Video embed marketing

Vimeo — consent fix

Vimeo embeds load outside GTM — as <iframe> directly in the HTML. Vimeo sets vuid (tracking cookie, 2 years) and Cloudflare cookies before consent is given. GTM trigger exceptions don't work here because there is no GTM tag to block.

Domains

  • vimeo.com
  • player.vimeo.com
  • vimeocdn.com
  • fresnel.vimeo.com

Cookies

  • vuid
  • __cf_bm
  • _cfuvid

By default, an embedded Vimeo video immediately sets the vuid cookie (which tracks visitors for up to 2 years) alongside various Cloudflare cookies. If this video loads on your website before a visitor accepts the cookie banner, you are sharing their IP address and viewing behaviour with Vimeo without consent.

This violates the GDPR, as marketing cookies may only be placed after explicit, active consent has been granted.

Why Vimeo loads too early

Videos are almost never loaded via Google Tag Manager (GTM). Instead, they are placed directly as an <iframe> in your website's HTML source code. Because of this, standard GTM exception triggers do not apply. As soon as the page loads, the video loads, and the cookies are set.

The Fix: Blocking the Vimeo iframe

Since we cannot use GTM to fix this, we must either modify the HTML of the video itself or rely on a smart feature within your Cookie Management Platform (CMP).

1. The fast route (via your CMP)

Do you use a premium CMP like Cookiebot, CookieFirst, or Klaro? These tools often feature built-in functionality to automatically block video embeds.

  • Cookiebot: Cookiebot automatically scans your HTML and blocks iframes until consent is given. It replaces the video with a placeholder saying 'Accept marketing cookies to view this video'. If auto-blocking fails, ensure you add data-cookieconsent="marketing" to the iframe tag.

2. The manual route (Consent Facade)

If your CMP does not support automatic iframe blocking, you need to build a "Consent Facade". This means displaying a temporary placeholder image or text (the facade), and only injecting the actual video once consent is granted.

  1. Locate the Vimeo <iframe> code on your website.
  2. Change the src attribute to data-src. This prevents the browser from fetching the video immediately.
  3. Use JavaScript to inject the real URL back into the src attribute as soon as your specific CMP fires its "consent granted" event.

Here is an example using a generic CMP event:

<!-- The video will not load immediately because the src attribute is missing -->
<iframe data-src="https://player.vimeo.com/video/123456789" width="640" height="360" frameborder="0"></iframe>

<script>
// Example: listen for a consent update from your CMP
document.addEventListener('consent_marketing_granted', function() {
    var iframes = document.querySelectorAll('iframe[data-src*="vimeo.com"]');
    iframes.forEach(function(iframe) {
        iframe.src = iframe.getAttribute('data-src'); // Inject the video now
    });
});
</script>

How to Verify the Fix

Use your browser's Network tab to ensure the video patiently waits for consent.

  1. Open your website in an incognito window.
  2. Ignore the cookie banner (do not click anything).
  3. Open Developer Tools (F12) and navigate to the Network tab.
  4. Search for vimeo. There should be no request to player.vimeo.com.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

No CMP yet?

A Cookie Management Platform (CMP) handles consent automatically for Vimeo and other trackers — including the correct GTM integration.

Cookiebot → CookieYes → CookieFirst → Complianz → Borlabs Cookie → Enzuzo → ConsentOS →

Check your own site

Scan your website for free to see if Vimeo (or other trackers) loads before consent.

Start free scan →