Vimeo videos are a theoretical Alternative for YouTube videos, which every website owner thinks of when they want to embed a video. From a data protection perspective, Vimeo videos are not an alternative but similarly data-hostile as YouTube videos.
For YouTube videos, consent is required before the video script can be loaded. We are not talking here about playing the video, but about loading the script that will enable the video to be played later.
A Vimeo video can, for example, be embedded with the following code:
<iframe src="https://player.vimeo.com/video/471147124713?dnt=1&title=0&byline=0&portrait=0" width="760" height="428" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen>
The text in bold is the video number, which is only given here as an example.
The parameter dnt stands for Do not track, which is a data protection-friendly version of Vimeo videos. What happens now after inserting the code mentioned above? At least, according to my tests, no cookies are set, but loading processes do occur:
- The video script is loaded from the domain player.vimeo.com.
- This script loads a mini-preview image from i.vimeocdn.com, called Thumbnail.
- Furthermore, a (apparently localized, i.e. language-dependent) player is loaded in the form of a script and a layout file (CSS). The domain is the same as before.
- Finally, a larger preview image is loaded from i.vimeocdn.com.
When the video is played now, the video data will be reloaded in segments. This happens via a connection to the domain akamaized.net or one of its subdomains, which has different names for reasons of load distribution.
According to Vimeo's website, the provider is Vimeo Inc., located in America. Due to the invalidity of Privacy Shield and the fact that the USA is an insecure third country, a consent obligation is given before loading the Vimeo Video Scripts. See also Cloud Act, EO12333 and FISA
Aside from that, it seems questionable that three domains are involved in a single video: vimeo.com, vimeocdn.com and akamaized.net
A WHOIS query from akamaized.net shows that the Registrant is the company Akamai Technologies, INC. based in the USA. When playing the video, therefore, two companies are involved. As can be read following, it appears that Vimeo uses the company Akamai to enable smoother playback of videos via a CDN. ([1])
It is also possible to watch videos directly on the Vimeo video platform. According to my research, even more critical data collection takes place here than when embedding Vimeo videos in your own website. On the Vimeo video platform, for example, Google Analytics is loaded with cookies but without consent. This is illegal.
Instead of embedding Vimeo videos, videos should be embedded locally. If the Vimeo video platform is used, then at most without Branding, so that the video view does not fall into your responsibility. Alternatively, a suitable preview image with link to the video platform can be embedded instead of a video. Those who want to embed videos directly must search for a data protection compliant provider. Instead of using user data, money will probably have to be paid then.
In the meantime, I have investigated a privacy-friendly option for video plugins that is practicable and incurs virtually no costs (apart from web hosting, which has to be available anyway):
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
