blueredix logo
SCAN On-demand vulnerability scans from €149
high gdpr-google-maps-embedded

Google Maps embedded without a consent gate

A live Google Maps iframe sends visitor IPs to Google before consent. Use a click-to-load placeholder or the Maps Static API for simple location displays.

What this means in plain English

Your site embeds Google Maps the canonical way:

<iframe src="https://www.google.com/maps/embed?pb=...">…</iframe>

Or it loads the Google Maps JavaScript API. Either form transmits the visitor’s IP address, user agent, and the URL of the embedding page to Google as soon as the page is parsed. The mechanics are identical to Google Fonts. Consent is required.

Why it matters

The legal analysis is the same as for Google Fonts, and German courts have ruled on Maps in the same direction.

  • LG Frankfurt am Main, 2-03 O 15/22 (December 2022) ordered the operator to stop embedding Maps without consent.
  • Multiple cease-and-desist actions in 2023–2025 by competition associations and individual data subjects.

Maps is also a much heavier embed than Fonts. A typical Maps iframe loads several megabytes of JavaScript, sets several cookies, and maintains a persistent connection while the page is open. The data exposure per visit is correspondingly larger.

How to fix it

For the typical “where to find us” use case on a contact page, you have three good options.

Option A: click-to-load placeholder (best UX, full functionality)

Replace the iframe with a static image that says “click to load the interactive map”. When the visitor clicks, swap in the iframe. Most consent platforms ship a Maps wrapper that does this for you in a single setting. For plain HTML:

<div id="map-placeholder">
  <img src="/images/map-static.png" alt="Map showing our location">
  <button onclick="loadMap()">Show interactive map</button>
</div>
<script>
function loadMap() {
  document.getElementById('map-placeholder').innerHTML =
    '<iframe src="https://www.google.com/maps/embed?…"></iframe>';
}
</script>

For a fixed marker on a fixed location, generate a single PNG via Google’s Maps Static API at deploy time and serve it as a regular image from your own server. The visitor’s browser never talks to Google. The free tier covers 28,000 requests per month, which is plenty for a small business website.

Option C: OpenStreetMap (no Google involvement)

Self-host a Leaflet plus OpenStreetMap embed. Full interactivity, no third-party question, no warning-letter exposure. Slightly more setup than Maps but well-documented.

Some German cities also offer a self-hosted alternative through “AdminMap” services run by individual states.

Further reading