Are YouTube Embeds GDPR Compliant?

A standard YouTube embed sets tracking cookies and sends visitor IP to Google on page load. Learn why privacy-enhanced mode isn't a complete fix and how to embed YouTube compliantly.


by Billal Hossain • 1 July 2026


A standard YouTube embed is not GDPR compliant without prior consent. The iframe sets tracking cookies and sends the visitor's IP address to Google the moment the page loads. Switching to youtube-nocookie.com defers the cookies but still writes browser storage and transmits the IP on load. The compliant fix is to block the embed until the visitor consents.

This page covers what data a standard embed collects before anyone presses Play. It then explains where privacy-enhanced mode falls short, what the law requires, and how to embed YouTube without triggering a consent violation.

Are YouTube Embeds GDPR Compliant?

By default, a standard YouTube embed (youtube.com/embed) is not GDPR compliant. The iframe contacts Google's servers the moment the page renders. It sets tracking cookies and transmits personal data before the visitor clicks anything or gives valid cookie consent.

The path to compliance is one step: block the embed from loading until the visitor gives prior, specific, informed, and unambiguous consent. Without that step, every page view with a YouTube embed processes visitor data without a lawful basis under GDPR Art. 6(1)(a).

Many sites run unblocked YouTube embeds assuming "it's just a video." That assumption is wrong. The embed is a third-party data pipeline that activates on page load, not on Play.

What Data Does a Standard YouTube Embed Collect?

A standard youtube.com embed transmits data to Google before the visitor interacts with anything. On page load, the iframe fetches approximately 800KB of JavaScript from youtube.com, google.com, and googlevideo.com, triggering more than 20 HTTP requests per embed. Each request carries the visitor's IP address, browser user agent, screen resolution, language settings, and the URL of the page they are viewing.

Cookies a YouTube Embed Sets

A standard embed sets these cookies on page load, before any click:

CookiePurposeDuration
VISITOR_INFO1_LIVEEstimates bandwidth for video quality180 days
YSCTracks user interactions with the embedSession
PREFStores user preferences (quality, settings)Up to 240 months
GPSRegisters a unique ID on mobile for tracking30 minutes
IDEGoogle DoubleClick targeted advertising13 months
CONSENTStores cookie consent status for Google20 years

None of these are strictly necessary for the embedding site's service. VISITOR_INFO1_LIVE, YSC, GPS, and IDE are marketing and statistics cookies, which require prior consent under GDPR and the ePrivacy Directive.

What Loads Before the Visitor Presses Play

Before anyone presses Play, the standard embed has already contacted Google's servers. It sends the visitor's IP address, user agent, screen resolution, language settings, and page URL. Connections are established to doubleclick.net and googleadservices.com alongside the core YouTube domains.

This matters because GDPR classifies an IP address as personal data. Transmitting it to a third party (Google) is data processing that requires a lawful basis. For a website visitor who has not consented, no such basis exists.

Does Privacy-Enhanced Mode (youtube-nocookie.com) Fix It?

Switching to youtube-nocookie.com helps, but it is not a complete fix. Privacy-enhanced mode defers HTTP cookies (VISITOR_INFO1_LIVE, YSC, GPS, PREF, and DoubleClick's IDE) until the visitor presses Play. This deferral is confirmed in Google's own documentation.

Google states that YouTube "won't store information about visitors on your web page unless they play the video," which is true of HTTP cookies.

What Google's documentation does not mention is what the nocookie domain still does on page load:

  • IndexedDB write: The iframe writes a database named YtIdbMeta to the youtube-nocookie.com origin in the visitor's browser, before any Play event (confirmed by 2026 live testing).
  • localStorage write: A localStorage entry keyed ytidb::LAST_RESULT_ENTRY_KEY is written on page load, before any Play event.
  • IP transmission: Network requests to google.com, fonts.gstatic.com, and googleapis.com fire on load. Each request carries the visitor's IP address to Google's servers.

The ePrivacy Directive Art. 5(3) covers any storage on or access to a user's device by any method, not only HTTP cookies. The ICO confirms that "the same rules apply to any similar technologies." So the IndexedDB and localStorage writes by youtube-nocookie.com on page load require prior consent. That holds even though no HTTP cookies are set at that moment.

Switching to privacy-enhanced mode is a meaningful improvement. It is not a compliance solution on its own.

Standard Embed vs Privacy-Enhanced Mode: What Each One Stops

Privacy-enhanced mode stops the page-load cookies, and nothing else. The table below maps what each embed option does and does not block on load.

BehaviorStandard embed (youtube.com)Privacy-enhanced (youtube-nocookie.com)
Cookies on page loadYesNo
Cookies on PlayYesYes
IP sent to Google on loadYesYes
IndexedDB (YtIdbMeta) on loadYesYes
localStorage on loadYesYes
Personalized adsYesReduced
GDPR compliant without prior consentNoNo

Neither embed option is GDPR compliant when it loads on page render without prior consent. The bottom row does not change by switching domains.

Why Embedding YouTube Needs Consent (the Law and the Rulings)

Two separate legal frameworks require prior consent before a YouTube embed loads.

ePrivacy Directive / PECR (the "cookie law") applies first. Under Art. 5(3), you need the visitor's prior consent before storing or accessing any information on their device, by any method. This triggers before GDPR's lawful basis question even arises. The moment the embed writes IndexedDB, localStorage, or a cookie, ePrivacy requires prior consent.

GDPR Art. 6(1)(a) makes consent the required lawful basis for the data processing the embed triggers. Art. 4(11) defines consent as "freely given, specific, informed and unambiguous." Under Art. 7, you must be able to demonstrate that consent was given, and withdrawal must be as easy as giving consent. Clicking Play does not meet this standard: the visitor's intent is to watch a video, not to consent to data processing. France's CNIL has been explicit that clicking Play does not constitute valid GDPR consent.

The LG München I ruling (Az. 3 O 17493/20, 20 January 2022) provides the closest judicial precedent. A Munich court found that embedding Google Fonts, which transmitted the visitor's IP address to Google on page load without consent, violated GDPR Art. 6(1). The legal mechanism is identical to a YouTube embed. A third-party resource loads on page render and carries the visitor's IP to Google before any consent is given. The ruling confirmed that an IP address is personal data and that transmitting it to Google requires a lawful basis.

Controller responsibility: The website that embeds the video is the data controller responsible for ensuring consent is obtained. You cannot offload this duty to Google. When you place a YouTube iframe on your page, you control whether and when it loads. That control makes you responsible for the data processing it triggers. The embed is often one of several compliance gaps on a site. Check the whole stack by asking whether your website is GDPR compliant at the platform level.

How to Embed YouTube Compliantly: Block the Iframe Until Consent

The compliant approach stops the iframe from loading on page render. The embed only loads after the visitor gives prior, specific, informed, and unambiguous consent. Here are the steps:

  1. Categorize the YouTube embed as non-essential (marketing/statistics). YouTube cookies and the associated data transmission serve advertising and analytics purposes. No exemption for strictly necessary processing applies.
  2. Block the iframe before consent. Use a content blocker or CMP to block the iframe before consent so no scripts load, no cookies are set, and no network requests reach Google on page render. This is the step where most sites fail: a banner that asks for consent but does not actually prevent the embed from loading does not satisfy the law.
  3. Show a placeholder where the video would appear. Display a static preview image or a branded "click to load video" prompt in the embed's place. This is the click-to-load pattern (also called the facade or two-click pattern), which EU regulators and practitioners consistently identify as the standard compliant approach.
  4. Load the embed only after the visitor consents. When the visitor accepts the relevant category, the real iframe loads and the video becomes playable. Log the consent with a timestamp and the categories accepted.
  5. Optionally use youtube-nocookie.com as a secondary layer. Once the visitor has given consent and the embed loads, switching to the privacy-enhanced domain reduces ad personalization. It is a defense-in-depth measure, not a substitute for the blocking step above.

Lazy loading is not a substitute. Lazy loading delays when the iframe renders in the viewport, not whether it loads. A lazy-loaded YouTube embed still fires its cookies, storage writes, and IP transmission as soon as the iframe enters the viewport, without any consent.

On WordPress, a consent management plugin with a content blocking feature handles the iframe blocking and placeholder automatically. The same pattern applies to any platform that allows script injection in the page head.

Common YouTube Embed Compliance Mistakes

Website owners new to this topic run into the same five mistakes.

  • "youtube-nocookie.com makes it compliant." Privacy-enhanced mode defers HTTP cookies to Play, but the iframe still writes IndexedDB and localStorage on load and still sends the visitor's IP to Google. Switching domains without blocking the embed is not a compliance solution.
  • "It's Google's problem, not mine." The embedding site is the data controller for the processing the embed triggers. The responsibility to obtain consent belongs to the site owner, not only to Google. The same prior-consent rule applies to other Google tools on your site, including whether Google Analytics is GDPR compliant.
  • "Lazy loading fixes it." Lazy loading delays iframe rendering. It does not prevent the embed from firing cookies, storage writes, and network requests once it enters the viewport. No consent has been given; the same violation occurs, just slightly later in the page lifecycle.
  • "Everyone embeds YouTube without a banner, so it's fine." Widespread non-compliance is not a legal defense. Many sites are non-compliant; that is a risk they carry, not a precedent that protects you.
  • "A cookie banner alone covers it." A cookie banner that informs but does not block the embed is insufficient. The banner must stop the iframe from loading before the visitor accepts. If the embed fires before the banner is accepted, no lawful basis exists for the processing that already happened. The same principle applies to a Shopify store with embedded product videos.

How Consently Makes YouTube Embeds Compliant

Consently automatically blocks the YouTube iframe until the visitor gives consent, then loads the embed after acceptance and records the choice.

Its Iframe Blocking feature prevents YouTube (and other third-party embeds including Google Maps, Vimeo, Spotify, Facebook, Instagram, and Twitter/X) from loading before consent. The block applies to both youtube.com and youtube-nocookie.com embeds. This means no cookies are set, no IndexedDB or localStorage is written, and no network requests reach Google on page load.

In the visitor's browser, the Editable Iframe Placeholder shows a customizable "load video" prompt in place of the blocked embed. The prompt can carry the site's branding, a thumbnail, and an explanatory note about why the video is not yet loaded. When the visitor accepts the relevant cookie category, the embed loads and the video becomes playable. Consently records the consent in its log with a timestamp and the accepted categories.

Google Consent Mode v2 signals are sent alongside the consent record, so Google Analytics and Google Ads receive the correct consent state for the visitor. GDPR opt-in templates are available on all plans.

This is the click-to-load pattern regulators point to. You set it up once, and it applies automatically across every embed on the site without per-embed code changes.

Start free with Consently to block YouTube iframes, show a compliant placeholder, and keep a full consent log. Every plan includes it, with no credit card required.

FAQs

Are YouTube embeds GDPR compliant?

Not by default. A standard YouTube embed sets tracking cookies and transmits the visitor's IP to Google on page load, before any consent. You must block the embed until the visitor gives prior, specific, informed, and unambiguous consent.

Does youtube-nocookie.com make my embeds GDPR compliant?

No, not on its own. Privacy-enhanced mode defers HTTP cookies (VISITOR_INFO1_LIVE, YSC, and others) until the visitor presses Play. But the iframe still writes IndexedDB and localStorage on page load and still sends the visitor's IP to Google's servers before any Play event. Prior consent is still required.

Do I need consent before a YouTube video loads?

Yes. Under the ePrivacy Directive Art. 5(3) and GDPR Art. 6(1)(a), you need prior, freely given, specific, informed, and unambiguous consent before the embed loads non-essential content and transmits data to Google.

What cookies does an embedded YouTube video set?

A standard embed sets VISITOR_INFO1_LIVE (180 days), YSC (session), PREF (up to 240 months), GPS (30 minutes), and DoubleClick's IDE (13 months). It also writes browser storage entries. None are strictly necessary for the embedding site's service. With youtube-nocookie.com, HTTP cookies are deferred to Play, but IndexedDB and localStorage entries are still written on page load.

Who is responsible for consent, me or Google?

You are. The website that embeds the YouTube video is the data controller responsible for obtaining prior consent before the embed loads. You control whether and when the iframe fires, so you are responsible for the data processing it triggers. You cannot offload this obligation to Google.

How do I embed a YouTube video without a cookie banner?

You still need consent, but a click-to-load placeholder can serve as the consent mechanism. Show a static preview image or branded prompt in place of the blocked embed. When the visitor clicks it, they give consent and the embed loads. The click must be clearly labelled as a data-processing consent action, not just a Play button, so the visitor understands what they are agreeing to.

Does this apply to US websites or only the EU?

The strict prior-consent requirement is an EU and UK rule under GDPR and the ePrivacy Directive. US websites serving only US visitors have no federal law mandating a cookie banner for YouTube embeds specifically. That said, the YouTube embed still sends visitor data to Google regardless of the visitor's location. CCPA and US state privacy laws may apply depending on the visitor's state. If your site receives EU or UK visitors, the EU/UK rules apply to those sessions.

AUTHOR

Billal Hossain is a software engineer with hands-on experience building Consently from start to finish. His work gives him a practical understanding of consent management platforms, cookie consent, and how businesses can create more compliant, user-friendly websites.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.