YouTube

YouTube

YouTube is Google's video platform, widely used to embed video content on external websites. The YouTube iframe player loads JavaScript that communicates with Google's servers for video playback, quality control, and ad serving. Embedded players may set cookies tied to the viewer's Google account to track watch history and personalize recommendations.

Google
Part of Google
Back to Vendor Library

Overview

YouTube is Google's video platform, used by billions of users worldwide. On third-party websites, YouTube appears primarily through the embedded iframe player (youtube.com/embed/{videoId}), which loads JavaScript that communicates with Google's servers for video playback, recommendations, and advertising. Google uses YouTube embeds on third-party sites as a touchpoint for collecting behavioral data and matching it to Google Account profiles for advertising purposes.

What This Script Does

YouTube Iframe API

When the YouTube iframe player is embedded, it loads the YouTube IFrame Player API from www.youtube.com/iframe_api. This JavaScript library enables programmatic control of the player (play, pause, seek) and fires events (onReady, onStateChange) that host pages can subscribe to. Even without the IFrame API, the standard <iframe> embed triggers multiple network requests to YouTube and Google domains.

Privacy-Enhanced Mode

YouTube offers a privacy-enhanced embed domain (youtube-nocookie.com). This variant does not set cookies until the user actively interacts with the video. It is the recommended embed method for GDPR-compliant deployments where consent has not yet been obtained. Note: YouTube still makes network requests to Google's infrastructure even in privacy-enhanced mode.

Cookies Set

Standard YouTube embed (youtube.com):

  • VISITOR_INFO1_LIVE — Third-party persistent cookie on youtube.com. Stores a visitor identifier used to estimate audience size and track video interactions. Duration: 6 months.
  • YSC — Third-party session cookie on youtube.com. Tracks YouTube video interactions within a session. Duration: session.
  • PREF — Third-party persistent cookie on youtube.com. Stores preferences including video quality and playback speed. Duration: 2 years.
  • GPS — Third-party session cookie on youtube.com. Mobile device location-based recommendation data. Duration: 30 minutes.

Privacy-enhanced embed (youtube-nocookie.com): No cookies set until user interaction.

Domains Contacted

  • www.youtube.com / youtube-nocookie.com — Serves the player iframe and IFrame API.
  • i.ytimg.com — Thumbnail and image CDN.
  • yt3.ggpht.com — Channel artwork CDN.
  • googlevideo.com — Video stream delivery via adaptive bitrate.
  • doubleclick.net — Ad serving for monetized YouTube videos embedded on third-party sites.
  • google.com / google-analytics.com — Google's analytics infrastructure triggered by the embed.

Data Collected Per Interaction

  • Video ID watched and duration of watch time
  • Play, pause, seek, and completion events
  • Page URL where the video is embedded
  • Browser user-agent, screen resolution, and network type
  • IP address for geolocation
  • Google Account identity when the visitor is signed into a Google service
  • Ad impressions and ad interactions on monetized videos
  • Search and recommendation interaction if the player's suggested video feature is enabled

Consent & Compliance

GDPR / ePrivacy: Standard YouTube embeds set third-party cookies and transmit data to Google's advertising infrastructure (DoubleClick). Multiple EU DPAs have ruled that standard YouTube embeds require prior consent under the ePrivacy Directive. The German Conference of Independent Data Protection Authorities (DSK) published guidance that YouTube embeds constitute third-party tracking. Using the youtube-nocookie.com domain for embeds mitigates the cookie issue but does not fully eliminate network requests to Google. For full compliance, load YouTube iframes only after consent, or use a facade/poster that activates the embed on user click.

CCPA / CPRA: Google/YouTube's data collection across third-party sites through the player constitutes sharing of personal information for advertising. Operators must disclose YouTube in their CCPA privacy notice.

EU-US Data Privacy Framework: Google is certified under the EU-US DPF. Standard Contractual Clauses are also available via Google's DPA.

Consent Category: Functional (for video playback) / Marketing (for advertising tracking via DoubleClick when embedded on third-party sites).

Should You Block This Without Consent?

Conditional. Use youtube-nocookie.com for all embeds to minimize tracking before user interaction. Standard youtube.com embeds must be blocked until consent is obtained due to the third-party cookies set on page load. Even with the nocookie domain, a best practice is to show a video facade (thumbnail image with play button) and only load the actual iframe when the user clicks play, eliminating any pre-consent network requests to Google.

Visit website

Consent Categories

Functional

Also Known As

YouTube embedYouTube iframeYouTube cookie GDPRgoogle.com/recaptchaYouTube advertising cookieyoutube-nocookie.comYSC cookie

Industries

Computers Electronics and Technology

Tracked Domains (3)

youtube.comFunctional
youtube-nocookie.comFunctional
youtu.beFunctional

Frequently Asked Questions

Do I need consent to embed YouTube videos?

Conditional. Standard youtube.com embeds set third-party cookies on page load and require consent. Use youtube-nocookie.com to defer cookies until playback. Multiple EU DPAs have ruled standard YouTube embeds require prior consent.

What cookies does a YouTube embed set?

Standard embeds set VISITOR_INFO1_LIVE (6-month visitor ID), YSC (session tracking), PREF (2-year preferences), and GPS (30-min location). The youtube-nocookie.com domain defers all cookies until the visitor clicks play.

How does ConsentStack categorize YouTube?

ConsentStack classifies YouTube as functional. It recommends the youtube-nocookie.com embed domain and a click-to-load facade. Standard youtube.com iframes are blocked until functional consent is granted to prevent pre-consent cookie drops.

Other Google Products

Firebase
Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google Ads
Google Ads
Google Ads is Google's advertising platform for search, display, and remarketing campaigns. Conversion tracking scripts fire on advertiser landing pages to measure actions taken after ad clicks. The remarketing tag builds audience lists for retargeting users across Google's ad network.
Google Analytics
Google Analytics
Google Analytics is the world's most widely deployed web analytics platform. Scripts track page views, sessions, user demographics, traffic sources, and conversion events. Drops cookies to identify returning visitors and attribute user journeys across sessions.
Google Fonts
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Tag Manager
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
reCAPTCHA
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
YouTube Player
YouTube Player
YouTube Player embeds YouTube videos on external websites via iframe. Scripts load from Google's servers and set cookies for video playback preferences, watch history, and ad targeting. Cookies are dropped even when visitors only view the embed without interacting with the player.

Related Vendors

Google Maps
Google Maps
Google Maps is the dominant web mapping service used for embedded maps and location features on websites. Scripts load interactive map tiles, geocoding, and Places API functionality through the Maps JavaScript API. May set cookies to remember map preferences and manage API quota.
Google Search
Google Search
Google Search appears on websites through the Programmable Search Engine, enabling custom site-specific search functionality. Scripts load the search widget from Google's servers to render search bars and display results within the host website. Sends search queries to Google's index and may set cookies for search personalization and query history.
Google
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Microsoft Teams
Microsoft Teams
Microsoft Teams is a workplace communication and collaboration platform that can be embedded on websites for chat, meetings, and document sharing. Embedded widgets load from Microsoft's servers to enable real-time messaging, video calls, and file collaboration. Sets authentication and session cookies to verify participant identity and maintain connection state.
Apple Maps JS
Apple Maps JS
Apple Maps JS is Apple's JavaScript mapping framework for embedding interactive maps on websites. Scripts load map tiles, location pins, and routing data from Apple's MapKit servers to render navigable maps within web pages. Requires a MapKit JS token for authentication but does not set tracking cookies or collect behavioral analytics data.
Apple Business Chat
Apple Business Chat
Apple Business Chat enables direct customer messaging between websites and Apple's Messages app. Scripts load chat buttons and conversation interfaces that connect visitors to business support agents through iMessage. Sets minimal session cookies to maintain conversation context but does not track browsing behavior or collect analytics data.

Manage consent for YouTube

ConsentStack automatically detects and manages YouTube trackers so your site stays compliant with global privacy regulations.

Get started