Google Maps on Your Website: The GDPR Problem

Almost every small business website has a Google Maps embed. Restaurants use it for directions. Hotels show their location. Shops point customers to their storefront. It seems harmless. It's a map.

But that map sends your visitor's personal data to Google the instant your page loads. Under GDPR, you need consent for that. Most websites don't ask.

What data does Google Maps collect from your visitors?

When you embed Google Maps using the standard iframe code, your visitor's browser connects directly to Google's servers. Here's what Google receives:

• The visitor's IP address
• Browser type, version and operating system
• Screen resolution and device information
• The URL of your page where the map appears
• Any existing Google cookies on the visitor's device
• GPS or network-based location data if available

Google combines this with data from its other services. If the visitor is signed into their Google account, Google can connect this page visit to their identity, search history and advertising profile.

All of this happens before the visitor interacts with the map. Just loading the page is enough.

Run a free compliance scan to check if your website loads Google Maps without consent.

Why this needs consent under GDPR

The data transfer to Google is personal data processing under GDPR Article 4. IP addresses are personal data. The CJEU confirmed this in the Breyer case C-582/14 in 2016.

You're the one who put the embed on your page. Under the CJEU's Fashion ID ruling C-40/17, that makes you a joint controller alongside Google for the initial data collection. You can't pass the responsibility to Google.

To lawfully process this data, you need a legal basis under GDPR Article 6. The most practical option is consent. Legitimate interest is hard to argue here because there are alternatives that don't transfer data to Google.

Several European data protection authorities have taken enforcement action against websites that load Google services without consent. The Austrian DSB and French CNIL have both issued decisions against unconsented Google Analytics usage. The same logic applies to Google Maps.

Three alternatives to a standard Google Maps embed

Option 1: Static map image with a link

The simplest and most privacy-friendly solution. Take a screenshot of Google Maps or use a static maps API to generate an image. Display that image on your page. Link it to Google Maps so visitors can click through if they want interactive directions.

<a href="https://maps.google.com/?q=Your+Business+Name+Address"
   target="_blank"
   rel="noopener noreferrer">
  <img src="/images/location-map.webp"
       alt="Map showing our location at 123 Main Street, Amsterdam"
       loading="lazy"
       width="600"
       height="400">
</a>

No JavaScript. No cookies. No data transfer to Google until the visitor actively chooses to open Google Maps. Your page loads faster too.

The tricky part: don't use the Google Maps static image API directly in an img tag, because that still sends the visitor's IP to Google. Generate the image once, save it to your own server and serve it locally.

Option 2: OpenStreetMap embed

OpenStreetMap is a free, open-source mapping platform. You can embed it without sending data to Google.

<iframe
  src="https://www.openstreetmap.org/export/embed.html?bbox=4.89,52.37,4.91,52.38&layer=mapnik&marker=52.375,4.9"
  width="600"
  height="400"
  loading="lazy"
  title="Map showing our location">
</iframe>

OpenStreetMap still receives your visitor's IP address, so technically you should mention this in your privacy policy. But unlike Google, OpenStreetMap doesn't build advertising profiles or track users across websites. The privacy impact is much smaller.

For a more polished look, you can use Leaflet.js with OpenStreetMap tiles. This gives you interactive maps with custom markers and styling, all without Google.

Option 3: Consent-gated Google Maps

If you want to keep Google Maps, gate it behind consent. Replace the iframe with a placeholder that loads the actual map only after the visitor agrees.

<div class="maps-placeholder" id="google-map">
  <img src="/images/map-placeholder.webp" alt="Map location preview">
  <p>This map is provided by Google Maps. Loading it will send data to Google.</p>
  <button onclick="loadGoogleMap()">Load map</button>
</div>

<script>
function loadGoogleMap() {
  var container = document.getElementById('google-map');
  var iframe = document.createElement('iframe');
  iframe.src = 'https://www.google.com/maps/embed?pb=YOUR_EMBED_CODE';
  iframe.width = '600';
  iframe.height = '400';
  iframe.loading = 'lazy';
  iframe.title = 'Google Maps showing our location';
  container.replaceWith(iframe);
}
</script>

If you have a cookie consent management platform, integrate the map loading with your consent categories. Only load Google Maps when the visitor has accepted third-party or marketing cookies.

Which option should you pick?

For most small business websites, Option 1 is the best choice. A static image with a link gives visitors what they need, which is your location and a way to get directions. It loads instantly. It works on every device. It creates zero privacy issues.

If your visitors need to interact with the map, like searching for nearby branches or getting live directions, Option 3 works. Just make sure the consent mechanism is clear and the map doesn't load by default.

Option 2 is a good middle ground. Interactive map, no Google tracking. The trade-off is that OpenStreetMap is less familiar to some users and doesn't have the same search features.

How to check your current setup

Open your website in a fresh browser with no cookies. Open the developer tools Network tab. Load the page with your map. If you see requests to maps.google.com or maps.googleapis.com before you've interacted with anything, your map is loading without consent.

You can also use our cookie checker tool or run a full compliance scan to find unconsented third-party connections.

Common Questions

Is Google Maps on my contact page really a GDPR issue?

Yes. Every page that loads Google Maps transfers visitor data to Google without consent. It doesn't matter that it's just a contact page or that the map seems helpful. The data transfer is what triggers the GDPR requirement.

Can I argue legitimate interest for showing my business location?

It's difficult. Data protection authorities have generally rejected legitimate interest arguments when privacy-friendly alternatives exist. A static map image achieves the same purpose without sending data to Google. That makes legitimate interest hard to defend.

What about the Google Maps JavaScript API instead of the iframe?

The JavaScript API has the same problem. It still connects to Google's servers and transfers visitor data. Whether you use an iframe embed or the JavaScript API, you need consent.

Do I need to update my privacy policy if I use Google Maps?

Yes. If you use Google Maps in any form, your privacy policy should mention it. List Google as a data recipient, describe what data gets transferred and explain the legal basis. Our guide on privacy policy requirements covers all the required elements.

---

Check your website now Scan your website for GDPR issues including unconsented Google Maps embeds, free in 2 minutes. Scan your website