Many companies have recognized the importance of social media for the effectiveness of their online marketing. According to the motto “a picture (or a video) says more than 1000 words”, Instagram and YouTube in particular are used alongside the classic Facebook. If you also use YouTube as a corporate channel and perhaps want to collect data from users, you should be careful: YouTube cookies and GDPR do not necessarily have the same overlap. This means that you should pay attention to a few things to ensure that the integration of videos from YouTube is GDPR compliant. Otherwise warnings and, under certain circumstances, severe penalties are threatened.
This overview summarizes the most important things about YouTube and GDPR – especially on the topic of YouTube cookies and consent . If you have any questions, a specialized consent management provider such as consentmanager is the right contact person.
What does the GDPR regulate?
GDPR is the abbreviation for General Data Protection Regulation. This is a set of rules of the European Union that has been in force since May 25, 2018 and which supplements the Federal Data Protection Act (BDSG) in Germany. The purpose of the regulations is the protection of personal data . This includes not only the classics such as name and date of birth. The IP address of a computer or mobile phone also counts, because this data is in principle suitable for finding out the person behind the user.
The GDPR consists of introductory principles and many complex regulations that are difficult for laypeople to understand. The regulation applies to all companies or institutions, associations or clubs that collect, store and process data from people – offline or online. There are a whole range of rights that interested parties or customers have under the GDPR – such as the right to information, the right to consent to certain data processing or the right to erasure. In particular, the consent (consent) is discussed in more detail, because the consent of the user is something that must be observed when it comes to the YouTube cookie.
What does a video platform have to do with data protection?
There are still many people who believe that YouTube is GDPR compliant because they can watch the platform’s videos without being logged into Google. But even that is a mistake. For example, if you use one of the many software solutions with which you can detect and switch off tracking cookies, you will quickly discover that – similar to other websites – the inconspicuous cookies are still bustling around to collect data. So there are definitely cookies available even when you are not logged in to YouTube . In addition to the YouTube cookies, data collection for the Google account is particularly relevant from a data protection perspective.
What does YouTube have to do with Google?
In connection with YouTube and GDPR or YouTube and cookie consent, Google is often mentioned. The reason for this is simple: YouTube belongs to Google – and when you register or log in to YouTube, you do this with your Google account. And that is exactly what makes the privacy advocates suspicious of YouTube cookies.
Ist Ihre Webseite konform? Finden Sie es heraus mit unserer Checkliste
Cookies under the magnifying glass
What exactly are cookies, what do the “cookies” do on YouTube and what makes them so critical? Cookies are small text files that are stored on the computer or smartphone when surfing in the browser. Of course, they serve a very specific purpose for the operator of websites: tracking. Tracking is the tracking of users on the web in order to develop suitable marketing strategies. For example, the online shop will save the shopping cart and clicked products and the ID of the session of the respective computer. In this way, visitors receive suitable offers while surfing – whether they like it or not. Perhaps you have already surfed through the offers of large online giants with your stationary computer and then later received similar advertisements on your smartphone? This is exactly the result of the virtual biscuits. Many people perceive this as “spying”, which is why cookies have come under the scrutiny of data protection officers.
Privacy and Google Account
If you open a Google account, data will also be collected and stored for its use (including, for example, recovering passwords and preventing misuse). This information isn’t overly comprehensive—name, date of birth, email address, and phone number are required. That seems pretty unproblematic. But – and this is an important factor when it comes to YouTube and data protection – anyone surfing in the open Google account will be tracked with all their data. This automatically makes it necessary for the user to declare their consent – the YouTube Cookie Consent .
GDPR – consent as an important criterion
The be-all and end-all of the GDPR regulations is the protection of personal data. In this context, a core element of the General Data Protection Regulation is that users must give their consent to data collection . This is regulated by Article 6 of the GDPR, which is entitled “Lawfulness of processing” :
“(1) Processing is lawful only if at least one of the following conditions is met:
GDPR § 6
a) the data subject has given their consent to the processing of their personal data for one or more specific purposes;
[…]”
This means – also for the integration of YouTube videos into your website – that the user’s consent is mandatory. This can be implemented via the classic cookie banner or a specific pop-up. In doing so, you enable the user to select the cookies they allow. This allowing is called consent. When it comes to selection, you should ideally offer the user who is viewing a linked YouTube video on your website three options to choose from:
- the consent to a collection of cookies that you as the operator of the website propose
- Consent only to those cookies that are necessary for the use of the website for legal and technical reasons or are mandatory
- the consent to cookies, which the user compiles in a user-defined manner
No matter which of the three variants the users of your website and the embedded YouTube videos choose: The YouTube cookies are legally secure and you have fully complied with the GDPR with the YouTube videos.
Stay up to date!
Subscribe to NewsletterUse video content – without consent?
Not a good idea! Legally, this is a grey area that puts you, as a provider of YouTube videos, at GDPR risk. You could display a cookie banner giving a general notice of cookie collection and then let users decide whether to continue browsing or not. However, such use of YouTube cookies is not legally compliant. It is important to get active consent from the user . And you should ensure this activity by requiring your website visitor to click a check mark in order to be able to use certain content. This is how you can make your YouTube offering GDPR compliant and protect yourself from warnings from competitors’ lawyers and consumer advocates as well as from the unpleasant penalties imposed by data protection authorities if you disregard the GDPR and BDSG/TDDDG (previously: TTDSG).
Many website operators also believe that using YouTube videos is GDPR compliant if users log out of their Google account. But this is anything but a recommendable strategy to make YouTube GDPR compliant. Firstly, the operator of the website cannot force the user to close the account. And secondly, enough YouTube cookies will still be collected. So logically opt for a clean strategy and a watertight YouTube cookie consent by users.
Consent to data storage is absolutely necessary, especially if you combine tracking by cookies with so-called extended data comparison .
Advanced data reconciliation – what is it exactly?
When it comes to the topic of YouTube and GDPR, the distinction between classic cookie collection and the use of YouTube cookies for a possible extended data comparison is particularly important. Advanced data matching means that website operators supplement the data collected by the YouTube cookies with data that they have already stored themselves, such as lists of customers. The data protection officers take a particularly critical view of this, because the more data is collected, the easier it is to draw conclusions about the people behind it . And that is exactly what the data protection regulations do not allow without consent when tracking with YouTube cookies. So: If you use YouTube cookies as part of an extended data comparison, the YouTube cookie consent must be implemented by the user, otherwise the use of YouTube will not be GDPR-compliant.
Double Click from Google – what is it and what does it mean for YouTube and GDPR?
YouTube belongs to Google LLC. and is therefore also subject to the data protection conditions of the US group. This also applies to its advertising platform. Double Click is Google’s advertising product and it involves extensive tracking of user data. In concrete terms, this means: If you use YouTube services by embedding YouTube videos in websites, the service from the USA combines this with comprehensive tracking of the users who use such offers . Of course, you also have to implement the data protection regulations if you use Facebook Pixel, for example. But if you use YouTube and thus indirectly also Google, data protection measures are particularly relevant. So: Make the integration of videos from YouTube GDPR compliant!
Below you will find some tips on how to professionally implement YouTube Cookie Consent and make YouTube GDPR compliant. Specialists for YouTube and GDPR are consent management providers such as consentmanager .
1. Privacy Policy and Data Protection Officer
The solid data protection declaration is the be-all and end-all of a professional and data protection-compliant website. In this context, you can also refer to the services of Google and its link to the tracking of embedded YouTube videos. You can also describe that every user can make their own contribution to their own data protection, for example by objecting to Google’s tracking measures or by making the appropriate settings in their Google account. Also name the data protection officer who is responsible for your company’s website. You can name this internally or order it externally.
2. Obtain consent from users
The user’s consent to data-sensitive actions is also indispensable for the data protection-compliant website and its use. Use cookie banners that allow users to choose different options. This selection, i.e. deliberately clicking on an option, makes the decisive difference as to whether a YouTube cookie consent is given or not. In plain language: If the user decides to tick a certain box and thus select a special option for the cookies, this means a traceable and verifiable activity that the provisions on YouTube and GDPR have been fully complied with by you. You thus create the basis that your website cannot be attacked by data protection officers and competitors.
3. Use extensible data protection mode
Embedding a YouTube video in your website is easy, even for the layperson. Thats how it works:
- select appropriate video
- press the “Share” button
- select the “Embed” option
- Use the “Show more” option
- select the “extended data protection” mode
- Check the generated link
In contrast to the classic link for embedding, a special link is created: If the link appears with the URL www.youtube-nocookie.com, you can be more certain that YouTube cookies are used in accordance with the GDPR and that you are acting legally in accordance with data protection regulations. (Important: Consent to embed YouTube is still required!)
4. Use consentmanager Dynamic Content Blocking
If you use consentmanager as a cookie banner on your website, we can automatically block the YouTube video and display a preview image instead. If the user has not yet approved YouTube, he is protected and at the same time sees what he could see at this point (ie a preview of the YouTube video) together with the possibility to explicitly activate this video.
Do the test: If you have not yet consented to YouTube on our website, you should now see the preview here:
If you have already agreed to YouTube on our website, proceed as follows: Click on the consentmanager icon at the bottom left to access the cookie settings, deselect YouTube and save. Then let the page reload.
5. Check alternatives
Sometimes it is not absolutely necessary that it is a YouTube video that needs to be embedded in a website. Videos can also be entered with classic HTML
frequently asked Questions
Not sure if you need a CMP?
To help you with things like GDPR, CMP and consent, we’ve rounded up the most common questions here.
We are very familiar with YouTube and cookies, or YouTube and GDPR, both technically and legally. We are the partner with whom you can legally integrate videos from YouTube into your website with Cookie Consent.
Not necessarily, because they have the same data protection problems . Methods that improve data protection on Vimeo are usually also suitable for more data protection on YouTube.
Some companies have this consideration because they do not want to violate data protection. But YouTube videos are efficient : integrated into the website, they offer users attractive added value, and the integration of YouTube can be implemented in a GDPR-compatible manner.
YouTube cookies are a form of tracking. However, not all tracking is prohibited. There is also tracking that is acceptable under data protection law with the consent of the user concerned – the so-called YouTube Cookie Consent. With this consent, data collection through tracking when using YouTube videos is implemented in compliance with the GDPR.
The European Union’s General Data Protection Regulation applies to anyone who collects, stores and processes the data of individuals. It applies to companies as well as to all other institutions that do this. In particular, the regulations of the GDPR are relevant for the automatic data collection and tracking of users in the modern online area.
Please note that we cannot provide legal advice. Some points of this FAQ may also change over time or be interpreted differently by courts. That’s why you should always consult your lawyer!