Embedding YouTube videos without breaking GDPR rules

In order to add value to your blog post, sometimes you may want to embed a YouTube video, usually using YouTube’s default settings.

But there’s a problem many website owners may not be aware of …

The visitors of that blog post will get third-party non-essential cookies unless they previously set their browser to block cookies.

Here’s what I got in my browser after embedding such a video:

  • 1 advertising cookie stored by Google under the domain doubleclick.net (IDE)
  • 4 cookies from youtube.com (GPS, PREF, VISITOR_INFO1_LIVE, YSC)

What’s the problem with these cookies? EU visitors get YouTube cookies in their browser before having the chance to accept or refuse them, and actually they won’t get the chance to refuse them. The result: the blog owner breaks GDPR rules.

Now let’s see what you can do to solve (or not!) this issue …

Unsafe Solutions: Ignoring GDPR; Implicit Consent

For various reasons (lack of jurisdiction, GDPR being hard or even impossible to enforce, etc.), you may consider ignoring GDPR requirements.

But you’re not 100% on the safe side, are you?

Another option is to interpret the law as some bloggers, companies, and other organizations did:

There’s no need for visitors’ explicit consent and a notice similar to “By using this site, you agree to its use of cookies” – linked to a Privacy and Cookie Policy – is enough. Anyway, the visitors can change their browser settings to block cookies, so they are in total control.

You aren’t a lawyer, are you? Neither am I.

What if all those guys (who think that implicit consent is enough) are wrong, and the others (who think that explicit consent is required) are right?

(Update: If you don’t know what the difference between implicit consent and explicit consent is, please read this comment.)

You’re not safe. You cannot defend yourself by saying that many other people do what you do. That’s not an acceptable legal defense.

Bad Marketing Solutions: Banning EU IPs; Removing Videos

These days, when some lawmakers think that they are the masters of the Universe, I don’t know anymore whether something is still legal or not. But I guess that banning EU IPs is legal.

However, such an extreme solution is bad for your marketing. It’s obvious. You don’t need me to explain why it’s that bad, do you?

Let’s move on to the next solution …

I’ve seen some bloggers removing YouTube videos from their blogs or replacing these videos with simple links to the original YouTube videos.

Sending the visitors away from your site doesn’t look like the best solution though. Neither you nor your visitors gain anything from such outbound links.

The Best Solution: Not Using YouTube Default Settings

At the bottom of this blog post, there is a YouTube video.

Here’s how I stopped it from sending the five cookies mentioned above to your browser …

  • Case 1 – If the video is already embedded on your website, go to that blog post where the video is embedded and change the code that renders the video as follows: instead of src="https://www.youtube.com/embed/your video code?rel=0", use src="https://www.youtube-nocookie.com/embed/your video code?rel=0"

    Basically, you replace the domain name youtube.com with youtube-nocookie.com

  • Case 2 – If you’d like to embed a video now, right before copying the code from YouTube’s site go to “Embed Options” and check the box “Enable privacy-enhanced mode.” This setting changes the domain name in the default code in the same way as shown in the previous case.
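
On a blog with many existing posts, the Case 1 replacement can be applied to stored post HTML in bulk. The script below is an added example, not code from the original post: the function names, the `VIDEO_ID_n` placeholders and the sample post body are constructed for illustration. It parses each iframe's `src` and compares the hostname exactly, so links to watch pages, embeds already on youtube-nocookie.com and lookalike hosts are left untouched.

```javascript
// Hosts that serve the default embed player.
const DEFAULT_HOSTS = new Set(["youtube.com", "www.youtube.com"]);
const NOCOOKIE_HOST = "www.youtube-nocookie.com";

// src attribute of an <iframe> tag, single- or double-quoted.
const IFRAME_SRC = /(<iframe\b[^>]*?\ssrc\s*=\s*)(["'])(.*?)\2/gi;

// Return the privacy-enhanced URL for a default embed URL, or null when the
// value is not a YouTube /embed/ URL (watch links, other hosts, lookalikes).
function toNoCookie(src) {
  let url;
  try {
    // The base only resolves protocol-relative values such as //youtube.com/...
    url = new URL(src, "https://placeholder.invalid/");
  } catch {
    return null;
  }
  // Compare the parsed hostname exactly; a substring test would also match
  // hosts like www.youtube.com.example.invalid.
  if (!DEFAULT_HOSTS.has(url.hostname)) return null;
  if (!url.pathname.startsWith("/embed/")) return null;
  url.protocol = "https:";
  url.hostname = NOCOOKIE_HOST;
  return url.toString();
}

// Rewrite every matching iframe in a post body; report how many changed.
function rewriteEmbeds(html) {
  let changed = 0;
  const out = html.replace(IFRAME_SRC, (match, prefix, quote, src) => {
    const fixed = toNoCookie(src);
    if (fixed === null) return match;
    changed += 1;
    return prefix + quote + fixed + quote;
  });
  return { html: out, changed };
}

// Constructed sample post body; VIDEO_ID_n are placeholders.
const SAMPLE_POST = [
  '<iframe width="560" src="https://www.youtube.com/embed/VIDEO_ID_1?rel=0"></iframe>',
  "<iframe src='//youtube.com/embed/VIDEO_ID_2'></iframe>",
  '<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID_3?rel=0"></iframe>',
  '<iframe src="https://www.youtube.com.example.invalid/embed/VIDEO_ID_4"></iframe>',
  '<a href="https://www.youtube.com/watch?v=VIDEO_ID_5">watch link</a>',
].join("\n");

console.log(rewriteEmbeds(SAMPLE_POST));
```

The `changed` count gives a per-post audit figure: a second run over the rewritten output should report 0.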

Conclusion

When it comes to embedding YouTube videos on your website, it doesn’t pay to ignore GDPR, argue about explicit or implicit consent, ban certain visitors, or remove the videos from your site.

Simply use the safe solution posted under the previous sub-headline and everyone will be happy.

To Your Blogging Success!
Adrian Jock

P.S. A note addressed to any doubting voice: what’s easier and cheaper? Changing settings or hiring a lawyer in order to defend yourself and prove that your interpretation of EU laws (“My Privacy Policy covers everything, explicit consent isn’t required, I don’t have to give my visitors any kind of control because they can block cookies before visiting my site,” etc) is right?


11 thoughts on “How to Embed YouTube Videos Without Breaking GDPR Rules”

    1. The article already responds to that question: the problem is that the visitors get YouTube cookies (= third-party non-essential cookies) in their browser before having the chance to accept or refuse them, and actually they won’t get the chance to refuse them.

      That’s an implicit consent. Kind of “Our privacy policy assumes that by visiting this site you already agreed with the policy – even if you didn’t have the chance to read it yet – and therefore the cookies were already sent to your browser without you being aware, and without you having the chance to refuse them.”

      The explicit consent is like this: the visitors land on the site and no non-essential cookies are sent to their browsers. The visitors are prompted to accept or decline the cookies. The cookies that are non-essential will be sent to the browsers only if the visitors accept them.

        1. Playing the video from this page won’t send any YouTube cookie to your browser. Here’s how to check it:

          1) Open your Chrome.
          2) Go to Content Settings >> Cookies >> See all cookies and site data. Now click “Remove all” in order to delete all cookies. Don’t close this tab.
          3) Open a new tab and make sure that the tab is empty (otherwise the content from that tab may send cookies). If the new tab isn’t empty, refresh the first tab and then delete the cookies again.
          4) On that new tab from 3 above, load this page, but don’t play the video.
          5) In order to check the cookies sent by this page, refresh the initial tab where you have “See all cookies and site data”. You’ll see two cookies, one from statcounter.com, another one from adrianjock.com
          6) Play the video from this page.
          7) Refresh the first tab where you have “See all cookies and site data” in order to see whether the action of playing the video added new cookies or not. You won’t see any cookie sent by YouTube.

    1. Thank you for your comment, Martin.

      First of all, it doesn’t matter when a certain blog post was published (before or after May 25, 2018). On this very day, the bloggers and their blogs (not part of their blogs!) have to comply with the laws that are in force today.

      If EU citizens visit a blog post today, irrespective of whether that post is old or new, today the blogger has to respect visitors’ rights that are in force today.

      I don’t think that you can relate to the legal concept of no-retroactivity.

      You are asked by the law to protect visitors’ rights that are in force today, and you can do it by modifying the old blog posts.

      The question is whether explicit consent is required or not for non-essential cookies. I think explicit consent is required, but I’m not a lawyer and I cannot provide any professional legal advice.

      If I’m right, then the answer to your question is this: in order to comply with the law, yes, you have to take action irrespective of the number of videos. Their number and the amount of work needed for fixing the things are irrelevant from a legal perspective.

      Conclusions:

      1) If the number of videos isn’t significant, then changing the settings is the safest and cheapest option.

      2) If the number of videos is significant, then … You change the settings, or you ask a lawyer and then change the settings (!) or not, based on lawyer’s advice.

      1. Adrian: Thanks for your response. I have talked with my webmaker for my new and future sites. For my old blogs, I will go through the posts the videos and change the settings over a period of time.
        Martin Lindeskog recently posted: High Tech Tea

  1. While the method discussed here is an improvement over doing nothing, I doubt it’s enough. I mean, do Google log the visit and store IP addresses for God knows how long? You have to ensure that Google don’t log, store data, use that data for anything else, etc.

    1. Hi Daniel,

      Thank you for your comment! Are you sure that Google/YouTube stores the IP and other information when privacy-enhanced mode is enabled? I don’t think these data are stored, but assuming that they are…

      I doubt that EU visitors’ privacy is affected in any way when Google or someone else collects the type of browser or the operating system they use. These pieces of information aren’t personally identifiable information.

      The only discussion point may be the IP.

      The Court of Justice of the EU has held (Case 582/14 – Patrick Breyer vs Germany) that IP addresses are personal data only in certain circumstances, i.e. when the web site operator (or Google in our particular case) has a legal means of obtaining access to the information held by the ISP in order to identify the individual.

      While I think that the IP is personal data only in the hands of visitors’ ISP, I’m not a lawyer and I don’t know whether my assessment is correct or not, or whether CJ’s decision mentioned above is applicable to any other cases.
