Ready for the new Google Consent Mode v2? Learn more »
Legal

YouTube and GDPR – Tips for using the video channel in accordance with data protection regulations


Many companies have recognized the importance of social media for the effectiveness of their online marketing. According to the motto “a picture (or a video) says more than 1000 words”, Instagram and YouTube in particular are used alongside the classic Facebook. If you also use YouTube as a company channel and perhaps want to collect data from users, you should be careful: YouTube cookies and GDPR do not necessarily have the same intersection. This means that you should pay attention to a few things so that the integration of videos from YouTube is GDPR-compliant. Otherwise warnings and, under certain circumstances, severe penalties are threatened.

This overview summarizes the most important things about YouTube and the GDPR – in particular about the topic of YouTube cookies and consent . If you have any questions, a specialized consent management provider such as consentmanager is the right contact person.

Consent solution for Smart TVs

What does the GDPR regulate?

GDPR is the abbreviation for General Data Protection Regulation. This is a set of rules of the European Union that has been in effect since May 25, 2018 and supplements the Federal Data Protection Act (BDSG) in Germany. The purpose of the regulations is the protection of personal data . This includes not only the classics such as name and date of birth. The IP address of a computer or mobile phone also counts, because this data is in principle suitable for finding out the person behind the user.

The GDPR consists of introductory principles and many complex regulations that are difficult for the layperson to classify. The regulation applies to all companies or institutions, associations or clubs that collect, store and process data from people – offline or online. There are a whole range of rights that prospects or customers have under the GDPR – such as the right to information, the right to consent to certain data processing or the right to erasure. In particular, the consent (consent) is discussed in more detail, because the consent of the user is something that must be observed when it comes to the YouTube cookie.

What does a video platform have to do with data protection?

There are still many people who think that YouTube is GDPR compliant since they can view the platform’s videos without being logged into Google. But even that is a mistake. For example, if you use one of the many software solutions with which you can detect and switch off tracking cookies, you will quickly discover that – similar to other websites – the inconspicuous cookies are still bustling around to collect data. So there are definitely cookies available even when you are not logged in to YouTube . In addition to the YouTube cookies, data collection for the Google account is particularly relevant from a data protection perspective.

What does YouTube have to do with Google?

Google is mentioned again and again in connection with YouTube and GDPR or YouTube and cookie consent. The reason for this is simple: YouTube belongs to Google – and when you register or log in to YouTube, you do this with your Google account. And that is exactly what makes the privacy advocates suspicious of YouTube cookies.

Ist Ihre Webseite konform? Finden Sie es heraus mit unserer Checkliste

Checkliste herunterladen

Cookies under the magnifying glass

What exactly are cookies, what do the “cookies” do on YouTube and what makes them so critical? Cookies are small text files that are stored on the computer or smartphone when surfing in the browser. Of course, they serve a very specific purpose for the operator of websites: tracking. Tracking is the tracking of users on the web in order to develop suitable marketing strategies. For example, the online shop will save the shopping cart and clicked products and the ID of the session of the respective computer. In this way, visitors receive suitable offers while surfing – whether they like it or not. Perhaps you have already surfed through the offers of large online giants with your stationary computer and then later received similar advertisements on your smartphone? This is exactly the result of the virtual biscuits. Many people perceive this as “spying”, which is why cookies have come under the scrutiny of data protection officers.

Privacy and Google Account

If you open a Google account, data will also be collected and stored for its use (including, for example, recovering passwords and preventing misuse). This information isn’t overly comprehensive—name, date of birth, email address, and phone number are required. That seems pretty unproblematic. But – and this is an important factor when it comes to YouTube and data protection – anyone surfing in the open Google account will be tracked with all their data. This automatically makes it necessary for the user to declare their consent – the YouTube Cookie Consent .

GDPR – consent as an important criterion

The be-all and end-all of the GDPR regulations is the protection of personal data. In this context, a core element of the General Data Protection Regulation is that users must give their consent to data collection . This regulates Article 6 GDPR, which has the heading “Lawfulness of processing” :

“(1) Processing is lawful only if at least one of the following conditions is met:
a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;
[…]”

DSGVO § 6

This means – also for the integration of YouTube videos into your website – that the user’s consent is mandatory. This can be implemented via the classic cookie banner or a specific pop-up. In doing so, you enable the user to select the cookies they allow. This allowing is called consent. When it comes to selection, you should ideally offer the user who is viewing a linked YouTube video on your website three options to choose from:

  • the consent to a collection of cookies that you as the operator of the website propose
  • Consent only to those cookies that are necessary for the use of the website for legal and technical reasons or are mandatory
  • the consent to cookies, which the user compiles in a user-defined manner

No matter which of the three variants the users of your website and the embedded YouTube videos choose: The YouTube cookies are legally secure and you have comprehensively observed the GDPR with the videos from YouTube.

 

Stay up to date!

Subscribe to Newsletter

Use video content – without consent?

Not a good idea! Legally, this is a gray area that puts you, as a provider of YouTube videos, at risk of GDPR. You could display a cookie banner giving a general notice of cookie collection and then let users decide whether to continue browsing or not. However, such use of YouTube cookies is not legally compliant. It is important to get active consent from the user . And you should ensure this activity by requiring your website visitor to click a check mark in order to be able to use certain content. This is how you make your YouTube offer compliant with the GDPR and protect yourself from warnings from the lawyers of the competition and consumer protection groups as well as from the unpleasant penalties of the data protection authorities if the GDPR and BDSG/TTDSG are disregarded.

Many website operators also believe that watching videos from YouTube is GDPR compliant if users log out of their Google Account. But even that is anything but a recommended strategy for making YouTube GDPR compatible. Firstly, the operator of the website cannot force the user to close the account. And secondly, enough YouTube cookies will still be collected. So logically opt for a clean strategy and a watertight YouTube cookie consent by users.

Consent to data storage is absolutely necessary, especially if you combine tracking by cookies with so-called extended data comparison .

Advanced data reconciliation – what is it exactly?

When it comes to YouTube and GDPR, the distinction between classic cookie collection and the use of YouTube cookies for a possible extended data comparison is particularly important. Advanced data matching means that website operators supplement the data collected by the YouTube cookies with data that they have already stored themselves, such as lists of customers. The data protection officers take a particularly critical view of this, because the more data is collected, the easier it is to draw conclusions about the people behind it . And that is exactly what the data protection regulations do not allow without consent when tracking with YouTube cookies. So: If you use YouTube cookies as part of an extended data comparison, the YouTube cookie consent must be implemented by the user, otherwise the use of YouTube will not be GDPR-compliant.

Google Double Click – what is it and what does it mean for YouTube and GDPR?

YouTube belongs to Google LLC. and is therefore also subject to the data protection conditions of the US group. This also applies to its advertising platform. Double Click is Google’s advertising product and it involves extensive tracking of user data. In concrete terms, this means: If you use YouTube services by embedding YouTube videos in websites, the service from the USA combines this with comprehensive tracking of the users who use such offers . Of course, you also have to implement the data protection regulations if you use Facebook Pixel, for example. But if you use YouTube and thus indirectly also Google, data protection measures are particularly relevant. So: Make the integration of videos from YouTube GDPR compliant!

Below you will find some tips on how to implement YouTube Cookie Consent professionally and how to make YouTube GDPR compliant. Specialists for YouTube and GDPR are consent management providers like consentmanager.

1. Privacy Policy and Data Protection Officer

The solid data protection declaration is the be-all and end-all of a professional and data protection-compliant website. In this context, you can also refer to the services of Google and its link to the tracking of embedded YouTube videos. You can also describe that every user can make their own contribution to their own data protection, for example by objecting to Google’s tracking measures or by making the appropriate settings in their Google account. Also name the data protection officer who is responsible for your company’s website. You can name this internally or order it externally.

2. Obtain consent from users

The user’s consent to data-sensitive actions is also indispensable for the data protection-compliant website and its use. Use cookie banners that allow users to choose different options. This selection, i.e. deliberately clicking on an option, makes the decisive difference as to whether a YouTube cookie consent is given or not. In plain language: If the user decides for a certain tick and thus a special option for the cookies, this means a traceable and verifiable activity that the provisions on YouTube and DSGVO have been fully complied with by you. You thus create the basis that your website cannot be attacked by data protection officers and competitors.

3. Use extensible data protection mode

Embedding a YouTube video in your website is easy, even for the layperson. Thats how it works:

  1. select appropriate video
  2. press the “Share” button
  3. select the “Embed” option
  4. Use the “Show more” option
  5. select the “extended data protection” mode
  6. Check the generated link
Enable enhanced privacy mode option when embedding a YouTube video

In contrast to the classic link for embedding, a special link is generated: If the link appears with the URL www.youtube-nocookie.com, you can be sure that YouTube cookies are used in accordance with the GDPR and that you are acting in accordance with data protection regulations. (Important: Consent to embed YouTube is still required!)

4. Use consentmanager Dynamic Content Blocking

If you use consentmanager as a cookie banner on your website, we can automatically block the YouTube video and display a preview image instead. If the user has not yet approved YouTube, he is protected and at the same time sees what he could see at this point (ie a preview of the YouTube video) together with the possibility to explicitly activate this video.

Do the test: If you have not yet consented to YouTube on our website, you should now see the preview here:

If you have already consented to YouTube on our website, proceed as follows: Click on the consentmanager icon at the bottom left to call up the cookie settings, deselect YouTube and save. Then let the page reload.

5. Check alternatives

Sometimes it is not absolutely necessary that it is a YouTube video that needs to be embedded in a website. Videos can also be entered with classic HTML

frequently asked Questions

Not sure if you need a CMP?

To help you with things like GDPR, CMP and consent, we’ve rounded up the most common questions here.

We are very familiar with YouTube and cookies, or YouTube and GDPR, both technically and legally. We are the partner with whom you can legally integrate videos from YouTube into your website with Cookie Consent.

Not necessarily, because they have the same data protection problems . Methods that improve data protection on Vimeo are usually also suitable for more data protection on YouTube.

Some companies have this consideration because they do not want to violate data protection. But YouTube videos are efficient : integrated into the website, they offer users attractive added value, and the integration of YouTube can be implemented in a GDPR-compatible manner.

YouTube cookies are a form of tracking. However, not all tracking is prohibited. There is also tracking that is acceptable under data protection law with the consent of the user concerned – the so-called YouTube Cookie Consent. With this consent, data collection through tracking when using YouTube videos is implemented in compliance with the GDPR.

The European Union’s General Data Protection Regulation applies to anyone who collects, stores and processes the data of individuals. It applies to companies as well as to all other institutions that do this. In particular, the regulations of the GDPR are relevant for the automatic data collection and tracking of users in the modern online area.

Please note that we cannot provide legal advice. Some points of this FAQ may also change over time or be interpreted differently by courts. That’s why you should always consult your lawyer!


more comments

EDPB opinion on pay or consent model
Legal, News

The latest decision of the EDPB on “consent or pay” models for online platforms

The Dutch, Norwegian and German (Hamburg) regulators asked the European Data Protection Board (EDPB) for guidance on whether large online platforms can implement ‘consent or pay’ models for behavioural advertising based on valid and freely given consent. This was prompted by Meta’s introduction of a subscription model in October 2023, where users were given the […]
New regulations US 2024
Legal

New US data protection laws come into force in 2024: Update your US-specific privacy settings

In the United States, new data privacy laws will take effect in the second half of 2024 – in Florida, Texas, Oregon and Montana . Companies that operate in these states or have customers in these states will need to review their data privacy practices to ensure compliance with the new data privacy laws. To […]