Embedded videos and maps

Forum Moderators: webwork

Message Too Old, No Replies

Embedded videos and maps

Marketing and tracking cookies

SmallP

5:09 pm on May 14, 2018 (gmt 0)

I have a large number of YouTube videos and Google maps embedded throughout my website which I've noticed are placing a number of cookies. Some of the cookies look like they could definitely be passing PII (personal identifiable information).

It's a stumbling block because I am trying to remove cookies passing PII to make compliance with GDPR for EU visitors as simple as possible and would prefer not to have to ask for permission.

Has anyone else thought of this? Come up with any solutions?

keyplyr

7:23 pm on May 14, 2018 (gmt 0)

Not a solution but the page won't show that cookie is being set if the video is shown in a child window through an event triggered script.

If done this way, any scan will show 0 cookies. The cookie is set when the video is watched in the child window.

Hopefully YouTube will deal with PII on their end if they haven't done so yet. Is there any announcement from YouTube on this? Do we need to update our YT embed code?

tangor

5:29 am on May 15, 2018 (gmt 0)

Good questions all, and a reminder that third party is just that, a third party. What level of legal exposure is thus developed?

Shaddows

3:02 pm on May 16, 2018 (gmt 0)

What level of legal exposure is thus developed?

Technically, the site owner is liable.

If you own a site, you chose to include content. If that content has GDPR-covered implications (such as dropping PII cookies), you are "passing" PII to a 3rd party controller - something that probably requires consent (unless you think you can legally defend the fact the user would "expect" the data to be handed over, and no reasonable person would so object - in which case you can cite "legitimate interests").

You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.

You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them.
[ico.org.uk...]

SmallP

3:23 pm on May 16, 2018 (gmt 0)

I thought I had found an easy solution - changing the url in the embed from youtube.com to youtube-nocookies.com. Unfortunately that still doesn't get it past GDPR as I believe it only prevents cookies until the video is clicked / watched.

Interesting the ICO website mentions cookies from embedded Youtube videos with their "privacy enhanced" mode:

[ico.org.uk...]

But all I can find on Youtube about that is this:

When you turn on privacy-enhanced mode, YouTube won't store information about visitors on your website unless they play the video.

I've come to the reluctant conclusion that Youtube cookies are going to require "Consent".

Shaddows

3:49 pm on May 16, 2018 (gmt 0)

My strong impression is that by the USER undertaking an action (as opposed to being force-fed it by the site owner), the relationship transfers to YouTube.

One for Case Law, that one.

SmallP

3:56 pm on May 16, 2018 (gmt 0)

Interesting point, @Shaddows.

It's not so simple anymore, is it?