
YouTube, maps and embeds — do they require consent?

An embedded YouTube video, a Google Maps map on the contact page, a social feed in the footer — it feels like content, not tracking. But technically the embed is loaded from the third party's servers, and it often sets cookies in the visitor's browser the moment the page opens — before the visitor has even touched the cookie banner. The website has then collected data without consent, no matter how correct the banner otherwise is. And the responsibility does not sit with YouTube or Google — it sits with the website doing the embedding.

ePrivacy art. 5.3, GDPR art. 7

What does the law say?

The base rule is in article 5.3 of the ePrivacy Directive, in Swedish law chapter 9, section 28 of the Electronic Communications Act: storing or reading information in the visitor's equipment requires consent, except when strictly necessary for the service the visitor requested. The rule is technology-neutral — it applies to cookies whether they are set by an analytics script or an embedded video player.

The consent must also meet the GDPR's requirements — freely given, specific, informed and unambiguous (article 4.11) — and be given before the storage happens. A cookie set at page load, before any choice in the banner, has by definition been set without consent.

That the cookie comes from youtube.com or google.com does not change the responsibility. It is the website that chose to embed the content and thereby let the third party in — the responsibility for what loads before consent sits with whoever owns the page.

Why does an embed set cookies?

An embed is usually an iframe — a web page inside the web page, loaded directly from the third party's domain. When the browser fetches it, the third party can set and read cookies, just as if the visitor had visited their website. A standard YouTube embed, a Google Maps iframe or a social media widget often does exactly that already at page load.

So it is not enough that the visitor never plays the video or clicks the map — the loading itself is what triggers the cookie setting. And the banner only helps if the embed is actually wired to it: an iframe sitting directly in the page's code loads regardless of what the visitor answers.

Is YouTube's privacy-enhanced mode enough?

YouTube offers a "privacy-enhanced mode" via the youtube-nocookie.com domain, which postpones cookie setting until the visitor starts playback. That is a clearly better mode than the standard embed — but do not trust the name. Verify the behaviour on your own page: what actually loads and gets stored is what counts.

The safest pattern is a two-click solution, sometimes called a facade: the page shows a still image or placeholder, and the iframe itself loads only when the visitor clicks. An alternative with the same effect is letting the consent tool (the CMP) block iframes until the visitor has approved the right category — then consent controls the loading, not the other way around.

Common issues we see

  • A YouTube video is embedded with the standard code from youtube.com — cookies are set as soon as the page loads, regardless of what the visitor answers in the banner.
  • A Google Maps map on the contact page loads before consent — one of the website's most visited pages.
  • Social feeds and sharing widgets in the footer or sidebar load third-party content on every page where they appear.
  • The consent tool blocks scripts but not iframes — the banner looks correct, but the embeds slip past.
  • Privacy-enhanced mode is used, but no one has verified what actually loads — the assumption has replaced the measurement.

How CompliantHQ tests this

The scanner visits your pages in a real browser without touching the cookie banner and measures which third-party iframes load before consent. It is a deterministic measurement of actual behaviour — not a guess based on which tools the page appears to use.

If a video, map or other embed loads before the visitor has been able to choose, it is flagged, so you can see which embeds are involved. The check is already included in the trial.
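A static pre-check of your own markup can catch the obvious cases before any browser-based measurement. The following is an added example, not CompliantHQ's scanner: it lists iframes whose `src` points at another host and would therefore be fetched at page load. The sample HTML, the `data-src`/`data-consent` attributes and the exact-hostname comparison are assumptions, and a markup check cannot see iframes injected by scripts.

```javascript
// Added example. SAMPLE_HTML and PAGE_URL are constructed; the data-src /
// data-consent attributes stand in for a consent tool's modified embed code
// (an assumption, tools differ).
const PAGE_URL = "https://example.com/contact";
const SAMPLE_HTML = `
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="//www.google.com/maps/embed?pb=PLACEHOLDER" loading="lazy"></iframe>
<iframe data-src="https://www.youtube-nocookie.com/embed/VIDEO_ID"
        data-consent="marketing"></iframe>
<iframe src="/widgets/newsletter.html"></iframe>`;

// Returns every iframe whose src points at another host, i.e. a frame the
// browser fetches at page load no matter what the banner later records.
function findEagerThirdPartyIframes(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    // Whitespace before "src" keeps data-src (a gated embed) from matching.
    const m = tag.match(/\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)')/i);
    if (!m) continue; // no src attribute: nothing is fetched yet
    let url;
    try {
      url = new URL(m[1] ?? m[2], pageUrl); // resolves relative and // URLs
    } catch {
      continue; // unparsable value, nothing to load
    }
    if (!/^https?:$/.test(url.protocol)) continue; // about:blank, data:
    if (url.hostname === pageHost) continue;       // first-party frame
    // loading="lazy" only delays the fetch until scroll; it is not consent.
    findings.push({ host: url.hostname, src: url.href });
  }
  return findings;
}

console.log(findEagerThirdPartyIframes(SAMPLE_HTML, PAGE_URL));
```

On the sample, the standard YouTube embed and the Google Maps iframe are reported; the gated `data-src` embed and the first-party frame are not.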

How to fix it

  • Use a two-click solution: show a still image or placeholder and load the iframe only when the visitor clicks — then the loading happens at the visitor's initiative.
  • Or let the consent tool block iframes until the right category has been approved — many tools support this via a modified embed code.
  • For YouTube: switch to privacy-enhanced mode (youtube-nocookie.com) as a first step — and then verify that no cookies are set before playback.
  • For maps: consider a static map image linking on to the map service — a contact page rarely needs an interactive map before consent.
  • Measure again after the change: what counts is the actual behaviour in the browser, not what the embed code appears to do.
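The two-click solution from the first bullet, as an added example that is not code from the original page: the iframe element does not exist until the visitor clicks, so nothing is requested from the third party before that. The attribute names `data-embed-src` and `data-embed-title`, the allowlist and the placeholder markup are assumptions of this sketch.

```javascript
// Added example: two-click facade. Assumed placeholder markup:
//   <div data-embed-src="https://www.youtube-nocookie.com/embed/VIDEO_ID"
//        data-embed-title="Product demo">
//     <img src="/img/demo-still.jpg" alt="">
//     <button type="button">Load video from YouTube</button>
//   </div>
// Host the still image yourself: a thumbnail fetched from the video
// provider would itself be a third-party request at page load.

// Only hosts listed here may be swapped in (assumed allowlist).
const ALLOWED_EMBED_HOSTS = new Set(["www.youtube-nocookie.com"]);

// Validates the embed URL so a tampered attribute cannot load another origin.
function buildEmbedUrl(raw) {
  const url = new URL(raw);
  if (url.protocol !== "https:" || !ALLOWED_EMBED_HOSTS.has(url.hostname)) {
    throw new Error("embed host not allowed: " + url.hostname);
  }
  return url.href;
}

// Wires one placeholder: the iframe is created inside the click handler,
// so the third-party request happens at the visitor's initiative.
function mountFacade(placeholder, doc) {
  const button = placeholder.querySelector("button");
  button.addEventListener("click", () => {
    const iframe = doc.createElement("iframe");
    iframe.src = buildEmbedUrl(placeholder.dataset.embedSrc);
    iframe.title = placeholder.dataset.embedTitle || "Embedded content";
    iframe.setAttribute("allowfullscreen", "");
    placeholder.replaceChildren(iframe); // still image and button are removed
  }, { once: true });
}

// In a browser, wire every placeholder on the page.
if (typeof document !== "undefined") {
  document.querySelectorAll("[data-embed-src]")
    .forEach((el) => mountFacade(el, document));
}
```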

What the check covers

  • That no third-party iframes (video, maps, embeds) load before consent.

Common questions

Can I embed a YouTube video without consent?

Not if the embed stores or reads anything in the visitor's browser before consent — and the standard embed often does, already at page load. Block the iframe until consent is given, use a two-click solution, or use privacy-enhanced mode and verify the behaviour.

Is youtube-nocookie.com (privacy-enhanced mode) enough?

It is a good step: cookie setting is postponed until playback starts. But do not trust the name — verify what actually loads on your page. The safest pattern is a two-click solution or having the consent tool block the iframe until the visitor has consented.

Who is responsible — my website or Google?

The website doing the embedding. You let the third party's content onto your page, and you are therefore responsible for nothing being stored in the visitor's browser before consent.

Do the same rules apply to Google Maps and social feeds?

Yes. The rule is technology-neutral: storing and reading in the visitor's equipment requires consent unless strictly necessary — whether it comes from a video player, a map or a social feed.
