GDPR Art. 13(1)(e) requires disclosure of the recipients or categories of recipients of personal data — which for cookie-based tracking means identifying the third-party providers by name, not just category. Users making a consent decision about 'analytics cookies' cannot give informed consent under GDPR Art. 4(11) without knowing that accepting means sharing behavioral data with Google LLC or Meta Platforms Inc. YouTube embeds are a common blind spot: an embedded youtube.com iframe — not youtube-nocookie.com — sets VISITOR_INFO1_LIVE and YSC cookies on page load, before any user interaction with the video.
Severity is low because the failure is one of disclosure completeness rather than the presence of unconsented tracking, but it renders consent uninformed and therefore invalid under GDPR Art. 4(11) for the undisclosed providers.
For embedded YouTube content, switch to the privacy-enhanced URL to prevent cookie-setting on load. For all third-party cookies, ensure the registry includes provider legal name, privacy policy URL, and expiry.
// Use privacy-enhanced embed to avoid YouTube cookies on page load
<iframe
src="https://www.youtube-nocookie.com/embed/VIDEO_ID"
title="Video description"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
allowFullScreen
/>
For Google Fonts, self-host to eliminate the third-party request entirely — place font files in public/fonts/ and reference via CSS @font-face. For all other third-party cookies in src/lib/cookies/registry.ts, add provider: 'Google LLC' (not 'Google'), providerPrivacyUrl: 'https://policies.google.com/privacy', and expiry: '2 years'. Provider cookie inventories are published at their respective privacy policy URLs.
ID: cookie-consent-compliance.cookie-classification.third-party-cookies-disclosed
Severity: low
What to look for: From the cookie registry, filter to entries where thirdParty: true. For each third-party cookie, verify the registry (and cookie policy) includes: (1) the exact cookie name or name pattern, (2) the third-party provider's name (e.g., "Google LLC", "Meta Platforms Inc.", not just "Google"), (3) the provider's privacy policy URL or DPA URL, (4) the cookie's purpose in user-facing language, (5) the duration/expiry, (6) the consent category. Check whether the cookie policy page renders these fields for each third-party cookie. Pay particular attention to embedded content: if the application embeds YouTube videos, YouTube sets cookies (VISITOR_INFO1_LIVE, YSC) that must be disclosed. If Google Fonts is loaded directly from fonts.googleapis.com, Google can set cookies — check whether fonts are self-hosted instead.
Pass criteria: Count all third-party domains that set cookies. All third-party cookies are documented in the registry and cookie policy with provider name, privacy policy link, purpose, and duration. Embedded content (YouTube, Vimeo, Maps) cookies are disclosed. No third-party cookie is undisclosed. 100% of third-party cookie sources must be disclosed in the consent UI or cookie policy.
Fail criteria: Third-party cookies listed by name only with no provider, purpose, or duration information. Embedded content cookies (YouTube, Google Maps) not disclosed. Provider names are generic or incorrect (e.g., "Analytics provider" instead of "Google LLC").
Skip (N/A) when: Application loads no third-party scripts and uses no embedded third-party content.
Detail on fail: Example: "Cookie policy lists '_ga' with no provider name, no duration, and no link to Google's privacy policy." or "Site embeds YouTube videos via iframe. YouTube sets VISITOR_INFO1_LIVE and YSC cookies which are not in the cookie registry or policy."
Remediation: For embedded YouTube content, use YouTube's privacy-enhanced mode (youtube-nocookie.com) to avoid cookies until playback starts:
// Use privacy-enhanced embed URL to avoid YouTube cookies on page load
<iframe
src="https://www.youtube-nocookie.com/embed/VIDEO_ID"
title="Video title"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture"
allowFullScreen
/>
For Google Fonts, self-host to eliminate the third-party request entirely:
# Download fonts locally using google-webfonts-helper.herokuapp.com
# Place in public/fonts/ and reference via CSS @font-face
For all remaining third-party cookies, ensure registry entries include all required fields. Third-party providers publish lists of their cookies in their privacy/cookie documentation (Google: policies.google.com/technologies/cookies; Meta: facebook.com/policies/cookies).
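One way to automate the registry check described under "What to look for", as an added example that is not the project's own code. It assumes a registry entry shape in which only thirdParty, provider, providerPrivacyUrl and expiry are field names taken from this page; name, purpose and category, the generic-name list and the sample data are assumptions.

```typescript
// Added example. Only thirdParty, provider, providerPrivacyUrl and expiry are
// field names from the page; name, purpose and category are assumed names.
interface CookieEntry {
  name: string; // exact cookie name or pattern
  thirdParty: boolean;
  provider?: string; // legal entity, e.g. "Google LLC"
  providerPrivacyUrl?: string;
  purpose?: string; // user-facing wording
  expiry?: string;
  category?: string; // consent category
}

// Brand or role labels that do not identify the legal entity (constructed list).
const GENERIC_PROVIDERS = ["google", "meta", "facebook", "analytics provider"];
const REQUIRED: (keyof CookieEntry)[] =
  ["provider", "providerPrivacyUrl", "purpose", "expiry", "category"];

// Returns cookie name -> list of disclosure gaps, for third-party entries only.
function auditThirdPartyCookies(registry: CookieEntry[]): Record<string, string[]> {
  const findings: Record<string, string[]> = {};
  for (const entry of registry.filter((e) => e.thirdParty)) {
    const problems: string[] = [];
    for (const field of REQUIRED) {
      const value = entry[field];
      if (typeof value !== "string" || value.trim() === "") problems.push(`missing ${field}`);
    }
    const provider = (entry.provider || "").trim().toLowerCase();
    if (GENERIC_PROVIDERS.indexOf(provider) !== -1) {
      problems.push(`generic provider name "${entry.provider}"`);
    }
    // Added sanity check (not a criterion stated on the page): link must be https.
    if (entry.providerPrivacyUrl && !/^https:\/\/\S+$/.test(entry.providerPrivacyUrl)) {
      problems.push("providerPrivacyUrl is not an https URL");
    }
    if (problems.length > 0) findings[entry.name] = problems;
  }
  return findings;
}

// Constructed sample registry, not the project's real data.
const sampleRegistry: CookieEntry[] = [
  { name: "_ga", thirdParty: true, provider: "Google", expiry: "2 years" },
  { name: "YSC", thirdParty: true, provider: "Google LLC",
    providerPrivacyUrl: "https://policies.google.com/privacy",
    purpose: "Embedded YouTube video playback", expiry: "session", category: "marketing" },
  { name: "session_id", thirdParty: false },
];
const sampleFindings = auditThirdPartyCookies(sampleRegistry);
console.log(sampleFindings);
```

Run against the real registry in CI, a non-empty result corresponds to the fail criteria above: entries with a missing provider, purpose or duration, or a generic provider name.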