Many people are searching the Internet for a workaround that makes their site or blog GDPR compliant without having to remove YouTube videos. Drupal users can no longer use the Video Embed module without breaching the GDPR, even if they apply the suggested patch for Drupal 8, which has been reported to work on Drupal 7.56.
However, Drupal 7.56 is not secure to use, so I don't know why someone would still be using it or, worse, recommend that someone use it. So far, seven attempts at a working patch have been rejected as a working solution.
A possible working solution to make your site GDPR compliant is to create a block and add the following code.
It passed the cookiemetrix test:
<iframe width="642" height="361" src="https://www.youtube-nocookie.com/embed/vN7vCfsriCA" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
This will pass the test and you could say it is a technical cookie, but, and this is a big but, it is an encrypted cookie: it will pass the test, yet it is probably still not a technical cookie stored in the visitor's web browser.
That being said, it is the best solution available so far. It will be downloaded with your domain name, so it looks OK in tests, but what if the encrypted cookie, valid for 23 days, really contains doubleclick(.)net and someone finds out? Your ass could be grass.
Now I did a test removing the encryption tag and it still passed.

I am not sure this is safe to use. It is the best solution so far, but still... your choice.
The Google API documents for implementing YouTube videos in modules are still from 2014 and have not been updated, so they are not helping either.
Note: The legal concept of non-retroactivity doesn't apply in this case, so bloggers or site owners need to remove old posts that include YouTube videos.
Other, not so good solutions are:
1. You can block all EU-countries via .htaccess or other means, but it could be bad for business.
2. Ignore the GDPR because you are outside of the EU. This is risky and could in the end mean a big fat bill to pay if you follow this statement:
There’s no need for visitors’ explicit consent and a notice similar to “By using this site, you agree to its use of cookies” – linked to a Privacy and Cookie Policy – is enough, because the visitors can change their browser settings to block cookies, so they are in total control. Many sites operate on this option at the moment. That’s implicit consent.
Now it is important that you know the difference between implicit consent and explicit consent.
Explicit consent works like this:
The visitors land on your site and no non-essential cookies are sent to their browsers. Next, the visitors are prompted to accept or decline the cookies. The non-essential cookies will be sent to the browsers only if the visitors accept them. This would make your site safe.
The problem with this and the 50/50 solution above is that visitors get YouTube cookies ("third-party non-essential cookies") in their browser before having the chance to accept or refuse them, even though my example above passes the test.
While a quick solution is to just add a link, this could drive away your visitors.
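One way to implement the explicit consent flow described above for a single video, as an added example that is not part of the original post and has not been run against the cookiemetrix test: the page shows a local placeholder button and inserts the youtube-nocookie iframe only after the visitor clicks it. The data-youtube-id attribute, the yt-consent class, the function names and the 11-character video id pattern are assumptions made for this example.

```javascript
// Added example, not from the original post. Assumed names: data-youtube-id,
// yt-consent, buildEmbedHtml, renderSlot, initConsentEmbeds.
const VIDEO_ID_RE = /^[A-Za-z0-9_-]{11}$/; // assumed shape of a video id

function assertVideoId(videoId) {
  // Reject anything that is not a plain id, so a data attribute cannot
  // smuggle markup into the generated HTML.
  if (!VIDEO_ID_RE.test(String(videoId))) throw new Error('invalid video id');
  return String(videoId);
}

// Same host and size as the iframe in the post, pointed at the given video.
function buildEmbedHtml(videoId) {
  return '<iframe width="642" height="361" ' +
    'src="https://www.youtube-nocookie.com/embed/' + assertVideoId(videoId) +
    '" frameborder="0" allowfullscreen></iframe>';
}

// Markup for one slot: a local placeholder until the visitor accepts, the
// iframe afterwards. The placeholder references no third-party host.
function renderSlot(videoId, accepted) {
  if (accepted) return buildEmbedHtml(videoId);
  return '<button type="button" class="yt-consent" data-video="' +
    assertVideoId(videoId) + '">Show this video (loads content from ' +
    'YouTube, which may set cookies)</button>';
}

// Browser wiring: every <div data-youtube-id="..."> starts as a placeholder
// and only becomes an iframe after a click on its button.
function initConsentEmbeds(doc) {
  doc.querySelectorAll('[data-youtube-id]').forEach(function (slot) {
    const id = slot.getAttribute('data-youtube-id');
    slot.innerHTML = renderSlot(id, false);
    slot.querySelector('button.yt-consent').addEventListener('click', function () {
      slot.innerHTML = renderSlot(id, true);
    });
  });
}

// Only runs in a browser; under Node the functions above are just defined.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    initConsentEmbeds(document);
  });
}
```

In the block you would then place <div data-youtube-id="vN7vCfsriCA"></div> instead of the iframe itself.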
If you are using Firefox Quantum, you can type:
about:support
in the address field and press Enter to find out where your cookies are stored.
Once I find a solution that actually works 100%, I will post it here, but until then, good luck.