YouTube Embeds and GDPR: Why Your Video Sends Data to Google
15 April 2026
You added a YouTube video to your website. Maybe a product demo, a testimonial or a short explainer. Looks good. Works fine.
But the moment someone loads that page, their browser connects to Google's servers. Google receives their IP address, sets tracking cookies and starts collecting data. This happens before the visitor presses play. Before they even scroll down to the video.
Under GDPR, that's a problem.
What happens when you embed a YouTube video
The standard YouTube embed code looks like this:
<iframe src="https://www.youtube.com/embed/VIDEO_ID" frameborder="0" allowfullscreen></iframe>
When a visitor's browser sees this iframe, it immediately loads content from youtube.com. Here's what gets sent to Google:
- The visitor's IP address
- Their browser fingerprint and user agent string
- Any existing Google cookies on their device
- The page URL where the video is embedded
Google uses this to track users across sites, build advertising profiles and serve targeted ads. All of this happens on page load, without any user interaction.
If the visitor is logged into their Google account, Google can tie this page visit directly to their identity.
You can check whether your own site has this problem with a free compliance scan. It takes about two minutes.
The youtube-nocookie.com myth
Google offers an alternative embed domain: youtube-nocookie.com. Many website builders and CMS plugins default to this. It sounds like it solves the cookie problem.
It doesn't.
When you use youtube-nocookie.com, Google still receives the visitor's IP address on page load. Google still collects browser data. The only difference is that Google claims it won't set certain advertising cookies until the user presses play. But the data transfer itself still happens without consent.
The European Data Protection Board and multiple national data protection authorities have made clear that IP addresses are personal data. Transferring personal data to Google's servers without consent violates GDPR, regardless of whether cookies are set.
The domain name is misleading. Don't rely on it.
Joint controller liability: the Fashion ID case
In July 2019, the Court of Justice of the European Union ruled in Fashion ID C-40/17 that a website operator who embeds a third-party plugin shares responsibility for the data collection that plugin performs.
The case involved a Facebook Like button, but the ruling applies to any third-party embed. YouTube iframes, Google Maps, social media widgets. If you put it on your page and it collects visitor data, you're a joint controller for that data collection alongside the third party.
This means you can't say "that's Google's responsibility." Under the Fashion ID ruling, you need to obtain valid consent before the embed loads and sends data to Google.
How to fix YouTube embeds on your site
There are three approaches, from simplest to most complete.
Option 1: Use a click-to-load facade
A facade replaces the YouTube iframe with a static thumbnail image. The visitor sees what looks like a video player. When they click on it, the actual YouTube embed loads.
Here's a basic version:
<div class="youtube-facade" data-video-id="VIDEO_ID">
  <img src="/images/video-thumbnail.webp" alt="Video title" loading="lazy">
  <button aria-label="Play video">▶</button>
</div>
<script>
  // Nothing is requested from youtube.com until the visitor clicks the facade.
  document.querySelectorAll('.youtube-facade').forEach(function(el) {
    el.addEventListener('click', function() {
      var iframe = document.createElement('iframe');
      iframe.src = 'https://www.youtube.com/embed/' + el.dataset.videoId + '?autoplay=1';
      iframe.allow = 'autoplay';
      iframe.allowFullscreen = true;
      // Swap the static thumbnail for the real player.
      el.replaceWith(iframe);
    });
  });
</script>
This approach has a bonus: it dramatically improves your page speed. YouTube embeds are heavy. They load multiple scripts and stylesheets. A facade loads a single image.
The downside: clicking the play button loads YouTube without explicit consent. It's better than auto-loading, but a proper consent management approach is safer.
Option 2: Gate the embed behind your cookie consent banner
If you already have a consent management platform, configure it to block YouTube iframes until the visitor accepts marketing or third-party cookies.
Most CMPs support this. The iframe src gets replaced with a data attribute, and the CMP swaps it back once consent is granted:
<iframe data-src="https://www.youtube.com/embed/VIDEO_ID"
        data-cookieconsent="marketing"
        class="cookieconsent-optin-marketing">
</iframe>
When the visitor hasn't given consent, they see a placeholder message explaining that a YouTube video is available and that loading it will send data to Google.
Option 3: Combine both approaches
The best solution uses a facade that also checks for consent. Show the thumbnail. When the visitor clicks play, check whether they've consented to third-party cookies. If yes, load the embed. If no, show a small consent prompt first.
This gives you fast page loads, proper consent handling and a good user experience.
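Option 3 as an added example (not code from the original article): the click handler checks for stored consent before it creates the iframe, and asks first when there is none. The storage key, the function names and the use of window.confirm as the consent prompt are assumptions; a real site would call its CMP instead, and the ID check assumes YouTube's 11-character video IDs.

```javascript
// Hypothetical storage key; a real site would query its CMP here.
const CONSENT_KEY = 'consent.third-party-video';
// Assumed ID format: 11 characters from A-Z, a-z, 0-9, "_" and "-".
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Build the embed URL only from a well-formed ID, so a tampered
// data-video-id attribute cannot change the path or query of the iframe URL.
function embedUrl(videoId) {
  if (!VIDEO_ID.test(videoId)) throw new Error('invalid video id');
  return 'https://www.youtube.com/embed/' + videoId + '?autoplay=1';
}

function hasConsent(storage) {
  return storage.getItem(CONSENT_KEY) === 'granted';
}

// Handle one click on a facade. Returns 'loaded' or 'declined'.
// No request goes to youtube.com unless consent is stored or just given.
function onFacadeClick(el, doc, storage, askConsent) {
  const src = embedUrl(el.dataset.videoId);
  if (!hasConsent(storage)) {
    if (!askConsent()) return 'declined';   // thumbnail stays in place
    storage.setItem(CONSENT_KEY, 'granted');
  }
  const iframe = doc.createElement('iframe');
  iframe.src = src;
  iframe.allow = 'autoplay';
  iframe.allowFullscreen = true;
  el.replaceWith(iframe);
  return 'loaded';
}

// Browser wiring; skipped when the file runs outside a browser.
if (typeof document !== 'undefined') {
  document.querySelectorAll('.youtube-facade').forEach(function (el) {
    el.addEventListener('click', function () {
      onFacadeClick(el, document, window.localStorage, function () {
        // Stand-in for a styled consent prompt.
        return window.confirm('Loading this video sends data to Google. Continue?');
      });
    });
  });
}
```

The thumbnail must be served from your own domain, as in the facade markup above, or the image request itself reaches a third party before consent.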
How to check if your site has this issue
Open your browser's developer tools, go to the Network tab and load your page. If you see requests to youtube.com or youtube-nocookie.com firing immediately on page load, your embeds aren't consent-gated.
You can also run a compliance scan that checks for third-party data transfers including YouTube embeds.
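The Network tab check can be complemented by a static scan of the page source, shown here as an added example that is not part of the original article. It lists iframes whose real src attribute points at one of the video hosts the article names; the function names and the sample HTML are constructed for illustration.

```javascript
// Hosts named in the article; subdomains such as www. and player. also match.
const VIDEO_HOSTS = ['youtube.com', 'youtube-nocookie.com', 'vimeo.com', 'dailymotion.com'];

// Parse the attribute text of one tag into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function isVideoHost(hostname) {
  const h = hostname.toLowerCase();
  return VIDEO_HOSTS.some((d) => h === d || h.endsWith('.' + d));
}

// Report every <iframe> whose real src points at a video host.
// An iframe that only carries data-src fetches nothing until a script sets src.
function findUngatedEmbeds(html, pageUrl) {
  const findings = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = parseAttrs(m[1]).src;
    if (!src) continue;
    let url;
    try { url = new URL(src, pageUrl); } catch (e) { continue; }
    if (isVideoHost(url.hostname)) findings.push({ host: url.hostname, src: url.href });
  }
  return findings;
}

// Constructed sample page: two ungated embeds, one CMP-gated, one same-origin.
const SAMPLE_HTML = `
<iframe src="https://www.youtube.com/embed/abcDEF12345" allowfullscreen></iframe>
<iframe src='//www.youtube-nocookie.com/embed/abcDEF12345'></iframe>
<iframe data-src="https://www.youtube.com/embed/abcDEF12345" data-cookieconsent="marketing"></iframe>
<iframe src="/widgets/local.html"></iframe>`;

console.log(findUngatedEmbeds(SAMPLE_HTML, 'https://example.org/'));
```

A static scan does not see iframes that scripts inject at runtime, so the Network tab remains the reference check.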
What about self-hosting the video?
If the video is short and you control the content, consider hosting it yourself. HTML5 video elements don't send data to third parties:
<video controls preload="none" poster="/images/video-poster.webp">
  <source src="/videos/demo.mp4" type="video/mp4">
</video>
This works well for product demos or short clips under a few minutes. For longer content or when you need YouTube's streaming infrastructure, a consent-gated embed is the practical solution.
Common Questions
Does youtube-nocookie.com make my embed GDPR compliant?
No. It reduces some cookie tracking but still transfers the visitor's IP address and browser data to Google on page load. You still need consent before loading the embed.
Do I need consent if the video is my own content?
Yes. The GDPR issue isn't about the video content. It's about the data transfer to Google's servers. Even your own video embedded via YouTube sends visitor data to Google.
Can I use a YouTube thumbnail without embedding the video?
Yes. Showing a static image with a link to YouTube is fine. The visitor chooses to go to youtube.com themselves. No data gets sent from your site. Just make sure the thumbnail image itself isn't copyrighted by someone else.
What if only one page on my site has a YouTube video?
It still needs consent. GDPR applies per data processing operation, not per website. One page with one unconsented embed is one violation.
Does this apply to Vimeo embeds too?
Yes. Any third-party video embed that transfers visitor data needs consent. Vimeo, Dailymotion and other platforms all receive visitor IP addresses when their embeds load.