Businesses, media outlets, and bloggers commonly embed YouTube videos into their websites. It’s the simplest way to incorporate video without drastically impacting site speed. While this simple strategy makes using video infinitely easier, it also comes with a downside when it comes to privacy regulations.
YouTube tracks user interactions with embedded videos using tracking cookies and other tracking technologies for recommendations, analytics, and marketing purposes. Cookies are set even if the user doesn’t interact with the video, unless privacy enhanced mode is enabled. In other words, when you embed a video, you are inviting third-party cookies on your site.
This can cause some complications when it comes to General Data Protection Regulation (GDPR) compliance. Generally, website users who click on the video from your website have not consented to this tracker like they would if they directly visited YouTube.
YouTube launched a GDPR-compliant solution to solve this issue, however, you have to enable the privacy mode when copying the YouTube video. This allows users to use imbedded YouTube videos with no cookies.
Read this blog to learn about how to use embedded YouTube videos withut cookies (using YouTube nocookie attribute) and how to get Cookie Consent for embedded YouTube videos.
How Embedded YouTube Videos Work?
Embedded YouTube videos allow websites to incorporate video into their site without slowing down site speed. Essentially, you are using a small snippet of code on your website that displays the video to users. It pulls the video from its source, allowing users to see the video without needing to host it on your site.
The functionality relies on HTML <iframe> elements and YouTube's infrastructure. When you embed a YouTube video, you include an HTML <iframe> tag on your webpage.
Embedded YouTube videos work in the following way:
- The <iframe> tag sends a request to YouTube servers using the video.
- YouTube's server responds with an HTML/JavaScript-based video player that renders inside the iframe.
- The video streams from YouTube servers to the user’s browser.
What does GDPR Say about YouTube Cookies?
YouTube uses tracking cookies to personalize the viewing experience for users. Embedded YouTube cookies are called third-party cookies. These cookies allow YouTube to tailor the next videos that users might want to see, related to previous searches or videos watched.
The GDPR regulates how personal data can be collected or used by organizations. According to the GDPR, if cookies can be used to identify a person, they are considered personal data.
GDPR requires companies and websites to inform website users about the usage of cookies and get cookie consent to use cookies.
Website users who click on the YouTube videos from your website have not consented to the usage of cookies like they would if they directly visited YouTube. This practice violates the European Union’s GDPR, that requires to get cookie consent for tracking cookies and any other trackers that are used.
Your company may be collecting and storing personal data through third-party cookies without even knowing it. Scan your website for free and see what cookies, including Third-Party Cookies, your website uses:
How to Add YouTube Videos Without Cookies?
It is possible to use embedded YouTube videos on your site without a Cookie Consent banner. There are several methods to embed YouTube videos without YouTube cookies, the simplest one is by using YouTube's privacy-enhanced mode. See the methods below about how to add YouTube videos on your site with no YouTube cookies.
Use YouTube privacy-enhanced mode
YouTube offers a privacy-enhanced mode that prevents user tracking and doesn't store cookies until the user interacts with the video. It's quite a simple option. When you go to imbed the video from YouTube, you just need to click on “Enable privacy-enhanced mode”.
To enable privacy-enhanced mode when adding YouTube videos, perform the following steps:
- Go to the YouTube video you want to embed.
- Click the Share button below the video.
- Click Embed.
- Check the checkbox Enable privacy-enhanced mode.
- Copy the generated <iframe> code and paste it into your website.
When you check the box, the code automatically adds the “no cookie” code to the domain, removing YouTube cookies and making the embed video GDPR-compliant. Below is an example of what the code might look like before and after.
Before privacy mode is enabled (embedded YouTube video that would set cookies):
<iframe
width="1440"
height="762"
src="https://www.youtube.com/embed/iDhi-1SYBTM?si=Ay73ApO0UT_rYOJ9"
frameborder="0"
allow="autoplay; encrypted-media"
allowfullscreen>
</iframe>
After privacy mode is enabled (embedded YouTube video without cookies):
<iframe
width="1440"
height="762"
src="https://www.youtube-nocookie.com/embed/iDhi-1SYBTM?si=qDADGV5rriaYy8jL"
frameborder="0"
allow="autoplay; encrypted-media"
allowfullscreen>
</iframe>
The “www.youtube-nocookie.com” section has been added to the privacy mode version. This addition is what is supposed to prevent the videos watched from your website from influencing users’ browsing experience on YouTube.
Note, that you don’t have to re-do all the code on the videos currently embedded into your site. Instead, you can go to the database, run a query, and replace the code with all the “no cookie” embed code. Large websites such as Kahn Academy are using this technique to remove the trackers.
If you have European visitors and use embed video on your website, it is necessary to use YouTube's a privacy-enhanced mode with no cookies to maintain GDPR compliance.
Note that the nocookie “privacy-enhanced” setting on YouTube is misleading. The embedded YouTube video does not set cookies when a user does not interact with the video. However, there are other activities of the YouTube nocookie iframe video, that violate the GDPR.
Let’s look at what is happening as you use embedded YouTube videos without cookies:
- If you use the youtube-nocookie.com domain, no cookies are set on users’ browsers when the web page with the embedded YouTube video loads.
- However, YouTube employs Local Storage in users’ browsers to store a unique device identifier, independent of wheather a nocookie YouTube video is loaded or not. This is done without Cookie Consent, so it does not comply with the GDPR. GDPR regulates not only the usage of cookies but also other trackers capable of collecting users’ personal information.
- As soon as a user starts playing the nocookie YouTube video, a cookie from YouTube is set. This also violates the GDPR since consent was not given from the viewer. Only informed user consent is valid consent — continuing using the content does not mean that the user has granted consent to collect his data.
Thus, rather than disabling user tracking entirely, the privacy-enhanced mode just covers it up.
To avoid tracking users at all on iframe videos, not just don’t use cookies, consider the methods listed below for setting iframe videos.
Host the video yourself
If you don't want to ask for YouTube embed Cookie Consent, don't embed YouTube videos on your site at all. To avoid using YouTube entirely, perform the following steps:
- Download the YouTube video (make sure you have the rights to do so).
- Convert it into a web-friendly format (e.g., MP4).
- Use the <video> HTML tag to embed it on your site:
<video controls>
<source src="/your-video.mp4" type="video/mp4">
</video>
Use a third-party service
Some platforms specialize in embedding videos without tracking, when no Third-Party Cookies are set on your website.
Use YouTube alternatives like Vimeo, Dailymotion, Wistia, or Twitch with privacy settings. These services or other private hosting solutions allow you to configure settings to avoid cookies set on your website.
You’d still need Cookie Consent for these sites though, but for statistics rather than marketing.
Lazy load video with a placeholder
Lazy loading is a technique that delays the loading of images and videos until certain conditions are met. You can use just a static image (a thumbnail of the video) and only load the YouTube <iframe> when the user clicks on the placeholder. So the video will be loade only after the user interacts with the Cookie Banner and gives or rejects Cookie Consent.
Example implementation of a lazy load video:
<div class="video-wrapper">
<a href="https://www.youtube.com/watch?v=VIDEO_ID" target="_blank">
<img src="/thumbnail.jpg" alt="Video Thumbnail">
</a>
</div>
For a more advanced lazy load implementation, load the YouTube <iframe> dynamically using JavaScript on user interaction.
How CookieScript Can Help?
Websites typically run about 20 cookies. You may or may not be aware of all the cookies running on your site, as many could come from a third party. It becomes exceedingly difficult to follow privacy regulations or any cookie laws when you are unaware of what is there.
CookieScript’s cookie scanner tool will scan your website, and alert you to all cookies that are running. This includes any lingering YouTube cookies from previously embedded videos. As mentioned above, those cookies can be removed by running a database inquiry to make large-scale changes. Try it here:
The tool is even capable of detecting the often-missed Javascript cookies, Local Storage, and Session Storage. You can also remove or modify these cookies and other trackers to maintain necessary compliance.
Frequently asked questions
Can you use YouTube without cookies?
YouTube nocookie is an alternative way to embed videos without placing cookies on users' devices. YouTube's privacy-enhanced mode is designed to limit cookie tracking. However, as soon as users start playing the video, YouTube cookies are set on users’ devices. In addition, even if users do not interact with the iframe video, Local Storage is still set on users’ devices. Use CookieScript CMP to fully comply with the GDPR.
How do I embed a YouTube video without cookies?
When you embed a YouTube video, you can simply click on “Enable privacy-enhanced mode” which automatically provides the “no cookie” code to the domain, making it GDPR compliant. Use CookieScript CMP to comply with the GDPR and other privacy laws.
What is YouTube no cookie?
Because YouTube sets a tracking cookie into all embedded videos by default, you are enabling Third-Party Cookies to track user data on your site and potentially violate GDPR standards. If you enable YouTube's privacy-enhanced mode, you can set an embedded iframe video that does not use cookies to track users unless they start playing the video.
How do I block YouTube cookies?
Once you enable privacy mode on iframe YouTube videos, the code for the embedded video will change from “www.youtube.com” to “www.youtube-nocookie.com”. This prevents placing YouTube videos on users' devices, used for marketing, analytics and video recommendations.
How do I enable embedding on YouTube?
YouTube videos can be embedded into websites without slowing down site speed by using a small amount of code to display the video to users. Go to the YouTube video you want to embed, click the Share button below the video, and click Embed. You can also click Enable privacy-enhanced mode prevent YouTube from placing cookies on users' devices. CookieScript CMP can help you to create a cookie banner, collect cookie consent, and comply with privacy laws.
What are cookies on YouTube?
YouTube places Tracking Cookies into their videos to monitor viewer habits and personalize future viewing experiences for users. These may violate GDPR regulations. To comply with the GDPR, you need to get user consent to use cookies or use a YouTube privacy-enhanced mode to prevent YouTube from placing cookies on users' devices. CookieScript CMP can help you to create a cookie banner, collect cookie consent, and comply with privacy laws.
