What Is youtube-nocookie.com? The Honest Answer (2026)

youtube-nocookie.com is the domain YouTube uses for its "privacy-enhanced mode" embeds — the version you get when you tick the Enable privacy-enhanced mode box in the embed dialog. The short, honest answer to "is it actually private?" is this: it reduces tracking, but it does not eliminate it. It holds back cookies until someone presses Play, and that is genuinely better than a standard YouTube embed. But the embed still stores data in the browser and still talks to Google the instant the page loads.

That gap between what the name implies and what the technology does is the whole story. "No cookie" sounds like "no tracking." It isn't. And if your reason for switching to this domain is privacy law — GDPR, the ePrivacy Directive, a cookie banner you'd rather not show — then the distinction matters a lot, because the things youtube-nocookie keeps doing on page load are exactly the things those laws care about.

This guide walks through what the domain is, what privacy-enhanced mode actually blocks, what it leaves running, and what it would really take to embed video on your site without sending visitors' data to a third party. We tested a live youtube-nocookie embed in June 2026 to confirm the technical details rather than repeat older guides.

What is youtube-nocookie.com?

youtube-nocookie.com is a Google-owned domain that serves the same YouTube videos as youtube.com, but through what YouTube calls privacy-enhanced mode. The domain has existed since 2009, originally created so that videos embedded on U.S. federal government websites — which were barred from setting third-party tracking cookies — could still play. Today it's available to everyone through the embed dialog.

When you click Share → Embed on any YouTube video and tick "Enable privacy-enhanced mode," the embed code you get back swaps the domain:

That domain swap is the entire mechanism. There's no separate account setting, no dashboard, no toggle on Google's side — the privacy behavior is tied to which host serves the player. (The unrelated ?rel=0 parameter, which limits suggested videos at the end of playback, works on either domain and has nothing to do with cookies.) Because the change is so small, it's easy to assume it does more than it does. To understand the limits, it helps to know what Google itself claims — and, just as importantly, what it carefully avoids claiming.

What privacy-enhanced mode actually does

To be fair to the feature, it isn't snake oil. Compared with a standard youtube.com embed, switching to youtube-nocookie.com genuinely changes a few things:

• It holds back HTTP cookies until Play. A standard embed can set tracking cookies as soon as the page loads. The nocookie version waits until the viewer actually starts the video.
• It stops embedded views from personalizing YouTube. Watching a video embedded on your site won't feed that person's YouTube recommendations or watch history the way a youtube.com embed can.
• Ads are non-personalized. If an ad shows, it isn't targeted using that viewer's profile.

Those are real improvements, and for a casual blog that just wants to be a bit more considerate, privacy-enhanced mode is a reasonable default. The problem is that the name and the marketing imply a clean break with tracking, and the reality is a much narrower change. The word doing the heavy lifting is "until." Cookies are deferred until Play — not removed. And cookies were never the only way to track someone.

What youtube-nocookie does NOT block

This is the part most guides skip or soften. To see it clearly, we loaded a youtube-nocookie embed in a clean browser in June 2026 and watched what happened before clicking anything. The results are not what the name suggests.

It stores data in the browser before anyone presses Play

"No cookie until Play" is technically true, and also beside the point, because cookies are not the only browser storage that counts. On load, with no interaction at all, the youtube-nocookie player created an IndexedDB database (YtIdbMeta) and wrote a bookkeeping entry to localStorage (ytidb::LAST_RESULT_ENTRY_KEY) under the youtube-nocookie.com origin. Both are persistent client-side storage — and under EU law, both sit in the same legal bucket as cookies.

This matters because Article 5(3) of the ePrivacy Directive doesn't single out cookies — it covers any storing of, or access to, information on a user's device. localStorage and IndexedDB are explicitly in scope. So the "we don't set cookies until Play" line sidesteps the headline word while the underlying obligation — get consent before storing — is triggered the instant the iframe loads.

One useful correction for 2026: older write-ups claim youtube-nocookie writes a persistent yt-remote-device-id identifier to localStorage on load. In our test that key did not appear until playback began. The device identifier and the tracking cookies now arrive together, on Play. The "stores data before consent" problem is real — in our test it was the YtIdbMeta IndexedDB database plus the ytidb::LAST_RESULT_ENTRY_KEY localStorage entry doing it on load, not yt-remote-device-id.

It sends your visitor's IP address to Google on load

Storage is only half of it. The moment the embed loads, the browser makes requests to several Google-owned domains — in our test, google.com, fonts.gstatic.com, and googleapis.com (the last for an anti-abuse attestation check). Every one of those requests carries the visitor's IP address to Google's servers, and the player fires telemetry and QoE beacons before a single frame has played.

An IP address is personal data under GDPR. That's not an opinion — it's the basis of a well-known German court ruling. In January 2022, the Regional Court of Munich (LG München, case 3 O 17493/20) held that loading Google Fonts from Google's servers, which transmits the visitor's IP without consent, violated GDPR, and awarded damages to the plaintiff. That case was about fonts, not YouTube — so don't let anyone tell you "a court ruled youtube-nocookie is illegal," because no such YouTube-specific ruling exists. But the risk analysis still translates: an embedded Google service can transmit a visitor's IP before consent, and a self-hosted alternative may avoid that transfer entirely.

The cookies and the device ID still arrive on Play

When the viewer does press Play, the rest of the tracking machinery switches on. YouTube can set tracking and advertising cookies such as VISITOR_INFO1_LIVE, YSC, GPS, and PREF — and, depending on the ad context, DoubleClick cookies like IDE — along with the device identifier mentioned above. Crucially, clicking Play is not legal consent. France's data protection authority, the CNIL, has been explicit that a click on a Play button doesn't meet the GDPR standard of "freely given, specific, informed and unambiguous" consent, because the visitor has no idea they're agreeing to data transfer to Google by hitting Play.

So the honest scorecard looks like this:

Privacy-enhanced mode moves one row — cookies — from "on load" to "on Play." Everything else that worries a privacy regulator stays put. If you want the fuller picture of what a YouTube embed costs your site beyond privacy, we cover the speed and branding side in why standard YouTube embeds are costly for your site.

Is youtube-nocookie.com GDPR compliant?

No — not by itself. This is the question that sends most people to youtube-nocookie in the first place, so it deserves a direct answer: switching to the nocookie domain reduces your exposure, but it does not make an embedded YouTube video GDPR compliant on its own.

The reason is everything in the section above. The embed stores data on load, transmits an IP address to Google on load, and the only thing it defers — cookies — still fires on a Play click that doesn't legally count as consent. Under GDPR and the ePrivacy Directive, processing that data needs a lawful basis, and for non-essential third-party embeds that basis is consent obtained before the data is processed.

In practice, making YouTube embeds compliant means one of these:

• Block the iframe until consent. Don't load the embed at all until the visitor explicitly agrees. A "two-click" or façade approach shows a thumbnail with a Load Video button, and only injects the iframe after a real click. This is the approach EU regulators point to.
• Use a consent management platform. Tools like Cookiebot, Borlabs Cookie, or Complianz block YouTube iframes by default and only load them after consent. youtube-nocookie can be part of this setup, but it's the gating that does the compliance work, not the domain.
• Remove the third party entirely. If the video never routes through Google, there's no IP transfer, no third-party storage, and nothing in the video to consent to — which is the only option that takes the cookie banner off the table for video.

If compliance is your goal, it's worth understanding that YouTube's "free" embed has a real cost in banners, legal review, and lost conversions — a theme we dig into in the hidden cost of keeping YouTube on your site.

How to embed YouTube with privacy-enhanced mode

If you've weighed the limits and still want to use it — for a low-stakes embed, or as one layer inside a proper consent setup — here's how. The mechanics are genuinely simple.

From the YouTube dialog: open the video, click Share → Embed, tick Enable privacy-enhanced mode, and copy the generated code. The iframe will point at youtube-nocookie.com.

By hand: take any existing embed and change the domain:

<!-- Standard -->
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>

<!-- Privacy-enhanced -->
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>

In WordPress: the core oEmbed handler does not use the nocookie domain automatically — paste a YouTube URL and you get a standard embed. You'll need a plugin (several handle the swap) or a CMP like Complianz or Borlabs that rewrites and gates the embed. On their own, those plugins change the domain but don't deliver consent; pair them with iframe gating. For the broader set of WordPress embedding options, see how to embed video in WordPress. And if you're new to embed codes generally, how video embed codes work covers the fundamentals — including how the "allow embedding" setting we explain in what "allow embedding" means on YouTube interacts with all of this.

The only way to embed truly cookieless video

Step back and the pattern is obvious: every limitation of privacy-enhanced mode comes from the same root cause — the video is still served by Google. As long as the player loads from a Google domain, your visitor's browser has to contact Google, hand over an IP address, and accept whatever the player stores. You can defer some of it and gate the rest behind a banner, but you can't remove it, because it isn't yours to remove.

The only embed that takes the Google consent question off the table is one that doesn't involve a third-party video host at all. When you serve video from your own infrastructure — or a hosting service that delivers it under your domain without ad-tech attached — there are no Google cookies, no IP transfer to Google, no third-party storage, and therefore no cookie banner needed for the video. The player is just part of your page.

That's the model SmartVideo uses. It's an ad-free, branding-free video host that delivers your videos through a fast CDN with a clean player — no YouTube logo, no suggested videos, and none of the third-party tracking that forces the consent question in the first place. You add a script to your site header and drop in a tag where the video should go:

<smartvideo src="path/to/your/video.mp4" width="1280" height="720" class="swarm-fluid" controls></smartvideo>

For sites whose whole reason for reaching for youtube-nocookie was privacy or compliance, that's the difference between managing tracking and not having it. If you're evaluating the move, how to embed video without ads or tracking walks through the practical side, and the best private video hosting options compares the field.

Frequently asked questions

The bottom line

youtube-nocookie.com is real, official, and a modest improvement over a standard YouTube embed. If all you wanted was to be a little more respectful of casual visitors, ticking the box is fine. But don't mistake it for a privacy solution or a compliance shortcut. It defers cookies; it doesn't stop your site from storing data and pinging Google the moment the page loads. "Enhanced" is not the same as "private," and for anyone reaching for this domain because of GDPR, the honest answer is that the only way to take video off the consent table is to stop routing it through a third party at all.