Many companies, media outlets and bloggers enjoy sharing YouTube videos on their sites. The problem is that YouTube sets a tracking cookie (for marketing purposes) by default. This poses all kinds of problems when it comes to GDPR – because generally people have not consented to this tracker when they visit a website that is not YouTube itself. But there is also a YouTube setting that seemingly allows you to avoid this cookie.
Let’s say I want to share this video with Shoshana Zuboff talking about surveillance capitalism on Channel 4.
When I click “Share” and then “Embed”, YouTube provides me with an embed code. It’s easy enough to copy this code and be done with it. What many still have not discovered is that if you scroll down, there is an option to “Enable privacy-enhanced mode”. This changes the embed code, and that’s the code you should be using, at least in theory. Note: this will send a message of your intent, but it won’t stop people from being tracked.
Here’s a video of how this is done on the YouTube website:
If you’re alert, you may notice that the only thing that actually changed is the embed URL. That URL changed from
It turns out that YouTube’s official domain for embedding videos that do not immediately set an HTTP cookie is youtube-nocookie.com. What this means is that if you are not using YouTube’s own embed code for YouTube videos, you can simply swap the domain in your embed URLs from youtube.com to youtube-nocookie.com.
Here’s how YouTube describes Privacy-Enhanced Mode:
Privacy-enhanced mode allows you to embed YouTube videos without using cookies that track viewing behaviour. This means that no activity is collected to personalise the viewing experience. Instead, video recommendations are contextual and related to the current video. Videos playing in privacy-enhanced mode won’t influence the viewer’s browsing experience on YouTube.
Here is where it gets tricky, because this talks about the “viewing experience” and says nothing about using the information to build on the user profile – the data about you that Google uses to deliver personalised ads, which sits at the core of Google’s business model. Embedding YouTube videos and staying within the law is a more difficult endeavour than you might imagine.
How YouTube is disregarding your intent (and GDPR)
I was alerted on Twitter by Joey Kant about how gravely misleading the nocookie “privacy-enhanced” setting is on YouTube. As it turns out, this is what happens as you try to embed YouTube videos without cookies:
- If you use the youtube-nocookie.com domain, there is no cookie set when the page with the YouTube embed loads.
- Instead, YouTube uses something called Local Storage in your browser to store a unique device identifier. Note that this is done without anyone’s consent, so GDPR is already violated at this step. GDPR is not only about cookies.
- As soon as a user presses Play on the video, a cookie from YouTube is set, whether or not the viewer has given consent. That is the second GDPR violation in the same embed.
This is how a report from CookieBot describes what is going on:
“Privacy-Enhanced Mode” currently stores an identifier named “yt-remote-device-id” in the web browser’s “Local Storage”. This allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims. Rather than disabling tracking, “privacy-enhanced mode” seems to cover it up.
So in giving the appearance of caring for user privacy, the act of using “Privacy-enhanced mode” is actually exacerbating the tracking problem.
This is how W3Schools describes Local Storage:
The localStorage and sessionStorage properties allow you to save key/value pairs in a web browser.
The localStorage object stores data with no expiration date. The data will not be deleted when the browser is closed, and will be available the next day, week, or year.
Here is the screendump from Local Storage that Joey Kant shared. Note how it is tied to the “youtube-nocookie.com” domain.
And if you want more to worry about, Samy Kamkar – once famous for the 2005 MySpace worm – has created a demo called Evercookie which shows how at least 10 storage spaces on a computer (including Local Storage) can be used to store information on a user even when they have cookies turned off. A variant of respawning can also apply here: a way to restore HTTP cookies by reading Flash cookies, ETags or HTML5 Local Storage. This Carnegie Mellon study from 2010 looks at this behaviour, if you want to go deeper (Flash used to be the go-to technology for persistent tracking).
How can I embed YouTube videos legally?
First, think about whether you need to embed YouTube videos at all, or whether a picture of the video linking to YouTube works just as well. To be fair, this doesn’t really protect users or make them more informed; it just shifts the problem away from being yours to manage.
For a video embed to go down properly, this is what would have to happen:
- The page with the video loads, but the embed is blocked from the start (for the tech-savvy: it cannot be part of the DOM on page load).
- In place of where the video should appear, you need a message that explains to the visitor what happens should they want to play the video.
- When the user clicks, the consent is logged and the video embed is loaded (for the first time).
Formally, you would only have to ask this once and have it apply to all YouTube embeds on your website. I would prefer to ask every time, to make users more conscious of the practice, but I would certainly not assume that consent for YouTube marketing cookies lasts more than a few weeks on a website. Ask again.
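One way to build the click-to-consent flow from the three steps above, combined with the youtube.com to youtube-nocookie.com domain rewrite described earlier in the post, as an added example that is not the author’s code. The key name, the 28-day expiry and all function names are assumptions; the iframe is only built after the click, so neither the cookie nor the Local Storage identifier can be written at page load.

```javascript
// Added example (not the post's code). Assumed names: CONSENT_KEY, CONSENT_DAYS,
// toNoCookie, buildEmbed, recordConsent, hasValidConsent, gateEmbed.
const CONSENT_KEY = "yt-embed-consent"; // first-party key in the site's own storage
const CONSENT_DAYS = 28;                // re-ask after a few weeks, as the post suggests

// Rewrite a youtube.com embed URL to the privacy-enhanced domain; other hosts pass through.
function toNoCookie(src) {
  const url = new URL(src);
  if (url.hostname === "www.youtube.com" || url.hostname === "youtube.com") {
    url.hostname = "www.youtube-nocookie.com";
  }
  return url.toString();
}

// Build the iframe markup on demand, never at page load. The id is validated
// before interpolation so a crafted value cannot break out of the attribute.
function buildEmbed(videoId) {
  if (!/^[A-Za-z0-9_-]{11}$/.test(videoId)) throw new Error("invalid YouTube video id");
  const src = toNoCookie(`https://www.youtube.com/embed/${videoId}`);
  return `<iframe src="${src}" width="560" height="315" allowfullscreen></iframe>`;
}

// Store consent with an expiry and return the record for the caller to check.
function recordConsent(store, now = Date.now()) {
  const record = { givenAt: now, expiresAt: now + CONSENT_DAYS * 86400000 };
  store.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

function hasValidConsent(store, now = Date.now()) {
  const raw = store.getItem(CONSENT_KEY);
  if (!raw) return false;
  try { return JSON.parse(raw).expiresAt > now; } catch { return false; }
}

// Wire a placeholder element: show the notice first, load the iframe only after
// the click. `store` is window.localStorage in a browser.
function gateEmbed(placeholder, videoId, store) {
  const show = () => { placeholder.innerHTML = buildEmbed(videoId); };
  if (hasValidConsent(store)) return show();
  placeholder.innerHTML = "<p>Playing this video loads content from YouTube, which " +
    "stores an identifier in your browser and sets a cookie once you press play.</p>" +
    '<button type="button">Load video</button>';
  placeholder.querySelector("button").addEventListener("click", () => {
    recordConsent(store);
    show();
  });
}
```

In a page you would call `gateEmbed(document.getElementById("video"), "<video id>", window.localStorage)`; the consent record is kept in your own origin’s storage, separate from anything YouTube writes under its domain.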
Here’s an example on an EU site, the European Data Protection Supervisor, where you can see how this would work. I’ve initiated the process of implementing it on all my sites as well. Here’s an image of that consent window, which is blocking a YouTube video:
To make this type of consent happen, you may have some people on your staff with the competence to build it, or you can use a third-party service such as CookieBot to implement and manage consent on a site-wide basis. It’s a compulsory investment either way if you can’t avoid YouTube embeds.
My call to action
- Sit down with your team and discuss how you’re going to manage YouTube embeds, both going forward and for all the embeds you already have. Bring in content management system providers and tech advisors as needed. It’s almost certain that you are breaking the law today by not asking for consent for YouTube’s trackers.
- Make some noise. That YouTube is in violation of GDPR while still making it immensely difficult for website owners to comply with GDPR themselves is something to be questioned and investigated.
Thank you for caring about privacy on behalf of your visitors. ❤️
Also, if you want to watch that video with Shoshana Zuboff, it’s right here. It uses the youtube-nocookie domain, but if you press play, YouTube will still set a marketing cookie. I am now blocking the content using the Borlabs Cookie plugin for WordPress. This means that this block, requiring consent, is applied across all of my websites in an instant.