javascript - GDPR: youtube-nocookie embedded URL's, need visitors' permission? - Stack Overflow

admin管理员组

文章数量:1279212

This is my first time posting on Stack Overflow and I have a question about the GDPR.

Hi there! (This is ment to be on top of the post, but for some reason it gets deleted when I save it)

Situation:

On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube video's on the website, which usually places tracking cookies.

After some research I stumpled upon the youtube-nocookie domain, which I am using now. Without using that domain, an embedded video url will be:

With using it, it is:

By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: under 'Turn on privacy-enhanced mode'). However, there will still be placed some cookies, and it is not clear for me if visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).

Image of the cookies:

Image of cookies youtube-nocookies places

This is in Chrome. The cookies from the gstatic domain are placed on page-load for some reason. That doesn't happen in Opera.

Another weird thing is that FireFox (with allowing all cookies and trackers) and Edge don't seem to place any of the 6 cookies from the image at all.

Many sites and blogs say that this is the way to embed YouTube video's, but I can't seem to find a clear answer to the question if you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube video's and the corresponding cookies will be happily placed without my consent.

Has anybody delt with this before?

Thanks in advance!

This is my first time posting on Stack Overflow and I have a question about the GDPR.

Hi there! (This is ment to be on top of the post, but for some reason it gets deleted when I save it)

Situation:

On my website I don't want to bother visitors with cookie notifications, so the goal is to only place necessary cookies. However, there will be embedded YouTube video's on the website, which usually places tracking cookies.

After some research I stumpled upon the youtube-nocookie. domain, which I am using now. Without using that domain, an embedded video url will be:

https://www.youtube./embed/7cjVj1ZyzyE

With using it, it is:

https://www.youtube-nocookie./embed/7cjVj1ZyzyE

By using the latter, cookies will only be placed after playing the video, and no tracking cookies will be placed (according to Google: https://support.google./youtube/answer/171780?hl=en under 'Turn on privacy-enhanced mode'). However, there will still be placed some cookies, and it is not clear for me if visitors will need to give permission for those, and if so, under what category (and maybe they are still tracking?).

Image of the cookies:

Image of cookies youtube-nocookies. places

This is in Chrome. The cookies from the gstatic domain are placed on page-load for some reason. That doesn't happen in Opera.

Another weird thing is that FireFox (with allowing all cookies and trackers) and Edge don't seem to place any of the 6 cookies from the image at all.

Many sites and blogs say that this is the way to embed YouTube video's, but I can't seem to find a clear answer to the question if you still need visitors' permission for these cookies. Also on many sites where I only accept necessary cookies, I still have the possibility to view YouTube video's and the corresponding cookies will be happily placed without my consent.

Has anybody delt with this before?

Thanks in advance!

• javascript
• cookies
• iframe
• youtube

Share Improve this question Follow edited May 20, 2020 at 14:00 Henk asked May 19, 2020 at 9:29 HenkHenk 19111 silver badge1010 bronze badges

Add a ment  | 

2 Answers 2

Sorted by: Reset to default 7

After some more research I think I found a clear answer. From a report of Cookiebot:

“Privacy-Enhanced Mode” currently stores an identifier named “yt-remote-device-id” in the web browser’s “Local Storage”. This allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims. Rather than disabling tracking, “privacyenhanced mode” seems to cover it up.

Source: https://www.cookiebot./media/1136/cookiebot-report-2019-ad-tech-surveillance-2.pdf

The 'yt-remote-device-id' indentifier, along with some other ones, are, even with the use of the youtube-nocookie. domain (or 'Privacy Enhanced Mode'), still being placed on page load (given that the iframe with the set source is already part of the DOM at this point of course).

So while no tracking 'cookies' cookies are placed, the tracking has moved to the browsers localStorage (I overlooked this before), which basically means visitors actually do need to give permission before embedded YouTube video's with Privacy Enhanced Mode enabled should be loaded on the page.

Update

Gave some nuance in response to Marc Hjorth's ment.

i can confirm that the localStorage entry effectively replaces the funktion of the cookie. it is persistent and makes you identifiable across browser sessions. i get the same "yt-remote-device-id" value each time after restarts. only erasing the local storage makes a difference.

本文标签： javascriptGDPR youtubenocookie embedded URL39sneed visitors39 permissionStack Overflow