YouTube No Cookies Adds Cookies
At 4/19/2024
It’s counterintuitive and misleading, but if you use YouTube’s no cookies domain, YouTube will still set cookies when someone starts playing a video.
I recently discovered this on a website where we can’t use a cookie consent banner. The best way to comply with privacy laws was to avoid cookies and personally identifiable information.
We removed Google Analytics. We didn’t need cookies for the custom functionality we built. The only third-party service we used was YouTube, and we were using the no cookie version of YouTube.
We thought we had succeeded in building a cookie-free site. On the contrary.
YouTube No Cookies Doesn’t Exist
I have since learned that YouTube no cookies isn’t a real feature. Instead, it is called YouTube Enhanced Privacy Mode. Many people call it YouTube no cookies because you turn on Enhanced Privacy Mode by switching the domain you use to embed videos from:
www.youtube.com
to:
www.youtube-nocookie.com
You would be forgiven for thinking that a domain that says nocookie wouldn’t set a cookie, but that’s not what happens. Per Axbom describes how YouTube’s “Enhanced Privacy Mode” actually works:
- If you use the youtube-nocookie.com domain, there is no cookie set when the page with the YouTube embed loads.
- Instead, YouTube utilizes something called Local Storage in your browser to store a unique device identifier. Note that this is done without anyone’s consent and GDPR is violated already in this step. GDPR is not only about cookies.
- As soon as a user presses Play on the video, a cookie from YouTube is set. Whether or not consent has been given from the viewer. The second violation of informed consent in the same embed.
Given this behavior, naming the domain nocookie seems Orwellian.
Should I have known this?
After I discovered that YouTube was setting cookies and reading Per’s excellent summary of the issue, I found news articles from 2009—shortly after the feature was released—that point out “YouTube’s new ‘nocookie’ feature continues to serve cookies.” It has been this way from the beginning.
But I’m not the only one who was fooled. It isn’t hard to find articles on privacy and GDPR compliance that advocate for using www.youtube-nocookie.com without mentioning that YouTube will still set cookies if you use that domain.
So I’m still kicking myself for not double-checking to make sure cookies weren’t getting set. Trust, but verify, as it were.
But mostly, I’m mad at YouTube. It can’t be a surprise that many people thought this feature wouldn’t set cookies. It’s right there in the domain name.
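
One way to do the double-checking described above, as an added example that is not from the original post: record a HAR in the browser's developer tools while loading the page and pressing Play, then list every third-party host that set or received a cookie. The first-party host `example.org`, the `sampleHar` data, its cookie name and its placeholder paths are constructed for illustration.

```javascript
// Added example: list third-party hosts that set or receive cookies in a HAR.
// sampleHar is constructed data with placeholder paths and cookie names.
const FIRST_PARTY = "example.org"; // assumption: the site being audited
const NOCOOKIE = "https://www.youtube-nocookie.com";

const sampleHar = { log: { entries: [
  { request: { url: "https://example.org/", headers: [] }, response: { headers: [] } },
  // page load: the embed is fetched, no cookie headers in either direction
  { request: { url: NOCOOKIE + "/embed/VIDEO_ID", headers: [] }, response: { headers: [] } },
  // after pressing Play: a cookie is set, then sent back on a later request
  { request: { url: NOCOOKIE + "/placeholder-playback", headers: [] },
    response: { headers: [{ name: "Set-Cookie", value: "CONSTRUCTED_ID=abc123; Secure" }] } },
  { request: { url: NOCOOKIE + "/placeholder-stats",
      headers: [{ name: "cookie", value: "CONSTRUCTED_ID=abc123" }] }, response: { headers: [] } },
] } };

function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Extract cookie names from "cookie" or "set-cookie" headers (names are case-insensitive).
function cookieNames(headers, headerName) {
  return (headers || [])
    .filter(h => h.name.toLowerCase() === headerName)
    // Cookie: "a=1; b=2" carries many pairs; Set-Cookie carries one pair plus attributes
    .flatMap(h => headerName === "cookie"
      ? h.value.split(";")
      : h.value.split("\n").map(v => v.split(";")[0]))
    .map(pair => pair.split("=")[0].trim())
    .filter(Boolean);
}

function auditHar(har, firstParty) {
  const byHost = new Map(); // host -> { set, sent }
  for (const { request, response } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (isFirstParty(host, firstParty)) continue;
    const set = cookieNames(response.headers, "set-cookie");
    const sent = cookieNames(request.headers, "cookie");
    if (set.length + sent.length === 0) continue;
    const f = byHost.get(host) || { set: new Set(), sent: new Set() };
    set.forEach(n => f.set.add(n));
    sent.forEach(n => f.sent.add(n));
    byHost.set(host, f);
  }
  return [...byHost].map(([host, f]) => ({ host, set: [...f.set], sent: [...f.sent] }));
}

console.log(JSON.stringify(auditHar(sampleHar, FIRST_PARTY), null, 2));
```

A HAR only records network traffic, so the Local Storage identifier described above will not appear in it; check the browser's storage inspector for that.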