the embed domain from youtube.com to youtube-nocookie.com. Google states that this domain delays cookie storage until the visitor actually clicks play.

To enable it, click Share on any YouTube video, select Embed, and tick the checkbox labelled "Enable privacy-enhanced mode." The generated iframe code will use https://www.youtube-nocookie.com/embed/VIDEO_ID instead of the standard domain. You can also swap the domain manually in existing embed code.

What Privacy-Enhanced Mode Actually Does

The mode prevents HTTP cookies from being set on initial page load. That is a genuine improvement over the standard embed.

It does not, however, prevent YouTube from writing to local storage. When the iframe loads, YouTube stores identifiers including yt-remote-device-id and ytidb::LAST_RESULT_ENTRY_KEY in the browser's local storage under the youtube-nocookie.com origin. These persist across sessions and can track the device regardless of interaction.

Once a visitor presses play, standard YouTube cookies are set. At that point, the behaviour is identical to a regular embed - data flows to Google, and tracking begins in full.

Why Privacy-Enhanced Mode Is Not Enough for GDPR Compliance

Article 5(3) of the ePrivacy Directive does not distinguish between cookies and other storage mechanisms. Local storage access requires the same prior consent as cookie placement. Because privacy-enhanced mode writes to local storage on page load, it still falls short of GDPR consent requirements.

The CNIL has been particularly clear on this point. Its guidance treats any technology that reads from or writes to a user's terminal equipment as subject to consent obligations, with narrow exceptions for strictly necessary operations. A YouTube embed does not qualify as strictly necessary for the functioning of a website.

| Behaviour | Standard Embed | Privacy-Enhanced Mode | Placeholder with Consent |
| --- | --- | --- | --- |
| Cookies on page load | Yes | No | No |
| Local storage on page load | Yes | Yes | No |
| Data sent to Google on load | Yes | Yes | No |
| Cookies on play | Yes | Yes | Yes (after consent) |
| Requires cookie consent | Yes | Yes | Consent built in |
| GDPR compliant by default | No | No | Yes |

The Placeholder Approach: Block First, Load After Consent

The most robust method is the two-click solution, sometimes called the placeholder approach. Instead of loading an iframe immediately, you display a static preview image of the video with an overlay explaining that clicking will load content from YouTube and set cookies.

Only after the visitor clicks does the iframe load. No data reaches Google until the visitor has given informed permission.

How to Implement a Placeholder

The basic pattern uses a data-src attribute instead of src on the iframe. A small script listens for the consent event from your cookie banner or from a click on the placeholder, then copies data-src to src, which triggers the iframe to load.

Here is a simplified HTML structure:

<div class="youtube-placeholder" data-video="VIDEO_ID">
  <img src="/images/yt-placeholder-VIDEO_ID.jpg" alt="Video thumbnail">
  <button>Load video (sets YouTube cookies)</button>
</div>

The thumbnail image should be hosted locally rather than fetched from YouTube's image servers, since requesting img.youtube.com also transmits visitor data to Google before consent. Cache the thumbnail on your own server or CDN during development.
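One way to script the activation for the placeholder markup above, covering both the click and the banner consent signal. This is an added example, not code from the original page or from any CMP. The `consent:media` event name and the function names are hypothetical, and the 11-character ID check assumes the format YouTube currently issues.

```javascript
// Added example. Markup contract (from the snippet above):
//   <div class="youtube-placeholder" data-video="VIDEO_ID"> ... <button> ... </div>
// Assumption: video IDs are 11 URL-safe characters, as YouTube currently issues them.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Build the embed URL only from a validated ID, so a tampered data-video
// attribute cannot point the iframe at another path or origin.
function embedUrl(videoId) {
  return VIDEO_ID.test(videoId || '')
    ? `https://www.youtube-nocookie.com/embed/${videoId}`
    : null;
}

// Swap one placeholder for a real iframe. Nothing is requested from
// YouTube until this runs. Returns the iframe, or null if skipped.
function activate(box, doc) {
  if (box.hasAttribute('data-loaded')) return null; // already activated
  const src = embedUrl(box.getAttribute('data-video'));
  if (!src) return null; // malformed ID: leave the placeholder in place
  const iframe = doc.createElement('iframe'); // DOM API, no innerHTML
  iframe.setAttribute('src', src);
  iframe.setAttribute('title', 'YouTube video player');
  iframe.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
  iframe.setAttribute('allowfullscreen', '');
  box.replaceChildren(iframe);
  box.setAttribute('data-loaded', 'true');
  return iframe;
}

// Per-video click consent, plus a site-wide consent signal.
// "consent:media" is a hypothetical event name: dispatch it from your
// CMP's real callback for the media/marketing category.
function wire(doc) {
  const boxes = Array.from(doc.querySelectorAll('.youtube-placeholder'));
  for (const box of boxes) {
    const button = box.querySelector('button');
    if (button) button.addEventListener('click', () => activate(box, doc));
  }
  doc.addEventListener('consent:media', () => {
    boxes.forEach((box) => activate(box, doc));
  });
  return boxes.length;
}

if (typeof document !== 'undefined') wire(document); // skipped outside a browser
```

Load the script with `defer` or at the end of the body so the placeholders exist when `wire` runs.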

Integrating with Your Cookie Banner

If your site already uses a consent management platform, tie YouTube loading to the marketing or media cookie category. When a visitor accepts that category, the CMP fires a callback that activates all blocked iframes.

Kukie.io supports conditional script loading through its callback API, which can trigger iframe activation when the relevant consent category is granted. The GTM blocking approach works similarly if your embeds are managed through Google Tag Manager.

What About Other Video Platforms?

YouTube is the most common embed, but Vimeo, Dailymotion, and other platforms raise the same questions. Vimeo offers a dnt=1 parameter that reduces tracking, though it does not eliminate all data transfers. The same placeholder logic applies to any third-party embed that sets cookies or accesses device storage.

Social media embeds from Twitter, Instagram, and Facebook carry similar risks. Each loads third-party resources and sets tracking cookies. The principle remains consistent: block the embed, show a placeholder, and load only after consent.

Common Mistakes with YouTube Embeds and Consent

Assuming privacy-enhanced mode is sufficient is the most frequent error. Switching to youtube-nocookie.com without additional blocking leaves local storage writes unaddressed.

Loading thumbnails directly from img.youtube.com is another oversight. Even a thumbnail request sends the visitor's IP address and user agent to Google, which constitutes personal data processing under the GDPR.

Some sites block the iframe but forget to block other YouTube-related scripts loaded through Google Tag Manager or embedded in page templates. A thorough audit with a cookie scanner will reveal any scripts that slip through.

Failing to update the cookie policy is a subtler problem. If your cookie policy does not mention YouTube cookies by name - VISITOR_INFO1_LIVE, YSC, IDE - it lacks the specificity that regulators expect.
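A static check for the first two mistakes above, plus directly referenced YouTube scripts, run over a page's served HTML. This is an added example and not part of the original article; `auditHtml` and the sample markup are constructed for illustration. It only sees tags present in the HTML source, so embeds injected by scripts or Google Tag Manager still need the scanner-based audit described above.

```javascript
// Added example: static check for YouTube resources that load before consent.
const YT_HOST = /(^|\.)(youtube|youtube-nocookie)\.com$/i;
// A real src= attribute only; data-src is preceded by "-" and is not matched.
const TAG_SRC = /<(iframe|img|script)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;

function describe(tag, host) {
  if (tag === 'img') return 'thumbnail request sends IP address and user agent to Google';
  if (tag === 'script') return 'YouTube script loads before consent';
  return host.endsWith('youtube-nocookie.com')
    ? 'privacy-enhanced iframe still writes local storage on load'
    : 'standard iframe sets cookies on load';
}

function auditHtml(html) {
  const findings = [];
  for (const [, rawTag, src] of html.matchAll(TAG_SRC)) {
    let host;
    try {
      // Base URL resolves relative and protocol-relative src values.
      host = new URL(src, 'https://site.invalid/').hostname;
    } catch {
      continue; // unparsable src: nothing to classify
    }
    if (!YT_HOST.test(host)) continue;
    const tag = rawTag.toLowerCase();
    findings.push({ tag, host, issue: describe(tag, host) });
  }
  return findings;
}

// Constructed sample page: two unguarded resources, two compliant ones.
const SAMPLE_HTML = `
<iframe src="https://www.youtube-nocookie.com/embed/abcDEF12_-x"></iframe>
<img src="https://img.youtube.com/vi/abcDEF12_-x/hqdefault.jpg" alt="">
<img src="/images/yt-placeholder-abcDEF12_-x.jpg" alt="Video thumbnail">
<iframe data-src="https://www.youtube.com/embed/abcDEF12_-x"></iframe>`;

console.log(auditHtml(SAMPLE_HTML));
```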

Regulatory Enforcement and YouTube Cookies

The CNIL has been active in enforcing cookie consent rules, with fines against organisations that loaded tracking technologies without prior consent. Its cookie guidelines explicitly cover scenarios where third-party content sets cookies or equivalent trackers.

German data protection authorities hold the same position. Under the DSGVO and the TTDSG (Telecommunications Telemedia Data Protection Act), embedding YouTube without consent is a clear violation.

For sites serving UK visitors, the ICO's guidance under the UK GDPR and PECR applies the same logic: storage of information on a user's device requires consent unless strictly necessary for the requested service.

Frequently Asked Questions

Does youtube-nocookie.com set cookies?

It does not set HTTP cookies on page load, but it writes identifiers to local storage immediately. Once a visitor clicks play, standard YouTube cookies are set. Both local storage and cookies require prior consent under the ePrivacy Directive.

Is YouTube privacy-enhanced mode GDPR compliant?

Not on its own. Privacy-enhanced mode reduces cookie exposure on page load but still writes to local storage and sends data to Google. Full GDPR compliance requires blocking the iframe entirely until the visitor grants consent.

How do I embed YouTube videos without cookies?

Use a placeholder approach: display a locally hosted thumbnail image with a consent notice. Only load the YouTube iframe after the visitor clicks to accept. This prevents any data transfer to Google before consent is given.

Do I need consent for YouTube thumbnails loaded from img.youtube.com?

Yes. Requesting a thumbnail from YouTube's servers sends the visitor's IP address and user agent to Google, which constitutes personal data processing. Host thumbnails locally to avoid this.

Can I use Google Tag Manager to block YouTube embeds?

Yes. You can configure GTM to load YouTube iframes only after a consent signal fires. Use a consent initialisation trigger to hold all YouTube-related tags until the visitor accepts the relevant cookie category.

What YouTube cookies should I list in my cookie policy?

Common YouTube cookies include VISITOR_INFO1_LIVE, YSC, GPS, IDE, and PREF. Also disclose the use of local storage identifiers such as yt-remote-device-id under the youtube-nocookie.com domain.
