How to embed YouTube in a GDPR compliant way

Created 12 June 2023

If you embed YouTube videos on your own website, personal data of the user is automatically passed on to YouTube and its parent company Google as soon as the user reaches your website. The extent to which this happens depends on whether the integration was carried out in the so-called "privacy enhanced mode" or not. In neither case, however, is the integration compliant with the GDPR. In this article, we explain what the data protection problem with Youtube is all about and how you can still embed videos on a website in a data protection-compliant manner.

Embed Youtube videos into web pages

Youtube offers an easy-to-use dialog for embedding videos. You just have to click on "Share" below the video on the Youtube website to be able to copy the so-called "embed code".

As you can see in the screenshot below, there is a checkbox "Enable privacy-enhanced mode" here. It is unchecked by default, so normally the privacy-enhanced mode is not active. Whether activating it has any advantages is described further down in the article.

Now the embed code must be inserted into the HTML of the page. When the web page is loaded in the browser, the embed code triggers the loading of a JavaScript library that is executed in the browser and, in addition to displaying the video, triggers a whole series of other network calls to YouTube and Google servers.


Which external services are loaded by Youtube?

These calls go not only to YouTube's own domain (www.youtube.com); the domains doubleclick.net and fonts.gstatic.com are always among them as well, which means that the YouTube embed code also loads the external services DoubleClick and Google Fonts. If you monitor the browser's loading behavior with the Chrome Developer Tools (see below for instructions on how to do that), you can see these calls and their domains:

Google "DoubleClick" is used to analyze user behavior and is part of the Google Marketing Platform (GMP) established in 2018. "DoubleClick" enables Google to serve personalized advertisements to users by collecting personal data and said user behavior.

When and how exactly personal data is processed by DoubleClick is difficult to determine; Google's information on this is rather opaque. However, the consensus is that DoubleClick creates user profiles and transfers data to the USA, which is not permitted without safeguards according to the European Court of Justice, as the so-called "Privacy Shield" (a guarantee measure intended to ensure that data of EU citizens is also processed securely in the USA) was overturned in the "Schrems II" ruling.

Google Fonts is used by YouTube to display text elements in the user interface. Although Google Fonts is not known to be used for creating user profiles, its use is nevertheless problematic (at least in Germany): the Munich Regional Court has prohibited its use without consent, because Google Fonts transfers data to the USA. In this case, it is only the IP address of the user's computer or smartphone that is transmitted with each network call. But even this information is, in the opinion of the European Court of Justice, personal data and thus worthy of protection.

What cookies does YouTube set when embedding videos?

When the video loads, several cookies are set, originating from the youtube.com and google.com domains. The following screenshot was created for the same video and shows the cookies set:

According to Google's technical notes, these cookies serve purposes such as personalized display and cybersecurity.

What should be considered when embedding Youtube in terms of data protection?

If a Youtube video is embedded in a page as described here, problematic services are loaded when the page is opened (DoubleClick and Google Fonts), which transfer data to the USA. This is only allowed with consent. In addition, cookies are set that are clearly not technically necessary for the operation of the website. This is also only possible with consent in most European countries. This type of integration is therefore not data protection compliant!

Embedding videos with the Youtube Nocookie Code

To enable privacy-enhanced mode, simply check the "Enable privacy-enhanced mode" box in the embed code dialog. The embed code is then changed automatically: it no longer contains the domain www.youtube.com but www.youtube-nocookie.com.

Google itself writes about the extended privacy mode:

This means that the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize the YouTube browsing experience, either within your Privacy Enhanced Mode embedded player or in the viewer’s subsequent YouTube viewing experience.

Whether this also means that profiling is waived, however, remains unclear.

When a video embedded in this way is opened, no network calls are in fact made to www.youtube.com or doubleclick.net any more.

We also could not determine that cookies are still set in this mode. However, this does not entirely match reports that can be found on the web. In any case, it cannot be ruled out that cookies are occasionally set in this mode as well.

In addition, YouTube also writes data to the browser's so-called "local storage" (also called web storage) in this mode. These are not cookies, but in some European countries (e.g. Germany) this technology is treated as equivalent to cookies and therefore requires consent.

Furthermore, when the video is played, a large number of network calls are made, which may contain information about user behavior.

As soon as one is logged into Youtube with a Google account in another browser tab, the privacy enhanced mode no longer works either. Now, when playing, network calls are transmitted to Google, which contain cookies, and thus presumably fill the user profile:

And in addition to this rather half-baked implementation of the extended privacy mode, there is an additional problem: Even in the nocookie variant, the video uses the Google Fonts service. Consent is required for this as well.

In summary, it must be stated that the privacy enhanced mode is preferable to the normal mode - but even with this, the embedding is not privacy-compliant!

How to embed YouTube videos on the website in a privacy-compliant way?

A privacy-compliant embedding of Youtube is done by generating the embed code of the video in privacy-enhanced mode as described above, and by using an additional tool to ensure that the video is only loaded after consent by the user.

There are quite a few tools that can be used to obtain consent. In the following, we present three WordPress plugins with which this is possible.

WP YouTube Lyte

The WordPress plugin "WP YouTube Lyte" allows you to manage and embed YouTube videos in a comfortable way. In addition, it offers the option to cache the preview image of the video on the local server; in this case, a connection to the YouTube server is only established when the user clicks on the image. In this way, you can obtain consent for loading.

Advantage: Since "YouTube Lyte" no longer pulls external data from YouTube, saving thumbnails greatly improves website loading time.

Disadvantage: Caching thumbnails on your own server or website could possibly lead to copyright issues, as you are not the owner of the image. Therefore, we recommend using this plugin or feature only for your own YouTube videos.

Borlabs Cookie

"Borlabs Cookie" is also a WordPress plugin. However, unlike "WP YouTube Lyte", "Borlabs Cookie" is a full-fledged consent tool and is subject to a fee. This WordPress plugin gives you the option to include YouTube videos and the associated cookies on your website by means of an opt-in procedure. The cookies may only be set after the user has agreed to them.

With "Borlabs Cookie" you can customize your cookie banner on your website and give users the chance to agree to only isolated cookies or to reject them as well.

Advantages: "Borlabs Cookie" is compatible with any WordPress theme and other WordPress plugins. Not only YouTube, but also Vimeo videos, social media posts or Google Maps ads are blocked with this plugin until the user actively clicks on load video/post/ad. Moreover, it is 100% GDPR compliant.

Disadvantage: "Borlabs Cookie" can only be used with WordPress websites.

Real Cookie Banner

Another suitable solution for integrating YouTube videos on your own website in accordance with the GDPR is "Real Cookie Banner". This WordPress plugin gives your visitors the option to agree to the sharing of personal data with YouTube, social networks or Google, or to prevent it.

Users can use the cookie banner to determine which content is blocked and which they want to see. When arriving at your website, thanks to "Real Cookie Banner", visitors will be shown a detailed cookie banner that lists cookies and the reasons why personal data is collected.

If users decide against viewing external media via the cookie banner, a so-called content blocker (a text notice) is displayed instead of the YouTube video. This content blocker explains that the user has declined to view the video. It also explains that users agree to the privacy policy as soon as they click on the video and thus allow the content.

Pros: Users can object to the agreed cookies at any time; each individual cookie consent is recorded in the WordPress database; individual design customization of the cookie banner is possible; also compatible with Vimeo videos, Google Maps and other social networks.

Cons: Just like "Borlabs Cookie", the "Real Cookie Banner" can only be used with WordPress websites.

YouTube Link

The most data-saving variant is to simply insert a YouTube link, for which you also don't need to install any additional software or plugins. This can even be made to look reasonably good: upload the thumbnail to your own server, embed it as a simple image on the page, and link it to YouTube.

Advantage: Putting a YouTube link on your website is privacy compliant, since there is no content from YouTube on your website, and it takes almost no effort. This is also the only variant that does not require a note in the privacy policy. Thus, it is also the only completely privacy-compliant variant, because, as will be shown below, completely legally compliant information in the privacy policy is difficult to achieve.

Disadvantage: When users click (or tap) the link, they leave your website with this method and you don't know if they will come back.
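Here is an added example (not the article's own code, nor that of any plugin named above) of the consent-gated approach described in this section: a locally hosted thumbnail linked to the video (the "YouTube Link" variant) that, on click, is replaced by the player in privacy-enhanced mode. The markup, the CSS class name and the /media/ thumbnail path are assumptions.

```javascript
// Added example: click-to-load YouTube embed. Before consent only a locally hosted
// thumbnail is shown, so no request goes to YouTube, DoubleClick or Google Fonts;
// the iframe is created only after the click, with the www.youtube-nocookie.com host.
// Assumed markup (one per video):
//   <div class="yt-consent" data-video-id="..." data-thumbnail="/media/....jpg"></div>

const YT_ID_RE = /^[A-Za-z0-9_-]{11}$/;          // shape of a YouTube video id
const LOCAL_PATH_RE = /^\/[A-Za-z0-9_./-]+$/;     // same-origin path only

// Privacy-enhanced embed URL. The id is validated so that untrusted data
// (e.g. a CMS field) cannot turn the iframe src into an arbitrary URL.
function nocookieEmbedUrl(videoId) {
  if (!YT_ID_RE.test(videoId)) throw new Error('invalid YouTube video id');
  return `https://www.youtube-nocookie.com/embed/${videoId}`;
}

// Placeholder: local thumbnail wrapped in a plain link to the video, so the
// content still works without JavaScript (the "YouTube Link" variant).
function placeholderHtml(videoId, thumbnailPath) {
  if (!YT_ID_RE.test(videoId)) throw new Error('invalid YouTube video id');
  if (!LOCAL_PATH_RE.test(thumbnailPath)) throw new Error('thumbnail must be a local path');
  return `<a href="https://www.youtube.com/watch?v=${videoId}" rel="noopener noreferrer">` +
    `<img src="${thumbnailPath}" alt="Video preview: click to load it from YouTube"></a>`;
}

// Replace the placeholder with the real player; called only after the click.
function loadPlayer(container, videoId) {
  const iframe = document.createElement('iframe');
  iframe.src = nocookieEmbedUrl(videoId);
  iframe.width = '560';
  iframe.height = '315';
  iframe.setAttribute('allowfullscreen', '');
  container.replaceChildren(iframe);
}

// Wire up every gated video on the page; call once after DOMContentLoaded.
function initConsentGates(root = document) {
  root.querySelectorAll('.yt-consent[data-video-id]').forEach((el) => {
    const videoId = el.dataset.videoId;
    el.innerHTML = placeholderHtml(videoId, el.dataset.thumbnail);
    el.addEventListener('click', (ev) => {
      ev.preventDefault();   // the click is the consent: load the player instead of leaving
      loadPlayer(el, videoId);
    }, { once: true });
  });
}
```

Note that the placeholder itself never references youtube-nocookie.com or youtube.com as a resource, only as a link target, so nothing is fetched from Google until the user clicks.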

How to run a website check to verify if Youtube is embedded GDPR compliant?

There is a simple and free way to reliably test the privacy-compliant use of Youtube: every web browser has built-in "developer tools" that enable this test. We show you here in a step-by-step guide how to use the developer tools of the Chrome browser.

  1. Close all browser windows and tabs, and leave only the page with the embedded YouTube video open.
  2. Clear the entire browser history, i.e. all cookies and website data.
  3. Reload the page with the YouTube video. You should see the consent banner (as shown in the screenshot below).
  4. Right-click into the content and select "Inspect".
  5. The developer tools will open. Click the "Network" tab. The checkbox "Disable Cache" should be selected and the checkbox "Third-party requests" should not be selected (as shown in the screenshot below). Reload the page; you can now observe the network calls as they come in.
  6. No calls to domains such as youtube.com, youtube-nocookie.com, doubleclick.net or google.com should appear in the table; if they do, the consent banner is not configured correctly.
  7. Click the "Application" tab in the developer tools; it opens the view of stored data such as cookies. Make sure there is no section for the youtube.com or youtube-nocookie.com domain in the left navigation under "Cookies".
  8. If all of this holds, the video is indeed only loaded after consent. Now switch back to the "Network" tab and select the "Third-party requests" checkbox (then only the interesting calls to external domains are displayed). Then click the button to grant consent. Calls to the domains of YouTube or Google will now probably become visible.
  9. Make sure that only the domain youtube-nocookie.com appears here and not youtube.com. No calls to the doubleclick.net domain may be visible either.

If all these checks were successful, then you are using Youtube in privacy-enhanced mode and have configured consent correctly!
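The manual check above, as an added example (not from the article or from decareto), expressed as a JavaScript function over the request URLs observed in the Network tab: run it once with the URLs seen before consent and once with those seen after. The host lists come from the steps above; the split into two rule sets and the sample URLs are constructed for this example.

```javascript
// Added example: the DevTools check as a function over observed request URLs.
// Host lists follow the article; the before/after-consent split is an assumption.

// Third-party hosts the article shows the YouTube embed code contacting.
const THIRD_PARTY_HOSTS = [
  'youtube.com', 'youtube-nocookie.com', 'doubleclick.net', 'google.com', 'fonts.gstatic.com',
];
// Hosts that must not appear even after consent when privacy-enhanced mode is in use.
const FORBIDDEN_AFTER_CONSENT = ['youtube.com', 'doubleclick.net'];

// Exact or subdomain match; 'www.youtube-nocookie.com' does NOT match 'youtube.com'.
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Returns the requests that violate the rule set for the given phase.
function auditRequests(urls, consentGiven) {
  const blocked = consentGiven ? FORBIDDEN_AFTER_CONSENT : THIRD_PARTY_HOSTS;
  const phase = consentGiven ? 'after consent' : 'before consent';
  const violations = [];
  for (const raw of urls) {
    let host;
    try {
      host = new URL(raw).hostname.toLowerCase();
    } catch (e) {
      violations.push({ url: raw, reason: 'unparseable URL' });
      continue;
    }
    const hit = blocked.find((d) => hostMatches(host, d));
    if (hit) violations.push({ url: raw, reason: `call ${phase} to ${hit}` });
  }
  return violations;
}

// Constructed sample request lists (not real captures).
// A correctly gated page: only first-party requests before consent ...
const GATED_BEFORE = ['https://www.example.org/', 'https://www.example.org/media/thumb.jpg'];
// ... and only the nocookie host (plus Google Fonts, which it still pulls) afterwards.
const GATED_AFTER = [
  'https://www.youtube-nocookie.com/embed/abcDEF12345',
  'https://fonts.gstatic.com/s/sample/font.woff2',
];
// The normal embed code: the youtube.com player plus DoubleClick, even after consent.
const NORMAL_EMBED = [
  'https://www.youtube.com/embed/abcDEF12345',
  'https://static.doubleclick.net/sample.js',
];
```

Any request to youtube-nocookie.com or fonts.gstatic.com that shows up in the before-consent list is a leak: the video (or its fonts) was loaded without the user's click.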

To have this check automated, you can also use software such as decareto Compliance Monitoring.

Does the embedding of YouTube videos have to be mentioned in the privacy policy?

Yes, the embedding of YouTube videos must be mentioned in the privacy policy in any case. The user must be informed about the use of YouTube videos or other social networks on your website. If we assume that videos are embedded only in privacy-enhanced mode (i.e. without profiling by DoubleClick), then at least the following information should be included - please note that this does not constitute legal advice:

  • The recipient, i.e. the contact details of YouTube or Google.
  • The purpose of the integration, e.g. "display of relevant video content".
  • An overview of the data processed. This is not unproblematic, because it is difficult to determine what data YouTube / Google really processes. One should point out that in any case the IP address is transmitted to YouTube / Google, and that processing of data in local storage and possibly cookies cannot be ruled out.
  • A note on the legal basis for the processing: the video is loaded only after consent (Art. 6 para. 1 lit. a GDPR), and the consent can be revoked at any time.
  • Profiling information. It should be noted that profiling may occur if the user is logged in with a Google account in parallel. In this case, actions are merged with the profile.
  • A note on data processing in third countries. When watching the video, data may be transferred to the servers of YouTube and Google in the USA, where the level of data protection is considered insufficient.

Strictly speaking, information about the storage period of the data would also have to be provided, but unfortunately there is no clear statement from Google on this.

Summary

To make the embedding of YouTube GDPR compliant, please pay attention to the following points:

  • You need to enable the privacy-enhanced mode.
  • You must additionally obtain consent before loading.
  • Check with the Chrome developer tools or a tool like decareto that the integration is done correctly.
  • In addition, you must provide comprehensive information about the data processing in the privacy policy.

Do you have questions about how to embed videos from YouTube in a GDPR compliant way or do you need help with GDPR specific questions? Feel free to contact us and we will answer you as soon as possible!

Author: Eckhard Schneider
