YouTube and Data Protection – What Belongs in the Privacy Policy

Concise guide to embedded YouTube videos: data processed, purposes, legal bases (GDPR), third-party content and what website operators must include in their privacy policy.

YouTube and Data Protection – What Website Operators Need to Know

If a website operator embeds YouTube videos via iFrame or player, they process click paths, web server log data and user profiles for the purpose of providing video content on the basis of consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). YouTube is a video streaming service from Google that enables free access to video content and is often used by website operators to embed product, training or advertising videos.

A. Purpose and Function of YouTube

YouTube is a video platform from Google Ireland Limited. Website operators can upload videos via the YouTube platform or embed them externally on their websites. This enables visitors to watch videos directly on the website without visiting YouTube itself.

Integration function: YouTube videos are typically embedded via an HTML <iframe> element pointing to a YouTube server (youtube.com or optionally youtube-nocookie.com). The player loads when the page is accessed or when the video is opened/played and displays the video content. In parallel, YouTube sets cookies and transmits user data to Google servers.

Optionally, website operators can use the youtube-nocookie.com domain, which according to the provider sets fewer cookies but is not entirely cookie-free and still transmits data.

This page deals exclusively with the embedding of YouTube videos in websites (third-party content). The use of the YouTube platform as an independent controller (uploading videos, YouTube Studio) is not the subject of this presentation.

B. Mandatory Disclosures in the Privacy Policy regarding YouTube

The GDPR requires the following mandatory disclosures for the use of YouTube: purposes of the data processing (Art. 13(1)(c) GDPR), legal bases (Art. 13(1)(c) GDPR), recipients or categories of recipients (Art. 13(1)(e) GDPR), third-country transfers (Art. 13(1)(f) GDPR) and storage duration or its criteria (Art. 13(2)(a) GDPR).

It is not necessary to treat YouTube as its own text template in the privacy policy. The widespread practice of providing a separate section for each tool used produces long, confusing and difficult-to-maintain texts – and contradicts the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented one that explains external third-party content (videos, maps, social media) in an overarching way and names Google Ireland Limited in the recipient appendix.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of YouTube: Google Ireland Limited

Provider: Google Ireland Limited (controller for EU users)

Full address: Gordon House, Barrow Street, Dublin 4, Ireland

Country of seat: European Economic Area (EEA), Ireland

According to the provider, Google Ireland Limited acts as the controller under Art. 4(7) GDPR for the data processing by YouTube. The actual data processing, video storage and server operation are carried out by Google LLC (Mountain View, California, USA) and its subprocessors.

Data Privacy Framework (DPF): According to the provider, Google LLC is certified under the EU-US Data Privacy Framework. Verification at: https://www.dataprivacyframework.gov/participant/5780

Provider's privacy policy: https://policies.google.com/privacy

Data Processing Agreement (DPA): For the embedding of YouTube videos, the operator should verify whether a DPA is required and available.

D. Data Processing by YouTube – Workflow

Collection

When a page with an embedded YouTube video is loaded, a connection to YouTube servers is established. The system collects: IP address, browser information (user agent), operating system, device type, timestamp, referrer page. In addition, YouTube sets cookies (e.g. YSC, CONSENT, APISID). When a video is played, the video ID, playback interactions and playback length are also recorded.

Storage

The collected data is transmitted to Google servers (Google LLC in the USA) and stored there. According to the provider, the storage duration varies depending on the data type. Users can delete certain activity history data via their Google account.

Use

The website operator uses YouTube to provide video content. According to the provider, Google LLC uses the collected data to improve the YouTube service, to personalize video recommendations and for advertising personalization. The data may be linked via Google accounts with other Google services.

Sharing

YouTube works with subprocessors and Google partners for video hosting and content delivery. If users are logged in to their Google account, their video activities are linked to their profile.

Deletion

The website operator has no control over the deletion of data collected by YouTube. Users can delete activity history information and adjust data settings via their YouTube or Google accounts.

E. Data Collected when Using YouTube

YouTube collects the user's IP address, browser and device information, cookies for user tracking, and specific video interaction data when the player is loaded and the video is played. If users are logged in to their Google account, these activities are linked to the account.

This data can be classified into the following standardized data type classes:

  • Web server log data: IP address, date/time/time zone, user agent (browser, operating system, device type), referrer page
  • Click paths: Page on which the video is embedded, video ID, play/pause interactions, playback position
  • Device data: Device type, operating system, screen resolution, orientation
  • Browser information: Browser name, browser version, language
  • Coarse location data: Coarse location determined from the IP address
  • User profiles: Google account data (when logged in), video playback history, interest categories for advertising
  • Interaction data: Play, pause, volume adjustment, full-screen mode

F. Purposes of Use when Using YouTube

The website operator uses YouTube primarily to provide video content for their visitors (product demonstrations, training videos, advertising). According to the provider, Google LLC uses the collected data to improve the YouTube platform, for personalization and for advertising personalization.

The purposes can be classified as follows:

  • Provision of functionality: Provision of video content, video player functionality, video streaming
  • Security and abuse protection: Detection of bot traffic, youth protection
  • General product improvement: Optimization of video recommendations, improvement of streaming quality
  • General marketing: Measurement of video engagement, reach analysis
  • User profile creation: Creation of interest profiles based on video playback history (by Google as an independent controller)
  • User-individual marketing: Personalized video recommendations, personalized advertising (by Google)

YouTube is a third-party content service in which external video servers (Google) are embedded into the website. Typically, the following legal basis comes into consideration:

Primary legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG)

Since YouTube sets cookies when the player loads and transmits data to Google servers, the user's consent, obtained before loading, is regularly considered as the legal basis. Consent is typically obtained via a cookie consent system; a practical implementation is the two-click system (video teaser → user clicks → video loads).

Important: According to information from various data protection authorities, using youtube-nocookie.com alone is not a solution that allows consent to be waived, since this domain also sets cookies and transmits data.

The specific legal basis must be reviewed in each case by the website operator.

H. Special Features and Notes regarding YouTube

  • youtube-nocookie.com: This domain sets fewer cookies than youtube.com, but is not exempt from the consent requirement. Even when using youtube-nocookie.com, data is transmitted to Google servers.
  • Two-click solution: A privacy-friendly implementation in which a video teaser (thumbnail with play button) is displayed initially. The user must actively click to load the iFrame. This enables consent to be obtained before data transmission.
  • Data Privacy Framework (DPF): According to the provider, Google LLC is DPF-certified. Verification at: https://www.dataprivacyframework.gov/participant/5780
  • Alternative video platforms: For website operators who want to avoid third-party tracking, self-hosted videos with the HTML5 video element or more privacy-friendly platforms are options.
  • Processor activity: The operator should verify whether a DPA with Google for the YouTube embedding must be concluded.
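
The two-click solution described above, as an added example that is not part of the original article or of any Google or matterius code. The `data-yt-id` and `data-yt-title` attributes, the function names and the self-hosted teaser image are assumptions made for illustration.

```javascript
// Two-click embed: no request reaches YouTube/Google until the visitor clicks.
// Assumed placeholder markup (thumbnail is self-hosted, NOT loaded from Google):
//   <button data-yt-id="abcDEF12345" data-yt-title="Product demo">
//     <img src="/img/demo-teaser.jpg" alt=""> Play video
//   </button>

// Assumption: video IDs are 11 characters from the URL-safe base64 alphabet.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Build the iframe URL only from a validated ID, never from raw markup.
function embedUrl(videoId, { noCookie = true } = {}) {
  if (!VIDEO_ID.test(String(videoId))) {
    throw new Error("invalid video id: " + videoId);
  }
  const host = noCookie ? "www.youtube-nocookie.com" : "www.youtube.com";
  // autoplay=1 starts playback right after the consent click.
  return "https://" + host + "/embed/" + videoId + "?autoplay=1";
}

// Swap the placeholder for the real player. `doc` is a parameter so the
// function can be exercised outside a browser.
function activate(placeholder, doc) {
  const iframe = doc.createElement("iframe");
  iframe.setAttribute("src", embedUrl(placeholder.getAttribute("data-yt-id")));
  iframe.setAttribute("title", placeholder.getAttribute("data-yt-title") || "Video");
  iframe.setAttribute("allow", "autoplay; encrypted-media; picture-in-picture");
  // Send only the site origin as referrer, not the full page URL.
  iframe.setAttribute("referrerpolicy", "strict-origin-when-cross-origin");
  placeholder.replaceWith(iframe);
  return iframe;
}

// Wire every placeholder; the click is the consent action for that one video.
function initTwoClick(doc) {
  const nodes = doc.querySelectorAll("[data-yt-id]");
  for (const el of nodes) {
    el.addEventListener("click", () => activate(el, doc), { once: true });
  }
  return nodes.length;
}

if (typeof document !== "undefined") initTwoClick(document);
```

Because youtube-nocookie.com still sets cookies and transmits data, the default `noCookie` host reduces what is sent but does not replace the click as the consent step.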

I. FAQ on YouTube

J. Conclusion and Recommendation regarding YouTube

YouTube is the world's largest video platform and is used by many website operators for embedding video content. Since cookies are set when the player loads and data is transmitted to Google servers, consent is typically considered as the legal basis. According to the provider, the data is transferred to the USA under DPF certification.

It makes little sense to include a separate text template for YouTube in the privacy policy. This produces long, confusing and difficult-to-maintain texts and contradicts the transparency requirement of Art. 12(1) GDPR. A more appropriate approach is a topic-oriented one that describes third-party content in an overarching way and lists Google Ireland Limited in the recipient appendix. This is exactly the methodology of the matterius generator.

This article serves as general information about YouTube and does not replace legal advice in individual cases. As of: 2026-04-22. The presentation is based on publicly available information from Google, statements from the provider and current GDPR and TDDDG interpretations. Individual facts should be checked by the operator for currency before use.

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com