Apple MapKit JS is the official JavaScript SDK that lets a website embed interactive Apple Maps with tiles, geocoding, search and routing, authenticated via a developer issued JWT.
Apple MapKit JS is the JavaScript implementation of Apple's mapping SDK. It mirrors the native MapKit API used by iOS and macOS apps and lets web developers embed Apple Maps with interactive tiles, search, geocoding, directions, and overlays. Apple positions it as a privacy-oriented alternative to Google Maps and Mapbox, with a free monthly quota for most websites.
You authenticate calls by generating a short-lived JSON Web Token signed with a private key from your Apple Developer account. The JWT is passed to mapkit.init. The SDK then loads tiles from cdn.apple-mapkit.com, fetches search results and routes from api.apple-mapkit.com, and renders the map. MapKit JS does not require the user to be logged in with an Apple ID.
Apple MapKit JS is largely cookieless on the loading page. However, Apple servers receive the user IP, the user agent, the JWT (including your developer team ID and your origin), the tile coordinates, the search query, and the route coordinates. If you use the browser Geolocation API, precise GPS coordinates can be sent to Apple after explicit user authorisation.
IP addresses and geolocation are personal data. Even though MapKit JS does not rely on third party cookies, it loads scripts from Apple servers, which qualifies as access to terminal equipment for transmission purposes that go beyond what is strictly necessary. EU regulators commonly require prior consent for embedded maps. Apple acts as an independent controller for service improvement, in addition to being a processor for the requested map functionality.
Apple Inc is a US company and runs Apple Maps Server with EU and US infrastructure. Transfers are covered by the EU-US Data Privacy Framework (Apple is certified) and by Standard Contractual Clauses. Document the transfer in your record of processing activities.
Use a click-to-load placeholder that mentions Apple Maps, Apple Inc and the US transfer. Block mapkit.js from loading by default in your CMP. Generate short-lived JWTs server-side, do not embed long-lived secrets in the page, and ensure the origin claim restricts the JWT to your domains. Disclose Apple Maps in your privacy notice with the categories of data and the transfer mechanism.
Websites using Apple MapKit JS must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended on consumer journeys that combine MapKit JS with precise geolocation, especially when the map is loaded on every page. Document the JWT chain, the storage of search queries by Apple, the transfer mechanism, and the option to use a privacy friendly fallback map.
Sample consent text
We embed Apple Maps (MapKit JS) to display locations and routes. The map loads from Apple and processes your IP and approximate location on Apple servers in the EU and the United States. We only enable it after you accept the maps and embeds category in our cookie banner.
Third-party domains contacted
cdn.apple-mapkit.com
api.apple-mapkit.com
sat-cdn.apple-mapkit.com
maps.apple.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mk_token | localStorage | Session | Caches the developer issued JSON Web Token used to authenticate MapKit JS calls during the page session. |
| mk_locale | localStorage | 30 days | Stores the resolved locale and unit preferences used by MapKit JS to localise tiles and search results. |
Apple MapKit JS uses cookies for user preferences — inform visitors with a consent banner.
MapKit JS is largely cookieless on the host page, which makes it appealing for privacy minded sites. Apple servers still receive technical metadata such as IP, user agent, JWT claims and search queries on every tile or API call.
In most cases yes. Loading scripts from cdn.apple-mapkit.com is access to terminal equipment that goes beyond what is strictly necessary, and IP and queries are processed by a US provider. EU regulators commonly require prior consent for embedded maps.
Consent under Article 6(1)(a) GDPR is the safest legal basis. Legitimate interest can be considered only when the map is strictly necessary to deliver the user request (for example, a delivery address picker), with a documented balancing test.
Apple Maps Server is operated globally by Apple Inc, with EU and US presence. Transfers rely on the EU-US Data Privacy Framework and on Standard Contractual Clauses. A Transfer Impact Assessment is recommended.
A DPIA is recommended when MapKit JS is combined with precise geolocation, on consumer journeys at scale, or alongside other tracking. Document the JWT chain, the data sent to Apple, and the impact on data minimisation.
Use a click-to-load placeholder, gate mapkit.js behind consent in your CMP, generate short-lived JWTs server-side, restrict the origin claim to your domains, and disclose Apple Maps in your privacy notice. Provide a static fallback if the user declines consent.
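One way to implement the token advice given here and in the earlier recommendations (short-lived JWT generated server-side, origin claim restricted to your domains), as an added Node.js example that is not from the original page or from Apple. The team ID, key ID and allowed origin are placeholders, the 30-minute cap is an assumed site policy, and a throwaway P-256 key stands in for the private key from your Apple Developer account.

```javascript
// Added example: server-side (Node.js) minting of a short-lived, origin-bound MapKit JS token.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Assumed site policy, not Apple limits: cap token lifetime and pin the origin claim.
const MAX_TTL_SECONDS = 30 * 60;
const ALLOWED_ORIGINS = new Set(['https://www.example.com']); // placeholder domain

const b64url = (value) => Buffer.from(value).toString('base64url');

function mintMapKitToken({ teamId, keyId, privateKey, origin, ttlSeconds = 600, now = Date.now() }) {
  if (!ALLOWED_ORIGINS.has(origin)) throw new Error(`origin not allowed: ${origin}`);
  if (!Number.isInteger(ttlSeconds) || ttlSeconds < 1 || ttlSeconds > MAX_TTL_SECONDS) {
    throw new Error(`ttl outside policy: ${ttlSeconds}`);
  }
  const iat = Math.floor(now / 1000);
  const header = { alg: 'ES256', kid: keyId, typ: 'JWT' };
  const payload = { iss: teamId, iat, exp: iat + ttlSeconds, origin };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS ES256 uses the raw r||s signature (IEEE P1363), not OpenSSL's default DER encoding.
  const signature = sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(signature)}`;
}

// Pre-release check: confirm what the browser (and Apple) will see in the token.
function auditToken(token, publicKey, now = Date.now()) {
  const [head, body, sig] = token.split('.');
  const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  return {
    signatureOk: verify('sha256', Buffer.from(`${head}.${body}`),
      { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url')),
    lifetimeSeconds: payload.exp - payload.iat,
    originPinned: ALLOWED_ORIGINS.has(payload.origin),
    expired: payload.exp <= Math.floor(now / 1000),
  };
}

// Constructed demo values: a throwaway key pair and placeholder team/key IDs.
const demoKeys = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const demoToken = mintMapKitToken({
  teamId: 'TEAMID0000', keyId: 'KEYID00000', privateKey: demoKeys.privateKey,
  origin: 'https://www.example.com',
});
console.log(auditToken(demoToken, demoKeys.publicKey));
```

The private key is only ever loaded on the server; the browser receives just the signed token to hand to mapkit.init.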
Alternatives include Google Maps, Mapbox, MapTiler, HERE Maps, Leaflet with OpenStreetMap tiles, and protomaps for fully self hosted vector tiles. MapTiler and protomaps support EU only hosting and are often the best fit for European audiences.
Even without third party cookies, list Apple MapKit JS as a third party embed, explain that IP and search queries are processed by Apple in the EU and the US, describe the JWT mechanism, and link to Apple's privacy policy.