YouTube Embeds and GDPR: What Irish and Belgian Businesses Need to Know

You've embedded a YouTube video on your product page. Your visitors don't have to click play—the video is just sitting there, maybe with an autoplay thumbnail. What you might not realise is that YouTube is collecting data on your visitors before they watch a single second. Without consent, that's a GDPR violation. Both Irish and Belgian regulators agree: embedded YouTube videos require consent first.

Why YouTube Embeds Require Consent

When you embed a YouTube video on your website, YouTube's JavaScript runs on your page automatically. Even if the video isn't playing, YouTube collects:

• Device information (browser, OS, screen resolution)
• IP address
• Cookies (even if the visitor has never been to YouTube)
• Referrer (where the visitor came from)
• Whether and when the visitor watches your embedded video
• How far into the video they watch
• How many times they rewatch it

This happens the moment your page loads. The visitor doesn't have to interact with anything. YouTube is tracking them regardless.

In GDPR terms, this is personal data processing. Your website is responsible because you embedded YouTube. You need a legal basis under GDPR Article 6. Consent is the safest basis.

The Irish and Belgian Regulatory Position

Ireland: Data Protection Commission (DPC)

Ireland is Google's EU headquarters. The Irish Data Protection Commission is Google's lead supervisory authority under GDPR. The DPC has made clear that tracking by third-party services (including YouTube) requires prior consent.

The DPC's position:

• Embedded third-party scripts set cookies and collect tracking data
• GDPR Article 7(4) requires consent before the script runs
• "Legitimate interest" is a weaker basis for tracking
• Pre-checked consent boxes are invalid (consent must be affirmative)

In decisions about Google Analytics, Google Ads, and Meta Pixel, the DPC has consistently held that tracking requires explicit consent before the tracking code executes.

Belgium: Data Protection Authority (GBA/APD)

The Belgian Data Protection Authority has similar rules. They've taken a stricter line on consent because they rejected the industry standard consent framework (IAB TCF) as non-compliant.

The GBA's position:

• Embedded tracking requires prior consent
• Consent must be granular (not "accept all")
• Legitimate interest is insufficient for marketing and analytics tracking
• The reject button must be as prominent as the accept button

The youtube-nocookie.com Myth

You've probably heard that using youtube-nocookie.com instead of youtube.com avoids the tracking problem. This is wrong.

The nocookie domain does one thing: it doesn't set YouTube's ad cookies until the visitor interacts with the video. But it still:

• Logs the visitor's IP address
• Sets non-ad cookies for playback and analytics
• Sends data to YouTube's servers
• Processes personal data as defined by GDPR

The DPC and GBA don't accept youtube-nocookie as a compliance workaround. They've explicitly stated that both youtube.com and youtube-nocookie.com embeds require consent.

A YouTube support document may claim that nocookie is a GDPR solution. It's marketing. The regulators disagree.

Three Compliant Approaches

Option 1: Click-to-Load (Recommended)

Replace the YouTube embed with a static image or placeholder. When visitors click, then load the actual video—but only after they've consented.

How it works:

1. Display a thumbnail image of the video (or a generic play button)
2. Show a message: "This video uses YouTube, which tracks viewing data. Click to play and consent, or skip."
3. Only when they click do you load the YouTube iframe

This is compliant because:

• No YouTube tracking happens automatically
• Visitors make an active choice
• You've separated the content (image) from the tracker (iframe)
• They can choose not to watch at all

<div id="video-container" style="position: relative; cursor: pointer;">
  <img src="video-thumbnail.jpg" alt="Watch: How to use our product" 
       style="width: 100%; max-width: 600px;" />
  <div style="position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); 
              background: rgba(0,0,0,0.7); color: white; padding: 20px; border-radius: 5px; text-align: center;">
    <p style="margin: 0;">Click to play (YouTube tracking enabled)</p>
    <p style="margin: 10px 0 0 0; font-size: 12px;">See our <a href="/privacy" style="color: #0ff;">privacy policy</a></p>
  </div>
</div>

<script>
document.getElementById('video-container').addEventListener('click', function() {
  if (hasUserConsentedToMarketing) {
    this.innerHTML = '<iframe width="100%" height="400" src="https://www.youtube.com/embed/dQw4w9WgXcQ" ' +
                     'title="YouTube video player" frameborder="0" allowfullscreen></iframe>';
  } else {
    alert('Please consent to marketing cookies to watch this video.');
  }
});
</script>

Advantages:

• Fully compliant
• Minimal friction (one click)
• Improves page load speed (no iframe auto-load)
• Users still see your content

Disadvantages:

• Slightly less seamless than auto-embedded video
• Requires JavaScript
• Fewer users may click through to watch

Option 2: Remove YouTube, Use Vimeo Instead

Vimeo offers a GDPR-friendly option. You can embed Vimeo videos without tracking cookies using Vimeo's privacy mode.

With Vimeo's privacy mode, Vimeo doesn't set cookies or track viewers unless the viewer clicks play. After they click, Vimeo uses cookies for playback and analytics.

Embed code:

<iframe src="https://player.vimeo.com/video/123456?dnt=1" 
        width="100%" height="400" 
        frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe>

The dnt=1 parameter means "Do Not Track"—Vimeo won't set cookies until the visitor interacts.

However, note: Vimeo still processes some data (IP address, interaction data). It's less aggressive than YouTube, but you should still disclose it. Some regulators view Vimeo with dnt=1 as acceptable without prior consent, but the safest approach is still to ask.

Advantages:

• Less invasive tracking than YouTube
• Direct embed possible without click-to-load
• Better video quality than YouTube
• Supports privacy mode

Disadvantages:

• Requires Vimeo account and upload
• Less ubiquitous than YouTube
• Vimeo's paid plans may be needed for branding options

Option 3: Static Image with a Link

The simplest option: show a video thumbnail and link to the YouTube video.

<div style="text-align: center;">
  <img src="thumbnail.jpg" alt="Product demo video" style="max-width: 100%; cursor: pointer;" 
       onclick="window.open('https://www.youtube.com/watch?v=dQw4w9WgXcQ', '_blank')" />
  <p><a href="https://www.youtube.com/watch?v=dQw4w9WgXcQ" target="_blank">
    Watch on YouTube (opens in new tab)</a></p>
</div>

Advantages:

• No tracking on your site
• Simple to implement
• YouTube's privacy policy covers their site
• No consent needed

Disadvantages:

• Users leave your site
• Less engagement
• Doesn't work well for multiple videos
• Breaks page flow

How to Add Consent to YouTube in Your Cookie Banner

If you choose to keep YouTube embedded and require consent:

Step 1: Add to Cookie Categories

Update your cookie banner to explicitly mention YouTube:

Video Content: We embed YouTube videos to show product demos 
and educational content. YouTube sets cookies to track video 
viewing, measure engagement, and serve personalised ads. YouTube 
processes data in the United States under Standard Contractual 
Clauses. You can withdraw this consent anytime in our 
Cookie Settings.

For both Irish and Belgian sites, be explicit: say YouTube is a U.S. company processing data outside the EU.

Step 2: Don't Load Until Consent

Write a script that checks consent before loading the embed:

// Simple example
function loadYouTube(videoId) {
  var hasMarketing = localStorage.getItem('consent_marketing') === 'true';
  var hasFunctional = localStorage.getItem('consent_functional') === 'true';
  
  if (hasMarketing || hasFunctional) {
    document.getElementById('video-' + videoId).innerHTML = 
      '<iframe width="100%" height="400" src="https://www.youtube.com/embed/' + videoId + 
      '" frameborder="0" allowfullscreen></iframe>';
  } else {
    document.getElementById('video-' + videoId).innerHTML = 
      '<p>Please consent to marketing cookies to watch this video. ' +
      '<a href="/cookie-settings">Manage cookie settings</a></p>';
  }
}

Step 3: Update Your Privacy Policy

Mention YouTube data processing:

• YouTube is a Google subsidiary
• Data is processed in the US and other countries
• You use Standard Contractual Clauses
• Visitors can contact YouTube for data rights (GDPR Articles 15-22)

Step 4: Document Consent

Keep a log of when visitors consented to YouTube. This isn't required by GDPR, but it's good practice if the DPC or GBA asks.

Differences Between Irish and Belgian Approaches

Both regulators have the same core position on YouTube: consent required, no dark patterns, easy to withdraw. But there are nuances:

Ireland (DPC):

• Focuses on data transfer safety to the US
• Emphasises that consent must be active (no pre-checks)
• Accepts "legitimate interest" more readily (but still prefers consent for tracking)
• May investigate based on visitor complaints

Belgium (GBA):

• Enforces stricter equal prominence between consent and reject
• Rejects pre-ticked boxes entirely
• Sceptical of "legitimate interest" for marketing
• Has fined companies for dark patterns and consent walls

For maximum compliance in both markets, use the strictest standard: click-to-load or Vimeo with dnt=1, explicit consent, equal reject buttons, and clear disclosure.

Practical Implementation Steps

For Irish Sites (ie/en)

1. Audit: Check all YouTube embeds on your site
2. Choose: Click-to-load, Vimeo, or link-only
3. Update banner: Add "Video Content" category with YouTube disclosure
4. Test: Verify YouTube iframe doesn't load until consent is recorded
5. Document: Note YouTube's US data processing in your privacy policy

For Belgian Sites (be/en)

Same steps, plus:

1. Ensure reject button is equal to accept in size/color
2. Provide Dutch and French translations of YouTube disclosure
3. Make preference centre accessible for changing video consent later
4. Test with developer tools to confirm no YouTube pixels fire until consent

For Sites Serving Both Markets

1. Use click-to-load or Vimeo (works for both)
2. Add explicit YouTube disclosure to banner in both languages
3. Ensure equal button prominence (for GBA)
4. Test thoroughly in both English and local languages

Common Mistakes to Avoid

1. "I use youtube-nocookie, so I don't need consent" — False. Both regulators say nocookie still requires consent.
2. Pre-ticking "analytics" includes YouTube — If YouTube is pre-ticked, that's an invalid consent.
3. Autoplay without consent — Especially bad. You're forcing tracking on users who don't want it.
4. Assuming affiliate disclosure replaces consent — Some creators link YouTube videos with affiliate disclaimers. This isn't GDPR consent.
5. "The visitor clicked play, so they consented" — Clicking play is not the same as consenting to data processing. You need explicit upfront consent.

Penalties for Non-Compliance

Ireland: The DPC can fine up to €20 million or 4% of global annual revenue. Belgium: The GBA can fine up to €1.2 million or 2% of revenue (4% for repeat violations).

More likely than a regulator-imposed fine: a visitor complains to the DPC or GBA. They investigate. If your YouTube embed runs without consent, you're in violation. Regulators in both countries have shown they will pursue these cases.

Summary and Checklist

Before your YouTube video goes live, confirm:

• I've chosen click-to-load, Vimeo, or link-only approach
• YouTube iframe doesn't load automatically (if still embedding)
• Cookie banner discloses YouTube tracking and US data processing
• Consent is not pre-checked or pre-ticked
• Reject button is equally prominent as accept (especially for Belgian sites)
• Privacy policy explains YouTube data processing
• Preference centre allows withdrawing video consent later
• Site tested with developer tools to verify no tracking until consent

For Irish and Belgian businesses, YouTube embedding without consent is increasingly risky. The easiest compliance path is click-to-load: show a thumbnail, let visitors choose to watch, and load the tracking iframe only after consent. This satisfies the DPC and GBA while keeping your content accessible.

For specific guidance:

• Ireland: Data Protection Commission at www.dataprotection.ie
• Belgium: Gegevensbeschermingsautoriteit (GBA) at www.autoriteprotectiondonnees.be