ConsentMark
Free Scan
YouTube logo
AdvertisingHigh complexity

YouTube

by youtube

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.

Sets cookies
Yes
Sends PII
No
Cross-site tracking
No
Consent required
Advertising / Marketing
Cookies
VISITOR_INFO1_LIVEYSCGPSPREF

Overview

Among the most common third-party tracking findings in tag governance audits. Standard YouTube embeds set cookies and transmit data to Google's advertising infrastructure even when the visitor does not interact with the video. The privacy-enhanced mode (youtube-nocookie.com) defers some cookie setting but does not eliminate data collection, and is frequently misunderstood as a complete privacy solution. Multiple European DPAs have confirmed that standard YouTube embeds require consent under the ePrivacy Directive.

Detection capabilities

Signature count
2
Detection methods
network
Property types
hostnamepathname

Performance impact

Performance Impact

Requests per page
2

Common mistakes

  • 1Embedding YouTube videos using the standard embed URL (youtube.com) instead of the privacy-enhanced mode (youtube-nocookie.com), which causes cookies to be set on page load before the user interacts with the video
  • 2Assuming that youtube-nocookie.com eliminates all tracking - it defers cookie setting until playback but still makes network requests to Google servers that transmit IP addresses and other data
  • 3Not blocking YouTube embeds behind consent because video content is considered essential, when the tracking functionality bundled with the embed clearly requires advertising consent
  • 4Using a facade or placeholder image approach but loading the full YouTube iframe in the background, which negates the privacy benefit
  • 5Failing to account for YouTube embeds in the cookie audit - the VISITOR_INFO1_LIVE, YSC, and GPS cookies set by YouTube are often missing from cookie declarations

Compliance considerations

YouTube embeds set third-party cookies (VISITOR_INFO1_LIVE, YSC, GPS) and transmit viewing data to Google servers in the United States. Under GDPR, this constitutes personal data processing requiring consent, particularly because YouTube embeds feed into Google's advertising network. Multiple European DPAs have confirmed that standard YouTube embeds require consent under the ePrivacy Directive. The privacy-enhanced mode (youtube-nocookie.com) reduces but does not eliminate data collection and is not a substitute for proper consent management. Best practice for regulated organisations is to use a facade pattern (static thumbnail with play button) that only loads the YouTube iframe after explicit consent is granted. The EU-US Data Privacy Framework covers Google's data transfers, but organisations should verify Google's self-certification status.

Related services

6sense

6sense

AdvertisingLow risk

2 detection signatures

Adjust

adjust

AdvertisingLow risk

3 detection signatures

Adobe Audience Manager

Adobe

AdvertisingLow risk

1 detection signature

Amazon Ads

amazon

AdvertisingLow risk

1 detection signature

Scan your site for youtube

Run a free Consentmark scan to see how youtube is loading on your site, whether it respects consent, and where governance gaps exist across your wider tag estate.

Start a free scan