YouTube — consent fix

An embedded YouTube video immediately sets tracking cookies and sends data to Google's servers. This happens even before the visitor clicks "play". If your website loads this video before the user accepts the cookie banner, you are violating the GDPR.

Why YouTube loads too early (and why nocookie is not enough)

YouTube videos are almost always placed directly in the source code of a website via an <iframe> tag, rather than through Google Tag Manager (GTM). Because of this, you cannot easily block them using standard GTM exception triggers.

Note: Many websites try to solve this by changing the iframe domain to youtube-nocookie.com. However, this is only a partial solution. While it stops personalised ads, YouTube still sets session and functional cookies (like YSC and VISITOR_INFO1_LIVE) and still receives the visitor's IP address. Under strict GDPR interpretations, this is still not permitted without explicit consent for marketing/statistics.

The Fix: Blocking the YouTube iframe

Since we cannot use GTM, we must either modify the HTML directly or use the built-in features of your Cookie Management Platform (CMP).

1. The automatic route (via your CMP)

Many popular CMPs, such as Cookiebot, have built-in automatic blocking for YouTube.

• Cookiebot: Cookiebot automatically scans your HTML and replaces the YouTube iframe with a temporary placeholder stating 'Accept marketing cookies to view this video'. Ensure that this feature ('Auto-blocking') is enabled in your Cookiebot dashboard. If the iframe still slips through, manually add the data-cookieconsent="marketing" attribute to your <iframe>.

2. The manual route (Consent Facade)

If your CMP does not support automatic video blocking, you will need to build a "Consent Facade". This means the browser is not allowed to load the video until your CMP gives the green light via JavaScript.

1. Find the YouTube <iframe> in your source code.
2. Change the src attribute to data-src. This causes the browser to no longer recognise it as an active link.
3. Use JavaScript to inject the URL back into the src attribute as soon as consent is granted via your CMP.

Here is a generic example:

<!-- The video is paused because src has been replaced with data-src -->
<iframe data-src="https://www.youtube.com/embed/123456789" width="560" height="315" frameborder="0"></iframe>

<script>
// Example: listen for a consent update from your specific CMP
document.addEventListener('consent_marketing_granted', function() {
    var iframes = document.querySelectorAll('iframe[data-src*="youtube.com"]');
    iframes.forEach(function(iframe) {
        iframe.src = iframe.getAttribute('data-src'); // Now load the video
    });
});
</script>

How to Verify the Fix

Rely on your browser's Network tab to see if the video is truly being blocked.

1. Open your website in an incognito window.
2. Ignore the cookie banner completely (do not click anything).
3. Open Developer Tools (F12) and navigate to the Network tab.
4. Search for youtube. There must be absolutely no requests to youtube.com or youtube-nocookie.com visible.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

• Embed videos & playlists (Google Support)