Embedding a YouTube video on your own (WordPress) website seems so simple: copy the video embed code from YouTube and paste it into the website – that’s it. Unfortunately, it sounds too good to be true, because it’s not quite that simple. At least if you care about the data protection compliance of your website and want to avoid fines.
Therefore, in this article we explain how you can integrate any YouTube video into your website in a GDPR-compliant way. And it’s quick and easy!
What is YouTube?
The question of what YouTube actually is is one that is probably not asked very often in the age of social networks. After all, the video portal founded in 2005 is still one of the most used social networks today (as of January 2022) – despite being founded later than its competitor Vimeo.
YouTube is owned by the US company YouTube, LLC, which is now a subsidiary of the tech giant Google LLC.
The Californian video portal can be enjoyed both as a consumer and as a producer. In other words, you can watch videos or produce them. In the meantime, there is even the possibility of carrying out live streams on YouTube in order to interact even more intensively with viewers.
In addition to the entertainment factor, which has made YouTube the star in the social media sky that it is today, a second incentive – the monetary one – was added for producers (creators). Because with the help of YouTube, both creators and companies can generate high revenues through targeted advertising placements.
Thus, the income from YouTube videos can quickly run into the thousands – provided you play high up in the league.
Is YouTube compliant with the GDPR?
As already explained, YouTube belongs to Google. And the fact that Google is a data octopus is nothing new. But even if YouTube did not belong to Google, integrating a YouTube video into your website would be problematic without further precautions. That’s because the company is based in sunny California, in the US. And this is where it starts to get problematic…
Since the overturning of the Privacy Shield, the USA has been regarded by the ECJ as an insecure third country with an inadequate level of data protection.
This means that special care must be taken when transferring personal data to the US. Not least, a website operator was convicted in court over the use of Google Fonts and had to pay damages to the plaintiff.
YouTube videos are embedded by default using an iFrame. The video platform provides you with an individual embed code for each video. This can be copied and placed on the website. As a result, a preview image with a play button is displayed, which the website visitor can click on.
The problem here is that even before the button is clicked – when the page is loaded – Google’s DoubleClick tracking tool is automatically loaded. The tool not only collects personal data of your website visitors, but can also track them across websites.
DoubleClick helps Google, for example, to analyse the click behaviour and views of your visitors. This can then be used to display targeted advertising (on YouTube).
This is anything but in the spirit of data protection.
YouTube and data protection (legal basis within the EU)
If you want to integrate a YouTube video into your website, you should not do this without further ado. As already explained, personal data is transferred and cookies are set when the page is loaded – without the video even being clicked on. Google can then use the data collected in this way for its own advertising purposes and/or pass it on to third parties.
At least from the EU’s point of view, this is a serious breach of data protection, because the collection, storage and processing of personal data is normally only permitted with the opt-in consent of the person concerned. And it gets even juicier when the USA is involved as the recipient country of the data.
Such opt-in consent is always required if the service or cookie is not essential. Brief clarification: If your website functions without this service or cookie, then it is not essential. If the basic functionality of your website would be negatively affected without it, then it is essential.
- Essential: Cookie of the login area of a website
- Non-essential: Google Maps, Vimeo, Google Fonts, Google Analytics
YouTube sometimes sets cookies for marketing purposes. Consequently, YouTube is not an essential service, as your website would function without the integration of a YouTube video. You therefore need the consent of your visitors.
If you do not comply with this, you could face heavy fines in the worst case.
How to embed a YouTube video in a GDPR-compliant way
If you’re looking for ways to integrate a YouTube video into your WordPress website in the most privacy-compliant way possible, rather than simply linking to it, you’re likely to come across a number of ways. We will take a closer look at two of them below.
Advanced privacy settings in YouTube
YouTube itself allows you to make privacy-friendly settings in the YouTube integration. To do this, proceed as follows:
- Open the YouTube video you want to include on your website.
- Click on Share > Embed.
- Now you will see the embed code. Scroll down a little to Enable privacy-enhanced mode. Here you set a check mark so that these settings are applied. According to YouTube, this setting does not store any information about visitors unless they watch the video.
If you now embed the YouTube video in your website, the connection is established to the domain youtube-nocookie.com instead of youtube.com. As the name suggests, the new domain does not set a cookie when the corresponding page is loaded. Instead, YouTube uses local storage in the visitor’s browser to store the device identifier. However, this does not solve the data protection problem:
- Personal data such as the IP address will continue to be transmitted, for which you require consent in accordance with the GDPR.
- Whether HTTP cookies or local storage entries, both require consent in terms of the ePrivacy Directive.
- Data can still be transferred to the Google server – albeit less.
A far more beginner- and privacy-friendly alternative is the Consent Plugin Real Cookie Banner.
To enable you to embed YouTube videos in your WordPress website in a GDPR-compliant manner, Real Cookie Banner provides you with a content blocker function linked to opt-in consent. The content blockers contained in Real Cookie Banner ensure that content (such as YouTube videos), iFrames and scripts are blocked until the website visitor has given their consent for the display/playout. This can be done when the website is first accessed and separately for each video.
This could then look like this:
Text Content Blocker
You can change the description text of your content blocker as you wish, for example, to give your visitors even more information about the content blocked until they give their consent. Of course, this does not change the functionality of the content blocker 😉.
Hero Content Blocker
The Hero Content Blocker looks almost like a real YouTube video, but it neither transmits personal data to YouTube nor sets cookies. When you click on the play button, the visitor to your website is asked whether he or she wants to allow the YouTube video to load and thus consents to the necessary data processing.
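The click-to-load mechanism behind such a blocker, combined with the privacy-enhanced domain from the previous section, can be sketched as follows. This is an added example, not Real Cookie Banner's code and not part of the original article; the `data-yt-id` attribute, the function names and the consent prompt are assumptions.

```javascript
// Added example: click-to-load YouTube embed. The attribute name data-yt-id,
// the function names and the consent prompt are assumptions of this sketch.

const SAFE_ID = /^[A-Za-z0-9_-]+$/; // reject anything that could alter the URL

function embedUrl(videoId) {
  if (!SAFE_ID.test(videoId || "")) throw new Error("invalid video id");
  // Privacy-enhanced host; autoplay=1 because the visitor has already clicked.
  return "https://www.youtube-nocookie.com/embed/" + videoId + "?autoplay=1";
}

// Swap the local placeholder for the real iframe. Only at this point does
// the browser open a connection to a Google server.
function loadVideo(placeholder, doc) {
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("src", embedUrl(placeholder.getAttribute("data-yt-id")));
  iframe.setAttribute("allow", "autoplay; encrypted-media; picture-in-picture");
  iframe.setAttribute("allowfullscreen", "");
  iframe.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
  placeholder.replaceChildren(iframe);
  return iframe;
}

// Attach click handlers to every placeholder; returns how many were found.
function wireBlockers(doc, askConsent) {
  let granted = false; // kept in memory only, nothing is written to the device
  const placeholders = Array.from(doc.querySelectorAll("[data-yt-id]"));
  for (const el of placeholders) {
    el.addEventListener("click", () => {
      granted = granted || askConsent("Load this video from YouTube? " +
        "Your IP address and other data will be sent to Google.");
      if (granted) loadVideo(el, doc);
    });
  }
  return placeholders.length;
}

// Browser usage with constructed markup; the poster image is served locally:
//   <div data-yt-id="VIDEO_ID"><img src="/img/poster.jpg" alt=""> Play</div>
if (typeof document !== "undefined") {
  wireBlockers(document, (msg) => window.confirm(msg));
}
```

The preview image must come from your own server; a thumbnail hot-linked from a Google host would trigger a request on page load and defeat the blocker.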
You can easily find the content blockers in the templates that have already been created. You can use these and don’t have to worry about legal and technical research work.
Another advantage of Real Cookie Banner is that, in contrast to e.g. WP YouTube Lyte, the plugin can block not only YouTube but also other services, e.g. embedded content from Vimeo or Instagram via iFrame. So you kill several birds with one stone 😉
In addition, you can document all the consents of your visitors in Real Cookie Banner to be able to prove them in case of a legal dispute.