ConsentMark
Free Scan
Y
Social EmbedHigh complexity

YouTube Embed

by Google

All product names, logos, and trademarks are the property of their respective owners. Their inclusion here is for identification purposes only and does not imply endorsement by Obscurity Ltd.

Sets cookies
No
Sends PII
No
Cross-site tracking
Yes
Consent required
Functional
Transfer mechanism
EU-US Data Privacy Framework

Overview

YouTube video embeds loaded via iframe on third-party websites. Standard embeds (youtube.com/embed/) set cookies and transmit data to Google's infrastructure on page load. The privacy-enhanced mode (youtube-nocookie.com/embed/) is widely misunderstood - despite the name, it still sets cookies when the user plays the video, and in some configurations sets cookies on page load. Multiple European DPAs have confirmed that YouTube embeds require consent under the ePrivacy Directive.

Detection capabilities

Signature count
2
Detection methods
network
Property types
hostnamepathname

Performance impact

Performance Impact

Requests per page
1

Common mistakes

  • 1Assuming youtube-nocookie.com eliminates all tracking - despite the name, it still sets cookies and transmits data to Google servers when the video is played, and may set cookies on embed load in some configurations
  • 2Embedding YouTube videos without consent because video content is considered essential editorial content, when the tracking bundled with the embed requires consent
  • 3Not using a facade pattern (static thumbnail with play button) to defer iframe loading until the user actively chooses to play the video
  • 4Failing to include YouTube embed cookies in the cookie declaration because they are loaded via iframe rather than directly by the site
  • 5Not recognising that YouTube embeds feed data into Google's advertising network even when the video itself is not monetised

Compliance considerations

YouTube embeds load iframes from youtube.com or youtube-nocookie.com and transmit viewing data to Google servers.

youtube-nocookie.com: Despite the name, this domain still sets cookies. The privacy-enhanced mode defers some cookie setting to playback rather than page load, but does not eliminate tracking. Organisations should not rely on youtube-nocookie.com as a substitute for proper consent management.

Consent: Consent required under ePrivacy Art 5(3). Multiple European DPAs (including the Austrian DSB and German state DPAs) have confirmed that YouTube embeds require prior consent before loading the iframe.

Facade pattern: Best practice for regulated organisations is to display a static thumbnail image with a play button that only loads the YouTube iframe after the user explicitly clicks to play and has granted consent.

International transfers: Google is certified under the EU-US Data Privacy Framework. Verify Google's current self-certification status.

CMP configuration: Categorise under functional or media consent. Block the YouTube iframe from loading until consent is granted, using a facade placeholder.

Related services

AddThis

Oracle (AddThis)

Social EmbedLow risk

1 detection signature

Co-Buying

co-buying

Social EmbedLow risk

1 detection signature

Ekoo

ekoo

Social EmbedLow risk

1 detection signature

Feedbackify

feedbackify

Social EmbedLow risk

2 detection signatures

Scan your site for Google

Run a free Consentmark scan to see how Google is loading on your site, whether it respects consent, and where governance gaps exist across your wider tag estate.

Start a free scan