
Privacy Enhanced YouTube Embeds

1st July, 2020

So, you’ve got yourself a blog, and in your most recent post, you want to embed a video of your latest advertising material. You head to YouTube, click share, get your embed link and place it into your post. Done, right? Maybe not…

If we take the method discussed above, and head to your new post, you’ll see that a fair few cookies get stored when the page loads. These are tracking cookies, and therefore identifying, so setting them is in breach of GDPR if your user hasn’t given their consent.

Cookies set on page load

Now, if the visitor has already accepted third party cookies, that’s fine, nothing to be concerned about. However, if they haven’t chosen how they want cookies to be handled, having a third party set them would breach GDPR. Or, on the other hand, if they’ve opted out of third party cookies, you’ve now gone against their wishes (and GDPR).

How can we deal with this?

YouTube provides a helpful feature for this exact purpose. When you’re on their sharing modal, with the embed option selected, under the code snippet they provide, you’ll see a checkbox named “Enable privacy-enhanced mode”.

Clicking this, you’ll see the code snippet they’re providing changes. There’s now an extra piece which says “-nocookie”.

// Before
<iframe width="560" height="315" src="https://www.youtube.com/embed/6GM1Viniyqs" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

// After
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/6GM1Viniyqs" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

With this addition to the embed snippet, no cookies will be stored on page load. Cookies will only be set once a user has interacted with the video.

Is That All?

Unfortunately not. Unless your website allows users to accept and revoke cookies, this would still be breaking GDPR. Why? Because interacting with the video will then set the cookies we’ve tried to delay, without the permission of the user. Yes, the user clicking play is not them giving consent.

This feature by YouTube, although useful, is just one tool in the arsenal for protecting your users’ online rights. It is to be used in addition to a cookie consent implementation that is already in place.

If you’re unsure if your site is compliant, send us an email. We can take a look, and discuss what steps may be needed to help you be on your way to being compliant.

No Cookie in Action

To view an example of a fully compliant YouTube no cookie embed, check out the video below. If you can see it, you’ve already given your consent for us to use third party cookies. If you see a box below telling you we are unable to show you this content, you’ve not given us permission!

If you look at the very bottom left of this window, you’ll see a little triangle with a cookie inside. Click this to view your cookie consent options. Click either “Accept Recommended Settings” or “I Do Not Accept” (you can also toggle “Third Party Cookies”) to see how the embed video changes.

This is an example of a fully compliant YouTube embed. If you have any questions regarding this, please get in touch.
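The consent gating described in “Is That All?” and shown in the demo above can be sketched as follows. This is an added example, not the code running on this site: the consent object with a boolean thirdParty property, the embed-blocked class name and the 11-character video ID pattern are assumptions.

```javascript
// Added example: consent-gated YouTube embed (not the site's own code).
// Assumption: `consent.thirdParty` is a boolean supplied by your consent tool.
const ALLOWED_HOSTS = new Set([
  'youtube.com', 'www.youtube.com',
  'youtube-nocookie.com', 'www.youtube-nocookie.com',
]);
// Assumption: video IDs are 11 URL-safe characters, like 6GM1Viniyqs.
const EMBED_PATH = /^\/embed\/([A-Za-z0-9_-]{11})$/;

// Return the video ID from an embed URL, or null if it is not an https
// YouTube embed. Rejecting everything else keeps untrusted strings out of
// the markup built below. Query parameters are dropped.
function extractVideoId(src) {
  let url;
  try { url = new URL(src); } catch (e) { return null; }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) return null;
  const match = EMBED_PATH.exec(url.pathname);
  return match ? match[1] : null;
}

// Build the markup for one embed. Without consent no iframe is emitted,
// so the browser makes no request to YouTube and no cookie can be set.
function renderEmbed(src, consent) {
  const id = extractVideoId(src);
  if (id === null) return '';
  if (!consent || consent.thirdParty !== true) {
    return '<div class="embed-blocked" data-video-id="' + id + '">' +
      'We are unable to show you this content until you accept ' +
      'third party cookies.</div>';
  }
  return '<iframe width="560" height="315" ' +
    'src="https://www.youtube-nocookie.com/embed/' + id + '" ' +
    'frameborder="0" allowfullscreen></iframe>';
}

// Browser side: call from the consent tool's "accepted" callback to swap
// every placeholder under `root` for the real player.
function activateBlockedEmbeds(root, consent) {
  const blocked = root.querySelectorAll('.embed-blocked[data-video-id]');
  blocked.forEach(function (el) {
    const src = 'https://www.youtube.com/embed/' + el.dataset.videoId;
    const html = renderEmbed(src, consent);
    if (html.startsWith('<iframe')) el.outerHTML = html;
  });
  return blocked.length;
}
```

Revoking consent should do the reverse: re-render the page, or replace each player with its placeholder, so the iframe is removed again.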

Bonus Round

Manage your own site? Feel confident delving into PHP? Have a site recently created by us? This one’s for you.

Here’s a little code snippet to help you out. This snippet runs just before data is entered or updated in the database. It searches the text content for any references to “youtube.com/embed/” and, upon finding one, replaces all instances with the no cookie version, “youtube-nocookie.com/embed/”.

Developers: drop this into your functions.php and it’ll run going forward (remember, this doesn’t account for older entries in the database).

Clients: if you have a site which has been created by us recently, then this will already be in place, meaning that all YouTube videos you embed will be GDPR compliant.

/**
 * Replace YouTube links
 * Runs prior to inserting into or updating the database
 * Searches the post_content for embed YouTube links without the privacy enhanced "-nocookie" addition.
 * If it comes across any instances all will be replaced
 */
function replace_youtube_links($data) {
  // Set both YouTube links
  $non_privacy_youtube_link = 'youtube.com/embed/';
  $privacy_youtube_link = 'youtube-nocookie.com/embed/';

  // Get the post content
  $post_content = $data['post_content'];

  // Search for the non privacy enhanced YouTube link
  // strpos() returns 0 for a match at the very start of the content, which
  // is falsy, so compare strictly against false
  if (strpos($post_content, $non_privacy_youtube_link) !== false) {
    // Replace the non privacy enhanced YouTube link
    $post_content = str_replace($non_privacy_youtube_link, $privacy_youtube_link, $post_content);

    // Replace the $data's post content
    $data['post_content'] = $post_content;
  }

  return $data;
}

add_filter('wp_insert_post_data', 'replace_youtube_links', 99);

As always, I hope you’ve found something of use here. If there’s anything you wish to discuss, be it regarding the no cookie embeds or GDPR as a whole, email us!

Luke