TrustYourWebsite
GDPR & Privacy

YouTube Embed and GDPR: The Cookie-Free Approach

Steven | TrustYourWebsite · 6 April 2026

Embedding a YouTube video on your website seems simple — copy the iframe code from YouTube and paste it into your page. But a standard YouTube embed places tracking cookies the moment your page loads, before your visitor has given any consent.

This article explains exactly what happens, the difference between standard and nocookie embeds, and how to implement a compliant solution with copy-paste code.

What a Standard YouTube Embed Does

When a browser encounters <iframe src="https://www.youtube.com/embed/VIDEO_ID">, it immediately makes a connection to YouTube's servers. YouTube responds by setting these cookies:

CookieDurationPurpose
VISITOR_INFO1_LIVE6 monthsUnique visitor identifier — tracks watching behaviour
YSCSessionSession ID for YouTube
GPS30 minutesLocation data tracking

These cookies are placed immediately on page load — before the visitor interacts with the video in any way. They are used to track viewing behaviour, build advertising profiles, and personalise YouTube content.

Under Dutch law (Telecommunications Act Art. 11.7a), cookies that are not strictly necessary for the requested service require consent. A YouTube video is not strictly necessary — it is embedded content that the visitor did not request by visiting your page. Consent must be obtained first.

Of 499 Dutch restaurant websites scanned, multiple sites had YouTube embeds loading before consent was obtained.

The youtube-nocookie.com Approach

YouTube provides an "Enhanced Privacy Mode" by changing the embed URL from youtube.com to youtube-nocookie.com:

<!-- Standard embed (places cookies immediately) -->
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>

<!-- Privacy-enhanced mode -->
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>

What youtube-nocookie.com does:

  • Does NOT place cookies when the page loads
  • Does NOT send visitor data to Google on page load
  • DOES place cookies when the visitor clicks play
  • DOES send viewing data to Google once playing begins

The result: No cookies on page load — but cookies once the video is played. For a fully strict interpretation of Dutch law, this means you still need a cookie banner (the visitor should be able to choose not to have cookies placed, even if they play the video).

Practical view: youtube-nocookie.com significantly reduces the tracking footprint. Many legal experts and GDPR practitioners consider it a reasonable compromise — the visitor's act of clicking play is an affirmative action that implies acceptance of cookies for playing the video. The AP has not specifically ruled on this scenario.

The Click-to-Load Facade (Most Compliant)

The most GDPR-compliant approach is to show a thumbnail image with a play button overlay. No YouTube code loads at all until the visitor clicks to watch.

How it works:

  1. Show a static image (the video thumbnail) with a play button overlay
  2. When the visitor clicks, replace the image with the actual YouTube iframe
  3. No cookies until the visitor explicitly clicks to play

Implementation (vanilla JavaScript):

<!-- Add to your CSS: -->
<style>
.yt-facade {
  position: relative;
  cursor: pointer;
  display: block;
  padding-top: 56.25%; /* 16:9 aspect ratio */
  background: #000;
  overflow: hidden;
}
.yt-facade img {
  position: absolute;
  inset: 0;
  width: 100%;
  height: 100%;
  object-fit: cover;
  opacity: 0.7;
}
.yt-facade .play-btn {
  position: absolute;
  top: 50%;
  left: 50%;
  transform: translate(-50%, -50%);
  width: 68px;
  height: 48px;
  background: rgba(255,0,0,0.9);
  border-radius: 12px;
  display: flex;
  align-items: center;
  justify-content: center;
}
.yt-facade .play-btn::after {
  content: '';
  border-style: solid;
  border-width: 10px 0 10px 20px;
  border-color: transparent transparent transparent white;
  margin-left: 4px;
}
</style>

<!-- HTML for each video: -->
<div class="yt-facade" 
     data-video-id="VIDEO_ID_HERE"
     onclick="loadYouTube(this)"
     role="button"
     tabindex="0"
     aria-label="Play video: [Video title here]"
     onkeypress="if(event.key==='Enter')loadYouTube(this)">
  <img src="https://i.ytimg.com/vi/VIDEO_ID_HERE/hqdefault.jpg" 
       alt="[Video thumbnail description]"
       loading="lazy">
  <div class="play-btn" aria-hidden="true"></div>
</div>

<!-- JavaScript (add once, near bottom of page): -->
<script>
function loadYouTube(facade) {
  const videoId = facade.dataset.videoId;
  const iframe = document.createElement('iframe');
  iframe.src = 'https://www.youtube-nocookie.com/embed/' + videoId + '?autoplay=1';
  iframe.style.cssText = 'position:absolute;inset:0;width:100%;height:100%;border:0';
  iframe.allow = 'accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture';
  iframe.allowFullscreen = true;
  facade.style.cssText = 'position:relative;padding-top:56.25%;';
  facade.innerHTML = '';
  facade.appendChild(iframe);
}
</script>

What to change:

  • Replace VIDEO_ID_HERE with your YouTube video ID (the part after ?v= in the YouTube URL)
  • Update the alt text and aria-label with descriptive text for each video
  • The thumbnail loads from YouTube's CDN — this does send an HTTP request to Google for the thumbnail image. To avoid even this: download the thumbnail and host it yourself.

Fully Self-Hosted Thumbnails (Zero Google Contact on Load)

To avoid even the thumbnail request to YouTube, download and host thumbnails yourself:

  1. Go to https://i.ytimg.com/vi/VIDEO_ID/hqdefault.jpg
  2. Download the image
  3. Host it on your own server (e.g., /images/video-thumbnail.jpg)
  4. Update the src in the facade: src="/images/video-thumbnail.jpg"

With this approach, Google receives zero data from your website until a visitor clicks to play a video.

WordPress Implementation

If you use WordPress, these plugins implement similar functionality:

  • WP YouTube Lyte — replaces YouTube iframes with lightweight facades
  • Embed Privacy — wraps all external embeds with click-to-load functionality for YouTube, Google Maps, and other services
  • Complianz — integrates with consent management and conditionally loads embeds after consent

These plugins are typically installed and configured in minutes, without coding.

Which Approach to Choose?

ApproachCookies on page loadCookies when playedTechnical complexity
Standard youtube.com embedYesYesNone
youtube-nocookie.com embedNoYesVery low
Click-to-load (youtube-nocookie)NoYes (after click)Low
Click-to-load (self-hosted thumbnail)NoYes (after click)Low-medium

For most websites: the click-to-load with youtube-nocookie.com approach is the right balance. It requires minimal code, eliminates cookies on page load, and is clearly more privacy-respecting than a standard embed.

Updating Your Privacy Policy

Whichever approach you use, update your privacy policy:

  • If you use youtube-nocookie.com: mention that YouTube is used for video content and that cookies are placed when a video is played
  • Describe what data YouTube receives when a video is played
  • Link to YouTube's privacy policy

For visitors who never click to play, no cookies are placed and no disclosure is required — the facade approach means most visitors never interact with YouTube's tracking.

This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.

Check your website now

Scan your website for GDPR & Privacy issues and 30+ other checks.

Scan your site free

Website Guides

GDPR Compliance Checklist for Dutch Businesses (2026)

A practical 35-point GDPR checklist for small businesses in the Netherlands. Privacy policy, cookie consent, data processors, breach reporting, and more.