Embedding YouTube videos on websites possible in a data protection compliant manner?

YouTube videos can be embedded into websites via a script. This is problematic from a data protection perspective, because numerous data collections take place as soon as this script is loaded. The damage has thus already been done even without the actual video being played.

According to YouTube Terms of Service, the service is provided by YouTube LLC, USA. As a result, it already falls under the consent requirement due to data transfer into an insecure third country in accordance with Article 44 GDPR (see ECJ ruling on Privacy Shield and the Cloud Act). Ignoring this does not make things better:

According to Google's terms of use, consent must be obtained for embedded services like YouTube for the following activities ([1]) ([2]):

the use of cookies or other forms of local storage of information, insofar as obtaining consent for this is required by law; and the collection, disclosure and use of personal data for the personalization of advertisements.

Reference: https://www.google.com/about/company/user-consent-policy/

Embedding YouTube videos without the enhanced data protection settings is not considered further in this article, because cookies requiring consent are used in that case. The Google Group's own terms of use demand consent, especially because of these cookies. The ePrivacy Directive also demands consent, and it constitutes binding regulation for Germany, as the BGH decided in a ruling in 2020. The German regulation has been made concrete by § 25 TTDSG since December 2021. Since May 2024, the TDDDG has applied instead of the TTDSG; its wording is, however, identical.

When embedding videos with the extended privacy settings activated (youtube-nocookie.com), the following happens:

  • Scripts and other files are loaded from the domains youtube-nocookie.com, ytimg.com, and ggpht.com
  • Google Fonts are loaded from the domain gstatic.com ([1])
  • The DoubleClick Tracker is loaded from the domain doubleclick.net ([1])
  • A few seconds after the page (or the video?) has loaded, YouTube sends data to Google (example: target address: https://www.youtube-nocookie.com/youtubei/v1/log_event?alt=json&key=xxxaSyAO_xxxlqU8Q4STEHLGCilw_Y9_11xxxx, content: {"context":{"client":{"hl":"de","gl":"DE","clientName":50,"clientVersion":"20201110"}},"events":[{"eventTimeMs":1606215721310,"visualElementHidden":{"csn":"T-i8X5q6xxxxx_AP_bSxxxx","ve":{"veType":11123},"eventType":12},"context":{"lastActivityMs":"262"}},{"eventTimeMs":1316245761311,"screenCreated":{"csn":"MCxxxxE3OTAwNzc1NTMzxxxxODY.","pageVe":{"veType":12421},"implicitGesture":{"parentCsn":"T-ixxxx6CNiWx_AP_bS68yy","gesturedVe":{"veType":12211}}},"context":{"lastActivityMs":"263"}},{"eventTimeMs":1102345661336,"foregroundHeartbeatScreenAssociated":{"clientDocumentNonce":"tV2_xxxx-TExxxxs","clientScreenNonce":"MC4wNxxxxTAwNzc1NTxxxxcyxxx."},"context":{"lastActivityMs":"288"}}],"requestTimeMs":"1111111111142","serializedClientEventId":{"serializedEventId":"A-xxxxq6Cxxxx_AP_bSxxxx","clientCounter":"1"}})
  • DoubleClick sends – apparently with or without user action, or possibly already after movements with the mouse pointer – data at irregular intervals to Google
  • Despite the nocookie domain, a cookie named CONSENT is set, even if no video is played. This cookie is not necessary in itself and therefore requires consent.

These comprehensive data collections are clearly not justified by a legitimate interest. Therefore, processing without consent is not lawful. See Art. 6 GDPR (Legal bases) in conjunction with Art. 5 GDPR (Data minimization), Art. 25 GDPR (Data protection by design) and Art. 32 GDPR (Security of processing). The cookie named CONSENT is also not consent-free, as § 25 TTDSG reveals.
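
The requests listed above can be checked against a capture of a page's network traffic (for example the URLs exported from the browser's network tab before any click). The following is an added example, not code from the original article; the function names, the first-party host example.org and the sample URLs are constructed for illustration.

```javascript
// Domains the article names, with the role it attributes to each.
const GOOGLE_DOMAINS = {
  "youtube-nocookie.com": "player scripts and log_event telemetry",
  "youtube.com": "third-party cookies (embed with cookies)",
  "ytimg.com": "scripts and other files",
  "ggpht.com": "scripts and other files",
  "gstatic.com": "Google Fonts",
  "doubleclick.net": "DoubleClick tracker",
  "googlevideo.com": "video data once playback starts",
};

// True if host is the domain itself or a subdomain (rejects look-alikes).
function belongsTo(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// One finding per listed domain contacted; first-party requests are ignored.
function auditRequests(firstPartyHost, urls) {
  const findings = new Map();
  for (const raw of urls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip non-absolute URLs
    const host = url.hostname.toLowerCase();
    if (belongsTo(host, firstPartyHost)) continue;
    const domain = Object.keys(GOOGLE_DOMAINS).find((d) => belongsTo(host, d));
    if (!domain) continue;
    const f = findings.get(domain) ||
      { domain, role: GOOGLE_DOMAINS[domain], requests: 0, telemetry: false };
    f.requests += 1;
    if (url.pathname.endsWith("/log_event")) f.telemetry = true;
    findings.set(domain, f);
  }
  return [...findings.values()];
}

// Constructed sample: URLs requested after page load, before any click.
const sampleRequests = [
  "https://example.org/index.html",
  "https://www.youtube-nocookie.com/embed/VIDEO_ID",
  "https://www.youtube-nocookie.com/youtubei/v1/log_event?alt=json",
  "https://i.ytimg.com/vi/VIDEO_ID/hqdefault.jpg",
  "https://fonts.gstatic.com/s/example/font.woff2",
  "https://googleads.g.doubleclick.net/pagead/id",
  "https://notyoutube.com/embed/x", // look-alike, must not match
];

console.log(auditRequests("example.org", sampleRequests));
```

Any finding in a capture taken before the visitor has given consent corresponds to one of the transfers described in the list above.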

When YouTube videos are embedded with cookies, they set several third-party cookies from the domain youtube.com (with a longer lifespan) and are therefore subject to consent requirements. This follows from Article 5, Paragraph 3 of the ePrivacy Directive alone, which essentially also applies to Germany, as the BGH has established.

Google generally makes this clear in its privacy policy:

"We collect data […] such as […] YouTube videos that you find interesting." and "If you are signed in to a Google Account, we also collect data that we store in your Google Account and consider to be personal data"

So personal data is always processed when a website embeds a YouTube video and the visitor of the website is logged in with their Google Account. Since the operator of the website cannot force the visitor to log out of their Google Account beforehand, consent must always be obtained!

Conclusion from a GDPR perspective and under the Google terms of use:

YouTube videos, even without using cookies, require consent before being embedded into a webpage via a YouTube script.

Embed YouTube video via IFRAME

I have only looked at this case briefly so far, as the differences to script integration only recently became clear to me. I will go into this in more detail here soon. So much for now:

YouTube videos can apparently be embedded via an IFRAME in a more data protection-friendly way than via a YouTube script. When the address youtube-nocookie.com is used, some data transfers take place when loading the IFRAME, but they only go to the aforementioned address. Many transfers still take place here, but not to other addresses. Nevertheless, there are also tracking events after the IFRAME has loaded without the user clicking anything. These even occur repeatedly (periodically?).

Cookies are also transferred, even with the no-cookie setting. A cookie named CONSENT is transferred with a value of PENDING+107 (or something like that). In local storage, numerous other values are saved:

[Screenshot: LocalStorage entries created by YouTube (with the setting "without cookies"), which are also equivalent to cookies. The values are cut off in the screenshot.]

In addition to LocalStorage, Session Storage is also used extensively, as well as Indexed DB. I have taken these storage designations from the Firefox Developer Console, which can be opened by pressing F12. In the Web Storage folder, the aforementioned storages are visible.

The LocalStorage is also a cookie storage! The word Cookie is not even mentioned in the ePrivacy Directive. Instead, it talks about information stored on the user's device. So, the ePrivacy Directive also applies to LocalStorage in Germany!

If the video is then played, further data transfers follow to the address googlevideo.com.

All in all, this is still far from privacy-friendly, but better than integration via a script.

Alternatives for YouTube videos

Vimeo videos are not a good alternative to YouTube videos because they also create data protection problems. Here is a selection of data protection-friendly options for embedding videos on your own website ([1]):

  • Standard HTML, see for example my article on Google Tag Manager and the video embedded there. Works best when the video is not too large. Modern server capacities and network quotas are sufficient for self-hosting smaller videos on most websites.
  • Preview image with link to video platform.
  • No video at all: Often the benefit of videos is questionable, so why not simply remove them, especially when they are from third parties?
  • Other video platforms (it's worth looking at platforms like Peertube that are associated with the Fediverse)
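
The "preview image with link" option can be generated from an existing embed URL. The following is an added example, not code from the original article; the function names, the poster path and the sample video ID are hypothetical, and the 11-character ID pattern is an assumption about YouTube's ID format.

```javascript
// Hosts accepted as YouTube addresses (a leading "www." is stripped first).
const YT_HOSTS = ["youtube.com", "youtube-nocookie.com", "youtu.be"];

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Extracts the video ID from embed, watch or short URLs; null if not YouTube.
function videoIdFrom(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  const host = u.hostname.toLowerCase().replace(/^www\./, "");
  if (!YT_HOSTS.includes(host)) return null;
  let id = null;
  if (host === "youtu.be") id = u.pathname.slice(1);
  else if (u.pathname.startsWith("/embed/")) id = u.pathname.split("/")[2];
  else if (u.pathname === "/watch") id = u.searchParams.get("v");
  // Assumption: video IDs are 11 characters from [A-Za-z0-9_-].
  return id && /^[A-Za-z0-9_-]{11}$/.test(id) ? id : null;
}

// Builds markup that causes no request to Google until the visitor clicks.
// posterPath must be an image on the site's own server, not ytimg.com.
function previewLink(embedUrl, posterPath, title) {
  const id = videoIdFrom(embedUrl);
  if (!id) throw new Error("not a recognised YouTube URL: " + embedUrl);
  if (/^(https?:)?\/\//i.test(posterPath)) {
    throw new Error("poster must be a local path, not a remote URL");
  }
  return (
    `<a href="https://www.youtube.com/watch?v=${id}" target="_blank" ` +
    `rel="noopener noreferrer">` +
    `<img src="${escapeHtml(posterPath)}" alt="${escapeHtml(title)}" loading="lazy">` +
    `</a>`
  );
}

// Constructed sample input.
console.log(previewLink("https://www.youtube-nocookie.com/embed/abcdefghijk",
  "/media/posters/intro.jpg", 'Intro "video"'));
```

Because the poster is served from the site itself and the link is only followed on a click, loading the page triggers none of the requests described earlier; `noreferrer` additionally keeps the referring page address out of the request to YouTube.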

Uploaded videos

If you absolutely wish to upload a video to YouTube, regardless of whether it is to be integrated into a website or not, you have the right to have the video released.

There is a decision by the Higher Regional Court (OLG) Dresden from 29 June 2021, case no. 4 W 396/21. The court imposed an administrative fine of €100,000 on Google Ireland Ltd. due to the delayed release of a video. The video contained information on Corona. Previously, a court had ordered Google to release the video. Google did not comply and claimed it would first check precisely for itself whether the video should be released.

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.