Google Maps is a mapping service that can be embedded on your website. When loaded directly, it sets cookies and transfers data to Google servers in the United States, requiring user consent before the map loads.
Google Maps is a web mapping platform operated by Google LLC. Website owners embed it via an iframe to display interactive maps, directions, and location pins. While extremely useful, embedding Google Maps directly triggers cookie-setting and data transmission to Google servers in the United States before the visitor has had any opportunity to consent.
When a Google Maps iframe loads, Google deposits several cookies on the visitor's device. The NID cookie stores user preferences and lasts up to 13 months. The CONSENT cookie records whether the user has interacted with Google's consent interface and persists for 2 years. The 1P_JAR cookie aggregates website statistics and is used for advertising purposes, lasting about one month. The SOCS cookie manages Google's own consent state and typically lasts 13 months. All of these are considered non-essential cookies under GDPR and the ePrivacy Directive, meaning prior consent is mandatory before the map can load.
Under GDPR and the ePrivacy Directive, you must obtain freely given, specific, informed, and unambiguous consent before loading any non-essential third-party content, including Google Maps. Embedding the map directly without a consent gate is non-compliant. Your cookie policy must list every cookie Google Maps sets, its purpose, duration, and the data controller (Google LLC). You must also disclose the transfer of personal data to the United States under Standard Contractual Clauses and include Google in your list of sub-processors.
The most common compliant approach is the two-click solution: replace the iframe with a placeholder image or a blurred map preview and a consent button. Only after the visitor clicks to accept does the real Google Maps iframe load and cookies get set. This pattern is accepted by European supervisory authorities as a valid implementation of prior consent for third-party embeds. Consent management platforms and dedicated plugins can automate this flow and integrate it with your broader cookie consent record.
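The two-click pattern described above, as an added example that is not code from this page or from any consent plugin. It assumes a container element carrying a hypothetical data-map-src attribute with the embed URL; the attribute name, the storage key, the host allowlist and the button label are illustrative choices.

```javascript
// Added example (not the page's code): two-click gate for a Google Maps embed.
// Assumed names: data-map-src attribute, CONSENT_KEY, ALLOWED_HOSTS.
const ALLOWED_HOSTS = new Set(['www.google.com', 'maps.google.com']);
const CONSENT_KEY = 'consent.google-maps';
const NOTICE = 'To display this interactive map, we need to load content from ' +
  'Google Maps (Google LLC, USA). This will allow Google to set cookies and ' +
  'collect data about your usage.';

// Accept only https Maps URLs on an expected host, so the attribute cannot be
// used to frame an arbitrary origin once consent is given.
function validatedMapSrc(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }
  const ok = url.protocol === 'https:' && ALLOWED_HOSTS.has(url.hostname) &&
    url.pathname.startsWith('/maps');
  return ok ? url.href : null;
}

// Render the placeholder. No iframe element exists, so the browser makes no
// request to Google, until the visitor clicks or a stored choice is found.
function mountGate(doc, container, storage) {
  const src = validatedMapSrc(container.getAttribute('data-map-src'));
  if (!src) return 'rejected';
  const load = () => {
    const frame = doc.createElement('iframe');
    frame.setAttribute('src', src);
    frame.setAttribute('title', 'Google Maps');
    frame.setAttribute('referrerpolicy', 'no-referrer');
    container.replaceChildren(frame);
  };
  if (storage.getItem(CONSENT_KEY) === 'granted') { load(); return 'loaded'; }
  const notice = doc.createElement('p');
  notice.textContent = NOTICE;
  const button = doc.createElement('button');
  button.textContent = 'Load map';
  button.addEventListener('click', () => {
    storage.setItem(CONSENT_KEY, 'granted'); // record the choice, then load
    load();
  });
  container.replaceChildren(notice, button);
  return 'gated';
}

// Browser wiring; skipped when run outside a page (e.g. under Node).
if (typeof document !== 'undefined') {
  document.querySelectorAll('[data-map-src]')
    .forEach((el) => mountGate(document, el, window.localStorage));
}
```

The page's HTML must not contain the real iframe at all: a src attribute present in the markup is fetched before any script runs.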
Google LLC is a US company subject to US surveillance laws, including FISA 702. Data transferred when Google Maps loads flows to Google infrastructure in the United States. This transfer is covered by Google's SCCs and the EU-US Data Privacy Framework (if Google has certified). You must disclose this transfer in your privacy policy and, where required, in a Data Protection Impact Assessment. Visitors located in the EU have the right to know their data may be accessed by US authorities under certain legal frameworks.
If you want to show a location without triggering Google cookies, consider using a static map image generated via the Google Maps Static API (which can be server-side rendered without client-side cookies), an OpenStreetMap-based embed such as Leaflet.js (no Google cookies), or a simple address block with a link that opens Google Maps in a new tab only when the visitor chooses to click it. Each option trades interactivity for compliance simplicity.
Websites using Google Maps must obtain user consent under GDPR regulations.
DPIA considerations
Google Maps embeds transfer geolocation data and user identifiers to Google LLC in the United States under SCCs. A DPIA is recommended before embedding Google Maps if significant personal data (location, browsing behaviour) is collected. Assess the necessity of embedding the full map versus using a static map image. Consider whether the two-click solution or a consent-gated iframe adequately mitigates risk. Google's data processing terms and SCCs should be reviewed and documented. If processing location data of EU residents, Article 35 GDPR may apply.
Sample consent text
To display this interactive map, we need to load content from Google Maps (Google LLC, USA). This will allow Google to set cookies and collect data about your usage. Do you consent to loading the map?
Third-party domains contacted
maps.googleapis.com
maps.google.com
fonts.gstatic.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | Preference | 13 months | Stores user preferences (language, region, number of search results) to personalise the Google Maps experience. |
| CONSENT | Functional | 2 years | Records whether the visitor has seen and interacted with Google's consent interface, and stores the consent state across Google services. |
| 1P_JAR | Marketing | 1 month | Aggregates website statistics and is used by Google for advertising measurement and optimisation purposes. |
| SOCS | Functional | 13 months | Manages Google's consent state for the current user, used to remember choices made in Google's own consent dialogs across sessions. |
Google Maps uses cookies for user preferences — inform visitors with a consent banner.
Yes. When a Google Maps iframe loads on a page, Google immediately sets several cookies on the visitor's device, including NID (preferences, 13 months), CONSENT (consent tracking, 2 years), 1P_JAR (advertising and analytics, 1 month), and SOCS (consent state, 13 months). These cookies are set before any user interaction with the map and are classified as non-essential, meaning prior consent is required under GDPR and the ePrivacy Directive.
Yes. Because Google Maps sets non-essential cookies and transfers personal data to Google LLC in the United States, you must collect freely given, specific, informed, and unambiguous consent from each visitor before the map loads. Simply embedding the iframe without a consent gate is non-compliant. The two-click solution and a consent management platform integration are the standard implementation approaches accepted by European supervisory authorities.
The two-click solution replaces the Google Maps iframe with a placeholder (a static image, a blurred preview, or a notice banner) and a consent button. The map only loads after the visitor actively clicks to accept. This approach ensures no Google cookies are set and no data is transferred to Google before consent is given. It is the most widely used and legally accepted pattern for compliant Google Maps embeds in the EU.
Yes. When Google Maps loads, data including IP addresses, device identifiers, and browsing behaviour is transmitted to Google LLC servers in the United States. This constitutes an international data transfer under GDPR Chapter V. The transfer relies on Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework certification. You must disclose this transfer in your privacy policy and in any relevant Data Protection Impact Assessment.
Yes. Using the Google Maps Static API to generate a map image server-side means no Google JavaScript runs in the visitor's browser and no cookies are set client-side. Alternatively, OpenStreetMap-based libraries such as Leaflet.js provide interactive maps without Google cookies or US data transfers. A simple text address with a link that opens Google Maps in a new tab only when the visitor clicks it is also a privacy-friendly option that requires no consent.
Consent (Article 6(1)(a) GDPR) is the applicable legal basis for loading a Google Maps embed, because it sets non-essential cookies and transfers data to a third party for purposes that include advertising and analytics. Legitimate interest cannot be relied upon to justify non-essential cookie placement under the ePrivacy Directive. You must therefore implement a consent mechanism and ensure your records of processing activities reflect this basis.
A DPIA is recommended if your use of Google Maps involves large-scale processing of location data or if the map is used to infer sensitive information about visitors. Under Article 35 GDPR, a DPIA is mandatory when processing is likely to result in a high risk to individuals. Even where not strictly mandatory, documenting an assessment of the risks posed by the US data transfer and the effectiveness of the SCCs is considered best practice by most European data protection authorities.
Your cookie policy must list each cookie set by Google Maps (NID, CONSENT, 1P_JAR, SOCS), its purpose, duration, and the data controller (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). You must also note the US data transfer and link to Google's privacy policy. If you use a consent management platform, ensure Google Maps is categorised under the appropriate consent category (typically "Marketing" or "Functional" depending on how you use the embed) and that the consent record includes the user's choice for this specific service.