Monday, June 29, 2020 [Tweets] [Favorites]

How to Remove YouTube Tracking

Dries Buytaert (via John Gruber):

I learned that when I embed a YouTube video in my blog posts, Google sends an HTTP cookie to track my site’s visitors.

[…]

After some research, I discovered that YouTube offers a privacy-enhanced way of embedding videos. Instead of linking to youtube.com, link to youtube-nocookie.com, and no data-collecting HTTP cookie will be sent. This is Google’s way of providing GDPR-compliant YouTube videos.

It makes his site faster, too. I always liked how the iCab browser would report whether a site was using valid HTML, but I’m not sure how influential it was because of the relatively low marketshare. Safari’s new Privacy Report will hopefully have a big impact.

Previously:

5 Comments

I must say I was a bit surprised that Gruber learned all this just now, because of the new privacy report i Safari. I mean, he does publish a website for a living and never once tried a privacy-protecting plugin like Ghostery to check what is going on?

Well, Gruber rarely embeds videos (or even pictures). Trackers are for the most part a non-issue on his site.

What surprise me in all that hubbub is that all those people did not seem know that, while it has been right there for years/em>. Under the share menu, click embed, in panel that appears, right-hand see “embed options”, check the “Enable privacy-enhanced mode.” option. Granted it used to be more visible, YT’s embrace of pseudo-minimalism has made it more messy.

An important warning for those enabling this (very useful) feature for GDPR-related reasons: some Data Protection Authorities in Europe consider that an IP address is personally identifiable and will, therefore, still argue that allowing a user's IP address to be hoovered up by YouTube constitutes an export of PII outside of the European Union. Sadly, I am not joking.

I will be the first to argue that this should not deter publishers from embedding YouTube videos where and when appropriate, nor does it make this mode any less useful.

Nevertheless, anyone who embeds YouTube videos on their site, with or without cookies, should mention this explicitly in their Privacy Policy, explain that, as a result, visitors' IP address may be sent to YouTube, and link to YouTube's own Privacy Policy for this feature. Sadly, more may be needed depending on the European countries you are based in or cater to.

An important warning for those enabling this (very useful) feature for GDPR-related reasons: some Data Protection Authorities in Europe consider that an IP address is personally identifiable and will, therefore, still argue that allowing a user’s IP address to be hoovered up by YouTube constitutes an export of PII outside of the European Union. Sadly, I am not joking.

Sounds to me like those authorities are correct? Association between IP addresses and owners are often retained by ISPs for a certain amount of time, so that law enforcement can trace them back to a person.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment