Google Maps can be embedded on websites with a map script. This allows an operator to display a map. It seems questionable why many websites do this, especially since Google Maps does not seem to conform to the GDPR. Probably, many are following old habits or imitating others.
Usefulness of Google Maps
The possible application scenarios for Google Maps or an interactive map in itself, which is what it's all about, are described below.
That most website operators haven't really thought about the benefits of Google Maps is shown by the fact that most embedded maps allow arbitrary zooming out (zooming out) and the map section can be moved arbitrarily as well. If you want to visit a butcher in Büttelborn, I wonder why a map has to show Brazil or why one can zoom out so far that the map shows all continents at once.
Privacy issues with Google Maps
By embedding Google Maps, files from several domains are accessed, namely from: maps.google.com fonts.googleapis.com ssl.gstatic.com www.google.com apis.google.com:
- google.com
- googlefonts.gstatic.com (Google Fonts, critically assessed since at least the judgment of the LG Munich from 20.01.2022)
- maps.googleapis.com
- maps.google.com
- _Google Maps and the GDPR Google Maps can be embedded on websites with a map script. It seems questionable why many websites do this, especially since Google Maps does not seem to conform to the GDPR. Probably many are following old habits or imitating others. https://khmsx.googleapis.com with x = 0,1 …
When using Google Maps on a website, certain user data is transferred, including the Google ID of a user who has logged in with their Google account. See the discussion about Google reCAPTCHA for more information on this topic.
The Dr. GDPR solution is absolutely privacy-friendly and available for free.
Further down you will see how to arrive at the solution.
When loading the Google Maps script and its parts, numerous cookies are transferred, including: Google Maps:
According to § 15 Abs. 3 TMG in a compliant interpretation with the ePrivacy Directive (Art. 5 Abs. 3), this is impermissible without consent. The TMG merged into the identical DDG in May 2024. A compliant interpretation is mandatory, as the BGH has ruled (Planet49 judgment). These cookies may not be involved for every user. Apparently, it depends on the browser configuration, and certainly also on the user's previous browsing history. ([1])
Update: It appears that no cookies are set when using the Google Maps JavaScript API. However, this usage method is not universal. Aside from cookies, other aspects also make Google Maps, even in its more privacy-conscious variant, appear questionable.
Loading Google Maps with cookies directly therefore violates data protection laws. There are further reasons related to transparent information (Art. 12 GDPR), purpose limitation, and data minimization (Art. 5 GDPR).
Possible settings, linked with the Google ID, are not necessary for a user-friendly display of the Google map: After deleting all cookies and reloading a webpage with a Google map, the map what displayed just as before. In particular, the language setting remained the same.
Instead of setting a new NID cookie, Google Maps actually resets it if it's not present after logging out from the Google account or manually deleting all cookies. ([1])
_Google Maps loads Google Fonts, which certainly does not simplify data exchange processes. Using Google Maps without consent thus appears hardly or not at all justifiable. The map tool from Google can be classified as tracker. ([1])
Does a cookie consent requirement apply to Google Maps?
Those who want to do it right, ask for consent on the map. This has several advantages:
- There is enough space where the map would be to request a reasonably legally sound consent
- Popular Consent Management Platforms are simply bad (this is my opinion after a comprehensive test).
- Relaxing the consent request can mean that a global consent can be waived and the user only needs to be asked for consent on the pages where the map is displayed. Furthermore, an existing global consent request becomes easier to manage because it no longer has to request so many individual consents.
Alternatives for Google Maps
I suggest replacing most Google Maps embeds on websites with alternative solutions, depending on the use case as follows:
Interactive Map – Solution by Dr. GDPR
On your website, an interactive map is displayed as usual, similar to Google Maps. The difference: The map is absolutely data protection compliant and can be represented in various ways. The first view shows a topological map:
The second view is the normal view analogous to OpenStreetMap:
The difference from embedding OpenStreetMap is that no data transfer takes place to the OpenStreetMap Foundation, which has its seat outside Europe. You no longer have to search in vain for the imprint or privacy policy on the OSM website to determine the person responsible for data processing. Furthermore, the map section is limited to your company's location plus a relevant surrounding area. In addition, the map offers practical functions such as an integrated button to call up a route plan or jump back to your location on the map.
Directions description
Remove the map completely, add a button to invoke a route planner, invoke Google Maps on maps.google.com in a new window. Example invocation of the route planner with a predefined destination address:
https://www.google.de/maps/?daddr=Hauptstrasse+23,11111+Musterstadt
Show location
Displaying the location might make sense for regional businesses.
I recommend using a stylized image of a map instead. This can either be created yourself (yes, it takes work, but is much more meaningful than a generic map without love) or you might find one from your city's marketing department. Where there's a will… An open-source project that can draw maps like the ones below is prettymaps.
Here is (not really stylized) a picture of the Innenstadt of Idstein, which could be one of several images taken to showcase the location of a shop in a way that promotes business. Other images could show the location from a bird's-eye view.
Clicking on the image even reveals what else is possible if you accept that there are solutions other than Google's.
If you really want to use a map, you should use an OpenStreetMap variant, which I will describe in another article. The variant is self-hosted or hosted by a service provider in Germany. Additionally, the map cannot be moved or zoomed arbitrarily. For a shop in Darmstadt, it's not necessary that Frankfurt or even all of Germany can be displayed.
Herding instinct
Herding behavior means: Everyone uses Google Maps, so the three-millionth website must also use Google Maps. Why, isn't entirely clear, but probably because everyone does it, and what many do must be right.
Solution: Remove the map. No one needs to see where a company is located on a map if they don't intend to go there. A map that shows a location from a maximum bird's-eye view, perhaps in the form of a world map, is not very helpful.
Displaying multiple locations
Use OpenStreetMap, preferably with hosting on your own server. Soon I will provide a solution for comfortably running OpenStreetMap on your website without transferring data to third parties. The problem with embedding OpenStreetMap via a server of the OpenStreetMap Foundation is that the address of this organization is not precisely named and no guarantees exist that this organization handles the received data (connection data of your visitors) carefully.
Update: There is a configurator for multiple locations, which are supposed to be shown on the same map at the same time. For each location, its own label can be displayed under the location symbol on the map.
In a separate article, alternatives for various other Google tools are described.
Who simply wants to view a map or link to one from their website should look at the Metager Map. The map is based on OpenStreetMap, but it's operated by a German provider who, according to their imprint, is non-profit.
The configuration tools for maps of different types (one location per map, multiple locations on the same map) are equipped with various features. For example, there is the possibility to generate a plugin for WordPress. After downloading the WordPress plugin, simply upload and activate it in the admin area of WordPress. Then, you can embed the interactive map at a desired location on a page (Page) or post (Post) using a shortcode called [iak]. After that, just add the data protection text to the page with the data protection declaration, including the necessary notice about the author, and it's done – the data protection compliant solution is complete. The interactive map keeps all user data locally and does not pass them on to third parties. That's how simple the world can be when you're not Google and don't want to collect endless amounts of data.
Key takeaways of this article
Embedding Google Maps on websites may violate data protection laws because it sets numerous cookies and transmits user data to Google.
Google Maps is a tracker and requires user consent for embedding on websites.
Avoid using Google Maps on your website due to its privacy concerns and reliance on a single provider. Instead, opt for open-source alternatives like OpenStreetMap, which you can host yourself.
With this WordPress plugin, you can embed a privacy-compliant interactive map on your website.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
