audio-video
YouTube
data processing services & kategorisierung
youtube logo
YouTube

Video Service from Google

Content of this article
What kind of service is Youtube?

The moving image is a popular diversion in the presentation of content on websites. For this purpose, website operators can draw on the vast video inventory of various video platforms.

 

The best-known provider for uploading and sharing videos is YouTube. The subsidiary of Google offers easy ways to distribute the videos and embed them on websites. But there are a few things to keep in mind here from a data protection perspective. YouTube LLC is a service from the USA and is thus subject to the consent requirement according to the GDPR due to the transfer of data to a third country.

 

When embedding social media in one’s own website, it is common for them to set cookies on the end devices of website visitors, which in some cases analyze digital user behavior over a very long period of more than 5 years in order to enable targeted marketing with individual content. YouTube also works in this way when providing framing links.

 

As a result, numerous cookies are already set in the visitors’ system when they call up the website, without them having clicked on the video. In the process, YouTube establishes a connection to the Google advertising network “DoubleClick”.

Looking for a specific service?

In our service knowledge base you will find comprehensive information on individual services – clearly arranged and digital!

 

Expert knowledge and pro tips on top 😉

data processing services

Legal foundation for the processing

The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should there ever be a collision.

 

The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.

When is there a requirement for consent?

Personal Data

The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:

 

  1. Die betroffene Person hat ihre Einwilligung erteilt (lit. a)
  2. The processing is necessary to protect your legitimate interest (lit. f)

Cookies

According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.

 

It should be noted that this means not only the well-known small text files and pixels, but all technologies that allow to find out, link or infer a user, a user agent or device.

 

Thus, all information elements that enable the identification of a person are subject to consent.

The requirements for exemption from consent

To ensure consent-free use, the following conditions would need to be met:

 

  1. Conclusion of a processing contract with the processor
  2. No use of cookies or similar profiling techniques
  3. Processing of personal data exclusively in Europe
  4. The processor does not use the obtained data for its own purposes
  5. The processor does not link or enrich the data across different websites
  6. Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
  7. IP anonymization (“Privacy by Default”)
  8. Automatic opt-out for Do-Not-Track settings in the browser
  9. Proof of points 1-8 carried out by the website operator
desktop icon

IP address

Note that the IP address is generally a personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is disguised.

legal icon

Server location

As long as it is not clear whether/that data is collected from a secure server location, compatibility with the GDPR is difficult.

desktop icon

Company headquarters

In the case of American companies or their subsidiaries, the fact that it is an American company must also be taken into account. Since the ruling on the Privacy Shield, American companies belong to an insecure third country.

What are the options for embedding Youtube videos on your own website?

1. enhanced privacy mode

 

YouTube offers the option to enable “enhanced privacy mode” before embedding a video. To embed the video, simply click on the share icon and then on embed. There you can activate the extended privacy mode by placing a check mark. The HTML code that appears afterwards can simply be copied and pasted into the website.

 

Problem: With this method, a connection to YouTube and Google is established despite the privacy settings, just to display the thumbnail. This means that cookies could already be set and data exchanged here. So this should not be the method of choice.

 

2. embedding with framing for own videos

 

With the plugin WP YouTube Lyte, the connection to the YouTube server youtube-nocookie.com is blocked even before the video is played. The thumbnails for this can be inserted yourself and provided with a privacy notice.

 

3. embedding of third party videos


To prevent copyright infringements, the Embed Plus for YouTube plugin is recommended for embedding third-party videos. Here, instead of a thumbnail, only the privacy notice is inserted, along with a link to Google’s privacy policy. The privacy settings are to be made under Security & Privacy. The video URL can then simply be inserted in the “YouTube Wizard” block.

 

 

Conclusion

A completely privacy-safe embedding of YouTube videos is unfortunately not possible.

 

On the one hand, this is because YouTube belongs to Google and data is transferred to the USA, a third country outside the EU with no valid data protection agreement. On the other hand, this is because data is still transmitted even with the privacy-enhanced settings that YouTube itself offers.

 

The two-click solution (using plugins) as well as the consent via a cookie banner comes closest to a privacy-compliant integration. However, there still remains the insufficient information in the privacy policy, which cannot be remedied due to YouTube’s lack of transparency. Overall, the embedding of YouTube videos on one’s own website is not advisable for data protection reasons.

Cookiebox recommendation: Privacy-compliant use of YouTube videos

  • There is the option of linking. This is the safest and easiest, but then the content of the video is not available on your own site and the website visitors are redirected to YouTube when clicking on the link instead of staying on the website.
  • Another option is the local integration of a video. To do this, the video must first be downloaded and then uploaded to the backend. However, the copyright must be observed here. Attention: Not all YouTube videos can be integrated locally. Another disadvantage of this method is that internal videos worsen the loading time of the page, which is not only less user-friendly, but also has a negative impact on the Google ranking.

Speaking of load times: The same goes for plugins: the more plugins, the longer website load times. Therefore, it is simply best not to use Youtube videos.

youtube logo

Any questions?

Then feel free to call us. We will help you with questions about our product and features or generally about all data protection topics:

fragen icon

Du wünschst weitere Infos zum Privacy Hub oder unseren Beratungsleistungen?

jörg ter beek portrait

Jörg ter Beek

Managing Director, Head of Sales & Partnerships