Overview
YouTube video embeds loaded via iframe on third-party websites. Standard embeds set cookies and transmit data to Google's infrastructure on page load. The privacy-enhanced mode (youtube-nocookie.com) defers some cookie setting to playback rather than page load, but does not eliminate tracking. Multiple European DPAs have confirmed that YouTube embeds require consent under the ePrivacy Directive. Although rendered as a visible social-embed widget, YouTube feeds viewing data into Google's advertising network - treat as tracking.
Detection capabilities
- Signature count
- 4
- Detection methods
- network
- Property types
- hostnamepathname
Performance impact
Performance Impact
- Requests per page
- 2
Common mistakes
- 1Embedding YouTube videos using the standard embed URL (youtube.com) instead of the privacy-enhanced mode (youtube-nocookie.com), which causes cookies to be set on page load before the user interacts with the video
- 2Assuming that youtube-nocookie.com eliminates all tracking - it defers cookie setting until playback but still makes network requests to Google servers that transmit IP addresses and other data
- 3Not blocking YouTube embeds behind consent because video content is considered essential, when the tracking functionality bundled with the embed clearly requires advertising consent
- 4Using a facade or placeholder image approach but loading the full YouTube iframe in the background, which negates the privacy benefit
- 5Failing to account for YouTube embeds in the cookie audit - the VISITOR_INFO1_LIVE, YSC, and GPS cookies set by YouTube are often missing from cookie declarations
- 6Not recognising that YouTube embeds feed data into Google's advertising network even when the video itself is not monetised
Compliance considerations
YouTube embeds load iframes from youtube.com or youtube-nocookie.com and transmit viewing data to Google servers in the United States. Under GDPR, this constitutes personal data processing requiring consent, particularly because YouTube embeds feed into Google's advertising network even when the video itself is not monetised.
youtube-nocookie.com: Despite the name, this domain still sets cookies. The privacy-enhanced mode defers some cookie setting to playback rather than page load, but does not eliminate tracking. Organisations should not rely on youtube-nocookie.com as a substitute for proper consent management.
Consent: Consent required under ePrivacy Art 5(3). Multiple European DPAs (including the Austrian DSB and German state DPAs) have confirmed that YouTube embeds require prior consent before loading the iframe.
Facade pattern: Best practice for regulated organisations is to display a static thumbnail image with a play button that only loads the YouTube iframe after the user explicitly clicks to play and has granted consent.
International transfers: Google is certified under the EU-US Data Privacy Framework. Verify Google's current self-certification status.
CMP configuration: Categorise under functional or media consent. Block the YouTube iframe from loading until consent is granted, using a facade placeholder.
Related services
Scan your site for Google
Run a free ConsentMark scan to see how Google is loading on your site, whether it respects consent, and where governance gaps exist across your wider tag estate.
Start a free scan