I’ve been using Youtube embeds in enhanced privacy mode by
chang[ing] the domain for the embed URL in your HTML from https://www.youtube.com to https://www.youtube-nocookie.com
I remember checking via DevTools (Application/Storage tab) that no cookie was actually set.
A customer just notified me that they did find cookies set by the domain
.youtube-nocookie.com — weirdly, something about "consent pending", which does not change when I click play, as other sources state.
They have also alerted me to some shenanigans in Local Storage, namely an item with the key
yt-remote-device-id, which has a UUID and an expiration date 10 years in the future.
I have always suspected that Enhanced Privacy Mode is somewhat of a exaggeration, but this seems to defeat the purpose almost entirely. And it makes youtube-nocookie practically useless w.r.t. a less painful GDPR-compliant user experience.
Is this a recent change? Is there any documentation or changelog on that?