Embedding YouTube videos without breaking GDPR rules

How to Embed YouTube Videos Without Breaking GDPR Rules

Embedding YouTube videos without breaking GDPR rules

In order to add value to your blog post, sometimes you may want to embed a YouTube video. Usually using YouTube’s default settings.

But there’s a problem many website owners may not be aware of …

The visitors of that blog post will get third-party non-essential cookies unless they previously set their browser to block cookies.

Here’s what I got in my browser after embedding such a video:

  • 1 advertising cookie stored by Google under the domain doubleclick.net (IDE)
  • 4 cookies from youtube.com (GPS, PREF, VISITOR_INFO1_LIVE, YSC)
What’s the problem with these cookies? EU visitors get YouTube cookies in their browser before having the chance to accept or refuse them, and actually they won’t get the chance to refuse them. The result: the blog owner breaks GDPR rules.

Now let’s see what you can do to solve (or not!) this issue …

Unsafe Solutions: Ignoring GDPR; Implicit Consent

For various reasons, you may consider ignoring GDPR requirements.

Lack of jurisdiction, hard or even impossible to enforce GDPR, etc.

But you’re not 100% on the safe side, are you?

Another option is to interpret the law as some bloggers, companies, and other organizations did:

There’s no need for visitors’ explicit consent and a notice similar to “By using this site, you agree to its use of cookies” – linked to a Privacy and Cookie Policy – is enough. Anyway, the visitors can change their browser settings to block cookies, so they are in total control.

You aren’t a lawyer, are you? Neither am I.

What if all those guys (who think that implicit consent is enough) are wrong, and the others (who think that explicit consent is required) are right?

(Update: If you don’t know what the difference between implicit consent and explicit consent is, please read this comment.)

You’re not safe. You cannot defend yourself by saying that many other people do what you do. That’s not an acceptable legal defense.

Bad Marketing Solutions: Banning EU IPs; Removing Videos

These days when some law makers think that they are the masters of the Universe, I don’t know anymore whether something is still legal or not. But I guess that banning EU IPs is legal.

However, such an extreme solution is bad for your marketing. It’s obvious. You don’t need me to explain why it’s that bad, do you?

Let’s move on to the next solution …

I’ve seen some bloggers removing YouTube videos from their blogs or replacing these videos with simple links to the original YouTube videos.

Sending the visitors away from your site doesn’t look like the best solution though. Both you and your visitors don’t gain anything from such outbound links.

The Best Solution: Not Using YouTube Default Settings

At the bottom of this blog post, there is a YouTube video.

Here’s how I stopped it from sending to your browser the five cookies mentioned above …

  • Case 1 – If the video is already embedded on your website, go to that blog post where the video is embedded and change the code that renders the video as follows: instead of src="https://www.youtube.com/embed/your video code?rel=0", use src="https://www.youtube-nocookie.com/embed/your video code?rel=0"

    Basically you replace the domain name youtube.com by youtube-nocookie.com

  • Case 2 – If you’d like to embed now a video, right before copying the code from YouTube’s site go to “Embed Options” and check the box “Enable privacy-enhanced mode.” This setting changes the domain name from the default code the same as shown in the previous case.


When it comes to embedding YouTube videos on your website, it doesn’t pay to ignore GDPR, argue about explicit or implicit consent, ban certain visitors, or remove the videos from your site.

Simply use the safe solution posted under the previous sub-headline and everyone will be happy.

To Your Blogging Success!
Adrian Jock

P.S. A note addressed to any doubting voice: what’s easier and cheaper? Changing settings or hiring a lawyer in order to defend yourself and prove that your interpretation of EU laws (“My Privacy Policy covers everything, explicit consent isn’t required, I don’t have to give my visitors any kind of control because they can block cookies before visiting my site,” etc) is right?

Time & Action-Based Autoresponders. Landing Pages. Webinars
GetResponse is head and shoulders above the rest. I call it my email marketing secret weapon!” – Neil Patel, Kissmetrics
Start your GetResponse free trial now!
Adrian Jock's
Internet Marketing
Tips & News
Wanna improve your internet marketing skills in order to make more money online? Subscribe to my newsletter. Period!
Bonus: my list of free tools and resources that I use in order to run this blog and all related activities ;)

19 thoughts on “How to Embed YouTube Videos Without Breaking GDPR Rules

  1. Ok, you have a point. But wouldn’t having an agreement to accept cookies on your sites already cover anything else that is on your sites?

    1. The article already responds to that question: the problem is that the visitors get YouTube cookies (= third-party non-essential cookies) in their browser before having the chance to accept or refuse them, and actually they won’t get the chance to refuse them.

      That’s an implicit consent. Kind of “Our privacy policy assumes that by visiting this site you already agreed with the policy – even if you didn’t have the chance to read it yet – and therefore the cookies were already sent to your browser without you being aware, and without you having the chance to refuse them.”

      The explicit consent is like this: the visitors land on the site and no non-essential cookies are sent to their browsers. The visitors are prompted to accept or decline the cookies. The cookies that are non-essential will be sent to the browsers only if the visitors accept them.

      1. The wording on the checkbox on YouTube says, “When you turn on privacy-enhanced mode, YouTube won’t store information about visitors on your website unless they play the video”.

        So if they choose to play the video, do they get some other prompt to accept cookies from YouTube BEFORE the video will play?

        1. Playing the video from this page won’t send any YouTube cookie to your browser. Here’s how to check it:

          1) Open your Chrome.
          2) Go to Content Settings >> Cookies >> See all cookies and site data. Now click “Remove all” in order to delete all cookies. Don’t close this tab.
          3) Open a new tab and make sure that the tab is empty (otherwise the content from that tab may send cookies). If the new tab isn’t empty, refresh the first tab and then delete the cookies again.
          4) On that new tab from 3 above, load this page, but don’t play the video.
          5) In order to check the cookies sent by this page, refresh the initial tab where you have “See all cookies and site data”. You’ll see two cookies, one from statcounter.com, another one from adrianjock.com
          6) Play the video from this page.
          7) Refresh the first tab where you have “See all cookies and site data” in order to see whether the action of playing the video added new cookies or not. You won’t see any cookie sent by YouTube.

  2. Adrian: Do you have to manually change the settings on embedded videos, for blog posts before May 25? What if you have hundreds of videos on a blog that been have around for 10+ years?

    1. Thank you for your comment, Martin.

      First of all, it doesn’t matter when a certain blog post was published (before or after May 25, 2018). On this very day, the bloggers and their blogs (not part of their blogs!) have to comply with the laws that are in force today.

      If EU citizens visit today a blog post, irrespective whether that post is old or new, today the blogger has to respect visitors’ rights that are in force today.

      I don’t think that you can relate to the legal concept of no-retroactivity.

      You are asked by the law to protect visitors’ rights that are in force today, and you can do it by modifying the old blog posts.

      The question is whether explicit consent is required or not for non-essential cookies. I think explicit consent is required, but I’m not a lawyer and I cannot provide any professional legal advice.

      If I’m right, then the answer to your question is this: in order to comply with the law, yes, you have to take action irrespective of the number of videos. Their number and the amount of work needed for fixing the things are irrelevant from a legal perspective.


      1) If the number of videos isn’t significant, then changing the settings is the safest and cheapest option.

      2) If the number of videos is significant, then … You change the settings, or you ask a lawyer and then change the settings (!) or not, based on lawyer’s advice.

      1. Adrian: Thanks for your response. I have talked with my webmaker for my new and future sites. For my old blogs, I will go through the posts the videos and change the settings over a period of time.

  3. While the method discussed here is an improvement over doing nothing, I doubt it’s enough. I mean, do Google log the visit and store IP addresses for God knows how long? You have to ensure that Google don’t log, store data, use that data for anything else, etc.

    1. Hi Daniel,

      Thank you for your comment! Are you sure that Google/YouTube stores the IP and other information when privacy-enhanced mode is enabled? I don’t think these data are stored, but assuming that they are…

      I doubt that EU visitors’ privacy is affected in any way when Google or someone else collects the type of browser or the operating system they use. These pieces of information aren’t personally identifiable information.

      The only discussion point may be the IP.

      The Court of Justice of the EU has held (Case 582/14 – Patrick Breyer vs Germany) that IP addresses are personal data only in certain circumstances, i.e. when the web site operator (or Google in our particular case) has a legal means of obtaining access to the information held by the ISP in order to identify the individual.

      While I think that the IP is personal data only in the hands of visitors’ ISP, I’m not a lawyer and I don’t know whether my assessment is correct or not, or whether CJ’s decision mentioned above is applicable to any other cases.

  4. This explanation is brilliant in its simplicity. Love it. Thanks so much for sharing. You tell us the simple fix for links that are already embedded in our blog posts. And you give us the proper way to embed the links into our newer blog posts in the future. And you give a good explanation as to why we should do that. The solution is so simple, that it’s so much easier to be “safe than sorry”.

    Thanks again,
    Jupiter Jim

  5. I read your whole article and I understand the concept of GDPR very well but I have a doubt. I am running a YouTube channel and it has several videos but I didn’t place any ads on my videos. So, is it necessary for me to make changes in my YouTube channel according to GDPR?

    1. Hi Rajkumar,

      1) This article is about embedding YouTube videos on your blog (or any other type of website). It’s not about your YouTube channel.

      2) When it comes to your YouTube channel or any YouTube channel, such a channel is part of YouTube’s site and that site isn’t yours. In case YouTube’s site doesn’t comply with GDPR, the owner of the site (that’s not you!) has to make the necessary changes.

  6. Hey Adrian, I’m putting my foot in the sand on this one; not you, but this stupid GDPR nonsense. I’ve decided that I’m not doing any of it except maybe updating my privacy notification. I’m not doing it because I’m American, I don’t have almost any European traffic (if England doesn’t count I have none at all), I don’t have an email list, I’m not marketing anything to Europeans, and frankly, if someone decides to comment it’s on them to know what they’re doing. I don’t ask anyone to leave a single comment, so if they do they need to understand the “implied consent” you mentioned above.

    All that and let’s face it, there’s nothing the European Union can do to me. They can try to sue but they won’t get anything. If they find a way to take my domain then they can have it. If personal responsibility can’t be taken by consenting adults, then I don’t have time for any of them. Phooey; I’m not playing their game anymore.

    1. Hi Mitch. Thank you for sharing your view on GDPR. There are two recent law trends that I find very questionable:

      – issuing laws that apply in the online world to persons you have no offline jurisdiction; btw, it’s not the EU the one who started it! ;)

      – issuing over-protecting laws that force honest people to spend their resources and money in order to offset the lack of knowledge or sometimes the stupidity of other people. Kind of “Some people are stupid or lazy, you’re not. You have to pay for the privilege of not being stupid and lazy.”

      1. Almost everything I’ve read has led me to believe this was an EU thing; even above you reference EU users, so it seems they’re the ones responsible for this travesty. If it’s not them then who are the weasels I can blame for it? lol

        1. EU laws protect EU citizens (whether EU citizens needed or asked for such a protection or not), US bills protect US citizens (whether US citizens needed or asked for such a protection or not). So you can blame EU users for GDPR to the same extent as I can blame you for any US bill that I don’t like :)

Comments are closed.