youtube-nocookie.com: What It Actually Does

"Just use youtube-nocookie.com" is the advice you will find on dozens of GDPR guides. But what does it actually do? Does it live up to its name? And is it enough for compliance?

This article gives you the technical reality rather than the marketing claim.

If you want to check whether your site currently loads YouTube without consent, scan your website for free. The scanner flags third-party embeds that fire before any user interaction.

The Name Is Misleading

"youtube-nocookie.com" does not mean no cookies. It means cookies are not placed before the visitor plays the video. When someone clicks play, cookies are placed exactly as they would be with a standard youtube.com embed.

YouTube's own documentation calls this "privacy-enhanced mode", which is a more accurate description.

What Happens With Each Embed Type

Standard youtube.com embed

<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>

On page load (immediately):

• Browser connects to www.youtube.com
• YouTube sets cookies: VISITOR_INFO1_LIVE, YSC, GPS
• Visitor's IP address is sent to Google
• Tracking begins before any interaction

When visitor clicks play:

• Additional tracking data is sent
• View history is recorded to the visitor's profile (if logged into Google)

youtube-nocookie.com embed

<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>

On page load:

• Browser connects to www.youtube-nocookie.com (a different endpoint)
• No tracking cookies are placed
• The visitor's IP address is still sent to Google's server (to load the video player interface)
• No VISITOR_INFO1_LIVE, YSC, or GPS cookies

When visitor clicks play:

• YouTube sets cookies: VISITOR_INFO1_LIVE, YSC, GPS (same as standard embed)
• Viewing data is sent to Google
• Behaviour is tracked as normal from this point forward

The Thumbnail Problem

Even with youtube-nocookie.com, standard implementations load the video thumbnail from YouTube's servers:

<!-- Thumbnail URL format -->
<img src="https://i.ytimg.com/vi/VIDEO_ID/hqdefault.jpg">

Loading this image sends the visitor's IP address to i.ytimg.com (a Google-owned domain) before any interaction with the video. For maximum privacy, download and host thumbnails yourself.

Technical Analysis: What Gets Sent on Page Load

To test what happens on page load, open developer tools (F12 → Network tab) before loading a page with each embed type.

Standard youtube.com embed (before clicking play):

• Requests to: www.youtube.com, static.doubleclick.net, www.google.com
• Cookies set: VISITOR_INFO1_LIVE, YSC, GPS, NID, CONSENT

youtube-nocookie.com embed (before clicking play):

• Requests to: www.youtube-nocookie.com, i.ytimg.com (thumbnail)
• Cookies set: None (or only functional, non-tracking cookies)

The difference is significant, but not absolute. Some data (IP address, User-Agent) is still sent to Google to load the player interface, even without cookies.

What Data YouTube Actually Collects

It's worth being specific about what Google receives, because the categories matter for your GDPR legal basis analysis.

Data sent on page load (nocookie mode)

When a visitor lands on a page with a youtube-nocookie.com embed, Google's servers receive:

• The visitor's IP address (sent in the HTTP request header to load the player interface)
• Browser User-Agent string (browser type, version, operating system)
• The referring page URL (which page the embed is on)

These arrive before any click. IP addresses are personal data under GDPR Article 4(1), so processing them requires a valid legal basis under GDPR Article 6.

Local storage identifiers

Research has shown that YouTube's player writes a value called yt-remote-device-id to the browser's local storage. Local storage entries are not cookies, but they function as persistent identifiers. The Telecom Act (Telecommunicatiewet) in the Netherlands covers storage on the user's device broadly, so this can trigger the same consent requirement as a cookie.

Data sent when the visitor plays the video

Once the visitor clicks play, the full range of YouTube tracking kicks in:

• Cookies VISITOR_INFO1_LIVE, YSC and GPS are placed
• Viewing behaviour is sent to Google
• If the visitor is signed into a Google account, the view is added to their history

Cross-border transfer

Google's infrastructure may process data outside the EU. The EU-US Data Privacy Framework (in force since July 2023) covers this transfer if Google participates as a certified organisation. Embedding YouTube therefore introduces a third-country transfer that needs to appear in your privacy policy.

The Myth of "No Data Transfer"

Some resources claim youtube-nocookie.com means "no data is sent to Google." This is not correct. To load the video player, the browser makes HTTP requests to Google's servers. Google receives the visitor's IP address, User-Agent and referrer even in nocookie mode. They just do not set persistent tracking cookies in the visitor's browser on page load.

Whether IP address transfer without cookie placement satisfies GDPR depends on:

• Whether the IP address transfer constitutes personal data processing (yes, per GDPR Article 4(1))
• Whether there is a valid legal basis for this processing (GDPR Article 6)
• Whether the third-country transfer is documented in your privacy policy

Strictly interpreted, even the IP transfer to Google requires either consent or a legitimate interest assessment. In practice, most GDPR practitioners treat youtube-nocookie.com as a reasonable pragmatic approach for non-essential videos, combined with a clear privacy policy note.

What the AP Expects

The Autoriteit Persoonsgegevens (the Dutch data protection authority) has published guidance stating that tracking cookies require prior consent, without exceptions for third-party embeds. Their position is that consent must be freely given, specific and informed before tracking scripts fire.

The AP has sent warning letters to organisations that used tracking scripts without valid consent, and it actively scans websites to detect cookie banners that fail to meet requirements. A YouTube embed that fires tracking before consent is the kind of issue the AP's automated tooling is designed to catch.

For embedded third-party content, the AP's guidance points to two acceptable approaches:

1. Block the embed entirely until the visitor gives consent (click-to-load or a cookie barrier)
2. Use a privacy-enhanced embed and document the residual data transfer in your privacy policy, with a clear explanation that clicking play sends data to Google

The first option is the strongest. The second is a pragmatic middle ground that many Dutch businesses use for incidental video content.

How to Get Consent Before Loading the Embed

The cleanest way to handle YouTube embeds is a click-to-load facade. Instead of an iframe, you show a placeholder with the video thumbnail and a play button. The iframe only loads when the visitor clicks that button.

Here is a minimal example:

<!-- Click-to-load facade -->
<div class="video-facade" data-video-id="VIDEO_ID">
  <img
    src="/thumbnails/VIDEO_ID.jpg"
    alt="Video: [your title here]"
    loading="lazy"
  />
  <button type="button" onclick="loadVideo(this)">
    Play video (loads YouTube, sends data to Google)
  </button>
</div>

<script>
function loadVideo(btn) {
  var wrapper = btn.closest('.video-facade');
  var id = wrapper.dataset.videoId;
  var iframe = document.createElement('iframe');
  iframe.src = 'https://www.youtube-nocookie.com/embed/' + id + '?autoplay=1';
  iframe.allow = 'autoplay; encrypted-media';
  iframe.allowFullscreen = true;
  wrapper.replaceWith(iframe);
}
</script>

A few details to get right:

• Host the thumbnail yourself (download it from i.ytimg.com and serve it from your domain). This prevents the IP address transfer that happens when the browser fetches i.ytimg.com on page load.
• Use a self-hosted thumbnail so the button label can explain what happens when the visitor clicks ("loads YouTube, sends data to Google"). This meets the transparency requirement.
• Still point the iframe to youtube-nocookie.com, not youtube.com, so cookies are deferred until playback starts.

If you prefer a pre-built library, Paul Irish's lite-youtube-embed component implements this pattern and is widely used. It ships as a web component with no dependencies.

When youtube-nocookie.com Is Sufficient

In practice, youtube-nocookie.com is widely accepted as a reasonable approach for embedding videos when:

1. You use it alongside a privacy policy note explaining that YouTube is used and that clicking play sends data to Google
2. Your cookie banner handles the case where the visitor plays a video
3. The video is supplementary content, not the primary service your website provides

It is less defensible when:

• Video playback is core to your service (a video platform or training site)
• You serve audiences who have explicitly opted out of Google tracking
• You want zero data transfer to Google before any user action

Comparison: All YouTube Embedding Approaches

Practical Recommendation

For most Dutch business websites, the fastest improvement is to switch from standard youtube.com embeds to youtube-nocookie.com. This removes cookies on page load with a one-line change to each embed URL. Then add a note to your privacy policy explaining that YouTube is used and that playing a video sends data to Google.

If you're building a new site or rebuilding an existing one, implement click-to-load from the start. It's a slightly bigger investment but gives you a much cleaner compliance story: no data leaves the browser until the visitor makes an informed choice.

For more on Dutch cookie banner requirements, see our cookie banner rules guide.

If your website already has a compliant cookie banner that blocks tracking until consent, you can load standard YouTube embeds after the visitor consents to marketing or social cookies. But youtube-nocookie.com with click-to-load is still better practice, because it works correctly even when a visitor declines.

Not sure whether your site currently loads YouTube without consent? Run a free scan to find out.

---

This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.