Stop YouTube embeds tracking visitors before consent (KVKK/GDPR)
A standard YouTube <iframe> contacts Google and can set advertising cookies as soon as the page loads — before the visitor ever presses play or accepts cookies.
Why it matters
An embedded player is a third-party (Google/DoubleClick) request that runs on page load, so it can drop tracking cookies pre-consent (ePrivacy Art. 5(3) / GDPR Art. 6) and transfer data to Google in the US (Chapter V). The video is not essential to the page, so it should not load third-party trackers before a choice is made.
How to fix it
Use the youtube-nocookie.com privacy-enhanced domain to reduce cookie-dropping, and — better still — use a facade: show a static thumbnail and only load the real iframe when the visitor clicks play (or after consent). That way no request reaches Google until the visitor asks for the video.
<!-- Facade: no request to Google until the user clicks play -->
<div class="yt-facade" data-id="VIDEO_ID">
<img src="/img/video-poster.jpg" alt="Play video">
<button type="button">▶ Play</button>
</div>
<script>
document.querySelector('.yt-facade button').addEventListener('click', (e) => {
const w = e.target.closest('.yt-facade');
w.innerHTML = '<iframe width="560" height="315" allow="autoplay" ' +
'src="https://www.youtube-nocookie.com/embed/' + w.dataset.id + '?autoplay=1"></iframe>';
});
</script>
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
Related guides
- Stop Google Analytics from loading before consent (KVKK/GDPR) KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Gate Google Tag Manager behind consent KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Load the Meta (Facebook) Pixel only after consent KVKK m.5 · GDPR Art. 6 · Art. 26 (joint controller)
- Session recording (Hotjar, Clarity, Yandex) needs explicit consent KVKK m.5 · GDPR Art. 6 · Art. 9 risk
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.