German DPA: Government Websites Disobey Privacy Law by Embedding YouTube Videos
Some German federal websites are breaching privacy laws by embedding YouTube videos in their pages, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) said Monday.
The office's first automated sweep of nearly 200 federal websites in Q1 2025 analyzed more than 500,000 individual pages and identified 40 infringements. The BfDI sent 40 advice letters to the identified locations, it said.
Government authorities can use YouTube videos on their websites in compliance with data protection laws, but it becomes problematic when videos are embedded directly, the BfDI said.
When a visitor accesses the website, the user's browser automatically connects to YouTube services and transmits IP addresses, among other data, the regulator noted. This data transmission occurs without prior user consent, violating the Telecommunications Digital Services Data Protection Act.
The BfDI has repeatedly warned public authorities about this, it said. Despite this, it's apparent that awareness of the problem "has not arrived everywhere."
This first automated analysis allowed the regulator to obtain a more objective and comprehensive view of the scope of the problem rather than relying on self-reports or sampling, it said.
There are two alternatives to embedding the videos, the regulator said. One is to host them on an authority's servers and integrate them on the website, ensuring complete control over the data processing and user interactions.
The second is a two-step solution where users click on a preview image before the connection to YouTube is established, a variant that should always offer an equivalent alternative without third-party providers, the BfDI said.
The use of automated tests is an important step in data-protection supervision, the BfDI said. At year's end, it will assess how or whether the affected offices responded to the letters of advice. It also plans further automated tests with a different focus and additional websites, it added.
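The kind of per-page check an automated sweep like the one described above could run, as an added example that is not the BfDI's tooling or part of the original article: it flags markup that makes the browser contact YouTube-operated hosts on page load, including a two-step preview image hot-linked from YouTube. The host list, sample pages and function names are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# YouTube-operated hosts (assumed list for this example, not exhaustive).
YT_HOSTS = ("youtube.com", "youtube-nocookie.com", "youtu.be",
            "ytimg.com", "googlevideo.com")
# Attributes the browser fetches on page load, per tag. <a href> and data-*
# attributes are absent: they cause no request until the visitor clicks.
AUTOLOAD = {"iframe": ("src",), "script": ("src",), "embed": ("src",),
            "object": ("data",), "img": ("src", "srcset"), "link": ("href",),
            "video": ("src", "poster"), "source": ("src", "srcset")}

def is_youtube(url):
    """True if the URL's host is a YouTube host or a subdomain of one."""
    host = (urlparse(url.strip()).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in YT_HOSTS)

def urls_in(attr, value):
    """srcset holds several 'url descriptor' entries; other attributes hold one URL."""
    if attr == "srcset":
        return [part.split()[0] for part in value.split(",") if part.strip()]
    return [value]

class EmbedAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in AUTOLOAD.get(tag, ()):
                for url in urls_in(name, value):
                    if is_youtube(url):
                        self.findings.append((self.getpos()[0], tag, name, url))

def audit(html):
    """Return every element that contacts a YouTube host without a click."""
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages; VIDEO_ID is a placeholder.
DIRECT = '<h1>Briefing</h1>\n<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>'
TWO_CLICK_LEAKY = '<button data-embed="https://www.youtube.com/embed/VIDEO_ID">\n<img src="https://i.ytimg.com/vi/VIDEO_ID/hqdefault.jpg" alt="Play"></button>'
TWO_CLICK_OK = '<button data-embed="https://www.youtube.com/embed/VIDEO_ID">\n<img src="/media/preview.jpg" alt="Play"></button>\n<a href="https://www.youtube.com/watch?v=VIDEO_ID">Watch on YouTube</a>'
SELF_HOSTED = '<video controls src="/media/briefing.mp4" poster="/media/preview.jpg"></video>'
```

A static check like this sees only the delivered markup; embeds injected by scripts at runtime would need a browser-based crawl that records outgoing requests.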