ahmet gedik

European GDPR Compliance for Video Aggregation Sites

Introduction

If you serve users in Europe — and if your platform explicitly targets European regions like ViralVidVault does with Poland, Netherlands, Sweden, Norway, and Austria — GDPR compliance isn't optional. Here's a practical, developer-focused guide to making a video aggregation site GDPR-compliant.

What Data Do You Actually Collect?

Before panicking about GDPR, audit what you actually collect. For a video aggregation site like viralvidvault.com, the typical data points are:

| Data | Source | Personal? |
| --- | --- | --- |
| IP addresses | Server logs | Yes (GDPR) |
| YouTube video metadata | YouTube API | No |
| Search queries | User input | Maybe |
| Analytics (page views) | Cloudflare/GA | Yes (cookies) |
| User preferences | Cookies | Maybe |

The Cookie Consent Banner

European law requires informed consent before setting non-essential cookies:

<?php

class CookieConsent
{
    private const CONSENT_COOKIE = 'vvv_consent';
    private const CONSENT_TTL = 365 * 86400; // 1 year

    public function hasConsent(): bool
    {
        return isset($_COOKIE[self::CONSENT_COOKIE])
            && $_COOKIE[self::CONSENT_COOKIE] === 'accepted';
    }

    public function grantConsent(): void
    {
        setcookie(self::CONSENT_COOKIE, 'accepted', [
            'expires' => time() + self::CONSENT_TTL,
            'path' => '/',
            'secure' => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }

    public function revokeConsent(): void
    {
        setcookie(self::CONSENT_COOKIE, '', [
            'expires' => time() - 3600,
            'path' => '/',
        ]);
    }

    public function renderBanner(): string
    {
        if ($this->hasConsent()) return '';

        return <<<'HTML'
        <div id="cookie-banner" class="cookie-banner">
            <p>We use cookies to improve your experience. By continuing to browse, you agree to our 
               <a href="/privacy">Privacy Policy</a>.</p>
            <div class="cookie-actions">
                <button onclick="acceptCookies()" class="btn-accept">Accept</button>
                <button onclick="declineCookies()" class="btn-decline">Decline</button>
            </div>
        </div>
        <script>
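        // URLSearchParams makes fetch send application/x-www-form-urlencoded,
        // which PHP needs to populate $_POST (a plain string body goes out as text/plain).
        function acceptCookies() {
            fetch('/api/consent', { method: 'POST', body: new URLSearchParams({ action: 'accept' }) });
            document.getElementById('cookie-banner').remove();
        }
        function declineCookies() {
            fetch('/api/consent', { method: 'POST', body: new URLSearchParams({ action: 'decline' }) });
            document.getElementById('cookie-banner').remove();
        }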
        </script>
        HTML;
    }
}
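
The banner posts to /api/consent, but the page does not show that endpoint. One possible handler, as an added example that is not the author's or ViralVidVault's code: decideConsent() and its Origin check are hypothetical, and it assumes the request body arrives form-encoded so that PHP fills $_POST.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical handler for POST /api/consent.
const CONSENT_COOKIE = 'vvv_consent'; // same cookie name as the CookieConsent class
const CONSENT_TTL = 365 * 86400;      // 1 year

/** Decide status and cookie change without touching globals, so the logic is testable. */
function decideConsent(string $method, ?string $origin, string $host, array $post, int $now): array
{
    $deny = static fn(int $status): array => ['status' => $status, 'value' => null, 'expires' => null];

    if ($method !== 'POST') {
        return $deny(405);
    }
    // Consent has to come from the visitor's own click on this site, so a request
    // whose Origin header names a different host is refused.
    $siteHost = parse_url('//' . $host, PHP_URL_HOST); // drops any ":port"
    if ($origin !== null && parse_url($origin, PHP_URL_HOST) !== $siteHost) {
        return $deny(403);
    }
    $action = $post['action'] ?? null;
    if ($action === 'accept') {
        return ['status' => 204, 'value' => 'accepted', 'expires' => $now + CONSENT_TTL];
    }
    if ($action === 'decline') {
        // Same effect as revokeConsent(): expire the consent cookie.
        return ['status' => 204, 'value' => '', 'expires' => $now - 3600];
    }
    return $deny(400); // unknown or missing action
}

// Wiring for the web SAPI; nothing runs when the file is loaded on the CLI.
if (PHP_SAPI !== 'cli') {
    $r = decideConsent(
        $_SERVER['REQUEST_METHOD'] ?? 'GET', $_SERVER['HTTP_ORIGIN'] ?? null,
        $_SERVER['HTTP_HOST'] ?? '', $_POST, time()
    );
    if ($r['value'] !== null) {
        setcookie(CONSENT_COOKIE, $r['value'], [
            'expires' => $r['expires'], 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
    http_response_code($r['status']);
}
```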

Privacy Policy Essentials

Your privacy policy must include:

  1. What you collect — IP addresses, cookies, search queries
  2. Why you collect it — Legitimate interest (site operation), consent (analytics)
  3. How long you keep it — Server logs: 30 days, analytics: 26 months
  4. Who you share it with — Cloudflare, YouTube (embeds)
  5. User rights — Access, deletion, portability, objection
  6. Contact information — Data controller details

YouTube Embed Privacy Mode

When embedding YouTube videos, use the privacy-enhanced mode:

// Instead of:
$embedUrl = "https://www.youtube.com/embed/{$videoId}";

// Use privacy-enhanced mode:
$embedUrl = "https://www.youtube-nocookie.com/embed/{$videoId}";

The youtube-nocookie.com domain doesn't set tracking cookies until the user actually plays the video.
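
An added example (not from the original post) of rendering the privacy-enhanced embed when the video ID comes from stored YouTube API metadata. renderEmbed(), embedCsp() and the 11-character ID pattern are assumptions of this example; the Content-Security-Policy header stops a page from framing a regular youtube.com embed by mistake.

```php
<?php
declare(strict_types=1);

const EMBED_ORIGIN = 'https://www.youtube-nocookie.com';

/** CSP directive that allows framing only the privacy-enhanced host. */
function embedCsp(): string
{
    return 'frame-src ' . EMBED_ORIGIN;
}

/** Build the iframe for a stored video ID, or return null if the ID is malformed. */
function renderEmbed(string $videoId, string $title): ?string
{
    // Assumption: video IDs are 11 characters from [A-Za-z0-9_-]. This is the
    // commonly observed format, not a documented guarantee.
    if (preg_match('/\A[A-Za-z0-9_-]{11}\z/', $videoId) !== 1) {
        return null;
    }
    // The ID is now known to be URL- and attribute-safe; the title is API
    // data and must be escaped before it lands in an HTML attribute.
    return sprintf(
        '<iframe src="%s/embed/%s" title="%s" loading="lazy" allowfullscreen></iframe>',
        EMBED_ORIGIN,
        $videoId,
        htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

// Constructed sample values, not real video metadata.
header('Content-Security-Policy: ' . embedCsp());
echo renderEmbed('abcDEF12_-x', 'Sample "title" <b>') ?? '<!-- embed skipped: bad video id -->';
echo "\n";
echo renderEmbed('"><script>', 'x') ?? '<!-- embed skipped: bad video id -->';
echo "\n";
```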

IP Anonymization

For server logs, anonymize IP addresses:

function anonymizeIp(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        // Replace last octet: 192.168.1.100 -> 192.168.1.0
        return preg_replace('/\d+$/', '0', $ip);
    }

    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        // Replace last 80 bits. Work on the packed 16-byte form so that
        // compressed addresses ("::") are masked correctly:
        // 2001:db8:1:2:3:4:5:6 -> 2001:db8:1::
        $packed = inet_pton($ip);
        return inet_ntop(substr($packed, 0, 6) . str_repeat("\0", 10));
    }

    return '0.0.0.0';
}

Data Retention Policy

Implement automatic deletion:

class DataRetention
{
    public function enforce(\PDO $db): void
    {
        // Delete search logs older than 30 days.
        // SQL string literals take single quotes; SQLite treats double quotes as identifiers.
        $db->exec("DELETE FROM search_log WHERE created_at < datetime('now', '-30 days')");

        // Anonymize old analytics
        $db->exec("
            UPDATE page_views
            SET ip_address = '0.0.0.0', user_agent = 'anonymized'
            WHERE created_at < datetime('now', '-90 days')
            AND ip_address != '0.0.0.0'
        ");
    }
}

Cloudflare and GDPR

If you use Cloudflare (as ViralVidVault does), note that:

  • Cloudflare acts as a data processor under GDPR
  • Their DPA (Data Processing Addendum) is available in the dashboard
  • Cloudflare Analytics is privacy-focused by default (no cookies)
  • Enable "IP anonymization" in Cloudflare settings

Key Takeaways

  1. Audit what data you actually collect before worrying about compliance
  2. Use youtube-nocookie.com for privacy-enhanced embeds
  3. Implement cookie consent before loading any non-essential cookies
  4. Anonymize IP addresses in logs
  5. Automate data retention with scheduled cleanup
  6. Keep your privacy policy accurate and up-to-date

GDPR compliance isn't about paperwork — it's about respecting your users' privacy. For a video aggregation site, the footprint is small, and compliance is straightforward.


Part of the "Building ViralVidVault" series.
