The lie of YouTube's privacy-enhanced embed mode

Do you remember Facebook's hugely popular like button? A quick-to-add JS snippet enabled site owners to implement Facebook functionality, and the social media giant started tracking people across the web.

It's been wild times, and luckily, things are different today. People are more privacy aware, (some) browsers started blocking all these trackers, and I stopped using Facebook years ago.

But I do watch many YouTube videos. And this made me think: how does YouTube treat privacy when you embed a video?

I was delighted to learn about YouTube's privacy-enhanced embed mode!

If you turn it on, the iframe source changes from youtube.com/embed/[ID] to youtube-nocookie.com/embed/[ID]. That's pretty cool!

But unfortunately, I just stumbled upon Jason Grigsby's disappointment about the feature.

So what's up?

First, the domain youtube-nocookie.com seemed to have been a cute developer idea until the business decided that dropping all cookies isn't great for the ad monetization model. youtube-nocookie.com does not mean no cookies.

"We won't store user info unless you interact with the embed".

Ouch... but fair; YouTube doesn't hide what they're doing here. youtube-nocookie.com isn't more than an unfortunate domain choice, but hey, we've all bought silly domains at some point, right?

But it's not okay that the explainer claims that the embed only starts storing user info after an interaction.

I just tried it out, and look what I've found in my localstorage. 🤦‍♂️

So much about, "we won't store user info unless you play the video". Not cool, YouTube. Really not cool!