• Ate Up With Motor

    (@ate-up-with-motor)


    Is there a way to set embedded YouTube or Vimeo video players within a post or page to show a placeholder message until a user indicates their consent to loading that content?

    The reasoning is that embedded content collects personal information from users when it loads and sets cookies and/or web storage information in ways that require consent under the GDPR and lookalikes.

    I have a cookie consent plugin that can create appropriate helper functions, but I have no idea how to use that for an embedded player within a post that (a) won’t be stripped by the WordPress editor and (b) that works with the iFrame embed codes those video platforms provide (since my understanding is they don’t allow custom iFrames). I’ve seen Medium pages that do this, but I don’t know how, or whether there’s an equivalent for WordPress.

    I’m not a developer, so while I understand the basics of what needs to happen, I don’t even know where to start in making this work for the WordPress Classic Editor.

    Does anyone have any suggestions? Know of any suitable tutorials or plugins? (I’m not even sure how to search for this in a way that won’t just get me a bunch of cookie banner plugins, which I already have.)

    Thanks!

    • This topic was modified 3 years ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not a Developing with WordPress topic
Viewing 2 replies - 1 through 2 (of 2 total)
  • Is there a way to set embedded YouTube or Vimeo video players within a post or page to show a placeholder message until a user indicates their consent to loading that content?

    I don’t know about the specific approach you’re looking at, but both YouTube and Vimeo supposedly allow embedding videos without cookie tracking.

    For Vimeo, you just have to append the parameter dnt=1 to the URL, e.g.:

    https://vimeo.com/110033541

    Becomes:

    https://vimeo.com/110033541?dnt=1

    The WordPress auto-embed feature works with and respects this parameter.

    For YouTube, they use a separate domain name, youtube-nocookie.com, so it’s a bit more complicated. E.g.:

    https://www.youtube.com/embed/a4d5CbK0b3A

    Becomes:

    https://www.youtube-nocookie.com/embed/a4d5CbK0b3A

    Unfortunately, WordPress does not recognize the youtube-nocookie.com domain, so it’s unable to embed the no-cookie videos automatically.

    For a few one-time videos, you could simply use the Custom HTML block to insert the iframe embed code manually. If you’re working with a lot of YouTube videos on the site, you could tweak WordPress’ oEmbed feature to allow auto-embedding from the youtube-nocookie.com links.

    With all that said, even if these companies go by their promises and never do any tracking (via cookies or otherwise) with these official no-tracking approaches, your website visitors may not know you’re using these no-tracking approaches, and may assume these 3rd-party providers are tracking them.

    In that sense, I do believe your desired approach of making the user explicitly opt-in to play the video (and accept any tracking that may result) is a superior solution.

    Thread Starter Ate Up With Motor

    (@ate-up-with-motor)

    @gappiah – I’m aware of the DNT/enhanced privacy modes you describe, which are not adequate for two reasons:

    First, while I’m not super-familiar with Vimeo embeds, YouTube enhanced privacy/nocookies embedded players still store data in the user’s web storage as soon as the player loads, whether the user interacts with the player or not. This data contains a unique identifier, so it’s at best on shaky ground with regard to GDPR compliance, probably coming down to how individual jurisdictions actually word their cookie laws and GDPR implementation.

    Second, even if they didn’t store identifiers or potentially personally identifying information in the user agent (either in web storage or in cookies) until/unless the user interacted with the player, the mere fact that the players are loading from the remote YouTube or Vimeo server means that those servers are capturing users’ IP addresses, user agent information, and probably the referring site. (The latter may come down to how the page has its referrer-policy configured; I think the default (strict-origin-when-cross-origin) will give the video provider the origin, but not the full path.)

    The IP address alone qualifies as personal information in many jurisdictions, and the combination of IP address and user agent (or user agent, hostname, user agent, and referer) almost definitely would. So, this may be deemed sharing users’ personal information with third parties that those third parties may use for advertising purposes, which is very dicey in some jurisdictions even if no cookies are involved.

    Ideally, I would like to wrap each piece of third-party content, whether in a post, on a page, or in a Widget, in code that will check for the presence of the applicable user consent using the appropriate helper function (which I already have a way of creating). If the user has indicated their consent, the helper function would return true and load that content; if not, it would instead display some type of placeholder saying something like, “Your current privacy settings don’t allow this video player, which contains embedded YouTube content, to be displayed,” with a message about how they can adjust the setting if they want to see the content. (In a perfect world, they’d have the option to override the setting for the current item only, but that’s probably not going to be feasible.)

    I can sort of do this with a Widget (although it doesn’t work at all with caching enabled), but I don’t know how to do it in a post or page. Again, I’ve seen people do this on Medium, but I have no idea if it’s possible to do on WordPress. I understand the logic of how it works, but even if I were able to write the necessary code, if I place it in a post, I think it would risk getting stripped in the sanitization process as soon as I hit save.

    Also, the solution would need to be something compatible with the Classic Editor. I do not and will not use Gutenberg, so anything that requires blocks is not going to be an option. (Before I use Gutenberg, I’ll go back to just plain hand-coding HTML like it’s 2004.)

    If I knew enough about WordPress coding to design a plugin to do this from scratch, I would (and I would probably publish it on www.ads-software.com, because I’m obviously not the only one for whom this is an issue), but I don’t.
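
The consent-gated placeholder described in this thread, sketched as an added example that is not part of the original posts or of any plugin: the page ships only a placeholder element, and a script swaps in the provider's privacy-mode iframe once consent is present. The `consent-embed` class, the `data-src` attribute and the `siteHasConsent` helper are assumed names standing in for whatever the site and its consent plugin actually provide.

```javascript
// Assumed markup: <div class="consent-embed" data-src="VIDEO_URL">placeholder message</div>
// Only hosts in this map may ever become an iframe src.
const PROVIDERS = new Map([
  ['www.youtube.com', youtubeUrl],
  ['www.youtube-nocookie.com', youtubeUrl],
  ['vimeo.com', vimeoUrl],
  ['player.vimeo.com', vimeoUrl],
]);

function youtubeUrl(u) {
  const m = u.pathname.match(/^\/embed\/([\w-]{11})$/);
  return m ? `https://www.youtube-nocookie.com/embed/${m[1]}` : null;
}

function vimeoUrl(u) {
  const m = u.pathname.match(/^\/(?:video\/)?(\d+)$/);
  return m ? `https://player.vimeo.com/video/${m[1]}?dnt=1` : null;
}

// Privacy-mode embed URL, or null if `raw` is not an allowlisted https video link.
function privacyEmbedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== 'https:') return null;
  const build = PROVIDERS.get(u.hostname);
  return build ? build(u) : null;
}

// Replace placeholders with iframes only when consent exists; returns the count.
// The decision is made in the browser, so a cached page behaves the same way.
function activateEmbeds(doc, hasConsent) {
  let activated = 0;
  for (const box of doc.querySelectorAll('.consent-embed[data-src]')) {
    const src = privacyEmbedUrl(box.getAttribute('data-src'));
    if (!src || !hasConsent('video')) continue; // placeholder message stays
    const frame = doc.createElement('iframe');
    frame.setAttribute('src', src);
    frame.setAttribute('allowfullscreen', '');
    box.replaceChildren(frame);
    activated += 1;
  }
  return activated;
}

if (typeof document !== 'undefined') {
  // window.siteHasConsent is a hypothetical global from the consent plugin.
  const ask = (c) => typeof window.siteHasConsent === 'function' && window.siteHasConsent(c);
  document.addEventListener('DOMContentLoaded', () => activateEmbeds(document, ask));
}
```

Because no request goes to YouTube or Vimeo until `activateEmbeds` creates the iframe, the provider sees neither the visitor's IP address nor their user agent while the placeholder is showing.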

  • The topic ‘Consent-based embedded videos’ is closed to new replies.