Mapbox is a leading commercial provider of vector maps, geocoding and navigation. The Mapbox GL JS SDK transmits the visitor IP and an anonymised telemetry signal to Mapbox US servers. Consent is required in the EU; the SDK telemetry can be disabled.
Mapbox is a leading commercial provider of vector maps, geocoding, navigation and location based developer services. The product line covers Mapbox GL JS (web map SDK), Mapbox Studio (visual style editor), Mapbox Geocoding API, Mapbox Directions API, Mapbox Map Matching, Static Images, Navigation SDK for mobile, Search Box and the Boundaries tilesets. Mapbox vector tiles render server side from OpenStreetMap, OpenAddresses and proprietary datasets combined.
At map initialisation, Mapbox GL JS sends the visitor IP, the user agent, the referrer URL, the access token and the requested tile coordinates to api.mapbox.com. By default the SDK also sends anonymised telemetry data (movement samples, viewport changes) to events.mapbox.com to improve the Mapbox products. The telemetry can be disabled with map.setConfigProperty(basemap, telemetry, false) or by setting the EventManager to disabled. Local storage is used to remember the user choice of opting out from the Mapbox attribution telemetry.
Loading the Mapbox SDK with default telemetry requires prior consent under GDPR art. 6(1)(a) and ePrivacy art. 5(3) because the SDK writes a local storage entry, sends anonymised telemetry and transfers the IP to the United States. When telemetry is disabled and only tiles are fetched, legitimate interest can be argued for the map necessary to deliver the requested service, but the Munich Google Fonts ruling logic applies because the IP still goes to a US server. A click to load wrapper is the recommended pattern.
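A minimal click to load wrapper, as an added example that is not Mapbox's or this page's own code: no script is injected and no request leaves for Mapbox until the visitor has agreed. The names mountClickToLoadMap, hasConsent, recordConsent and initMap are hypothetical, and SDK_URL is a placeholder for the SDK URL the site actually uses.

```javascript
// Placeholder (assumption): replace with the real SDK URL used by the site.
const SDK_URL = 'https://api.mapbox.com/<sdk-path-placeholder>/mapbox-gl.js';

// doc: the page's document; container: the element that will hold the map.
// hasConsent/recordConsent: hooks into the site's CMP (hypothetical names).
// initMap: site code that creates the map once the SDK is present, with the
// telemetry setting chosen by the site.
function mountClickToLoadMap(doc, container, { hasConsent, recordConsent, initMap }) {
  let loading = null;

  function loadSdk() {
    if (loading) return loading; // inject the third-party script at most once
    loading = new Promise((resolve, reject) => {
      const script = doc.createElement('script');
      script.src = SDK_URL;
      script.onload = () => resolve();
      script.onerror = () => reject(new Error('map SDK failed to load'));
      doc.head.appendChild(script); // first contact with the third party
    });
    return loading;
  }

  async function activate() {
    await loadSdk();
    container.replaceChildren(); // drop the placeholder
    initMap(container);
  }

  // Consent already stored by the CMP: load straight away.
  if (hasConsent()) return activate();

  // No consent yet: render first-party content only.
  const button = doc.createElement('button');
  button.type = 'button';
  button.textContent = 'Load interactive map (contacts Mapbox servers in the US)';
  button.addEventListener('click', () => {
    recordConsent();
    activate();
  }, { once: true });
  container.replaceChildren(button);
  return Promise.resolve(null);
}
```

In the browser, call it with document and the map container; a first-party static image can be shown next to the button as the fallback for visitors who never click.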
Mapbox runs the api.mapbox.com endpoint from the US by default. EU customers on enterprise plans can request EU tile delivery, but the account API, the events API and the Mapbox Studio remain US based. Mapbox is certified under the EU US Data Privacy Framework with 2021 SCCs as fallback. A Transfer Impact Assessment must be on file. Mapbox publishes its sub processor list and an audit report (SOC 2 type II).
Disable the Mapbox telemetry at SDK initialisation, use a click to load wrapper, integrate with a TCF v2.2 CMP, request EU tile delivery on the enterprise plan, list Mapbox as a sub processor in the privacy notice, sign the Mapbox DPA, mention the Data Privacy Framework certification, and consider migrating to MapLibre GL JS with an EU tile provider (Stadia, MapTiler) for full EU residency.
Websites using Mapbox must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for any Mapbox deployment in the EU because the SDK transmits the visitor IP, the access token and the anonymised telemetry signal to Mapbox US infrastructure. The DPIA should cover the Mapbox SDK telemetry toggle, the use of the Mapbox Geocoding or Directions API (which may contain freeform addresses), the EU tile delivery option, the integration with a CMP and the Mapbox Data Privacy Framework certification.
Sample consent text
Our website displays maps powered by Mapbox, operated by Mapbox Inc. (United States). When the map loads, the Mapbox GL JS SDK transmits your IP address, your user agent and the access token to Mapbox servers in the United States and sends anonymised telemetry to improve the service. With your consent we activate the map; refusing displays a static fallback image. Data is processed under the EU US Data Privacy Framework.
Third-party domains contacted
api.mapbox.com, events.mapbox.com, a.tiles.mapbox.com, b.tiles.mapbox.com, c.tiles.mapbox.com, d.tiles.mapbox.com, mapbox.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| mapbox.attribution.show (Local Storage) | First party (Mapbox GL JS local storage) | Persistent | Stores the visitor choice to dismiss the Mapbox attribution telemetry banner |
| mapbox.eventData.uuid (Local Storage) | First party (Mapbox GL JS local storage, when telemetry enabled) | Persistent | Stores a UUID used by the Mapbox SDK to deduplicate anonymous telemetry events; only present when telemetry is enabled |
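To verify that a consent gate works, the request log of a page load can be checked against the third-party domains listed above. This is an added example, not code from Mapbox or this page; the function names, the entry shape ({ url, t }) and the sample capture are constructed for illustration.

```javascript
// Domains from the "Third-party domains contacted" list on this page.
const LISTED_DOMAINS = [
  'api.mapbox.com', 'events.mapbox.com', 'a.tiles.mapbox.com',
  'b.tiles.mapbox.com', 'c.tiles.mapbox.com', 'd.tiles.mapbox.com', 'mapbox.com',
];

// Exact host or true subdomain only; substring matching would wrongly
// accept look-alike hosts such as "mapbox.com.example.net".
function matchesListedDomain(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, '');
  return LISTED_DOMAINS.some((d) => h === d || h.endsWith('.' + d));
}

// entries: [{ url, t }] with t in ms since navigation start (e.g. from a HAR).
// consentAt: ms at which consent was recorded, or null if never granted.
function findPreConsentRequests(entries, consentAt) {
  const findings = [];
  for (const { url, t } of entries) {
    let host;
    try {
      host = new URL(url).hostname;
    } catch {
      continue; // malformed URL in the capture: nothing to attribute
    }
    if (!matchesListedDomain(host)) continue;
    if (consentAt === null || t < consentAt) {
      findings.push({ host, t, telemetry: host === 'events.mapbox.com' });
    }
  }
  return findings;
}

// Constructed sample capture; paths are placeholders.
const SAMPLE_CAPTURE = [
  { url: 'https://www.example.org/index.html', t: 0 },
  { url: 'https://api.mapbox.com/placeholder-style', t: 120 },
  { url: 'https://mapbox.com.example.net/x', t: 130 }, // look-alike, not Mapbox
  { url: 'https://events.mapbox.com/placeholder', t: 900 },
  { url: 'https://a.tiles.mapbox.com/placeholder', t: 2500 },
];

// With consent recorded at t = 2000 ms, the api and events requests are findings.
const SAMPLE_FINDINGS = findPreConsentRequests(SAMPLE_CAPTURE, 2000);
```

An empty result for a capture taken without interacting with the page means the gate held; any finding with telemetry set to true means the events endpoint was reached before consent.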
Mapbox uses cookies for user preferences — inform visitors with a consent banner.
Mapbox does not set classic cookies. Mapbox GL JS stores a local storage entry for the attribution telemetry opt out. The map sends the IP and an anonymised telemetry signal to events.mapbox.com unless telemetry is disabled at SDK initialisation.
Yes with default settings, because the SDK telemetry transmits anonymised location samples and the IP to Mapbox US servers. If telemetry is disabled and only tiles are fetched, the Munich Google Fonts ruling logic still suggests consent because the IP goes to a US server.
Consent (GDPR art. 6(1)(a)) for the default SDK with telemetry. Legitimate interest (art. 6(1)(f)) is defensible only when telemetry is disabled, the map is essential to the service, a balancing test is documented and Data Privacy Framework is in place.
Yes by default. api.mapbox.com and events.mapbox.com are operated from the US. EU tile delivery is available on enterprise plans but the account and events endpoints remain US. Mapbox is certified under the EU US Data Privacy Framework with SCCs 2021 fallback.
Recommended in most cases because of the persistent US transfer and the telemetry. The DPIA should document the SDK telemetry toggle, the use of Geocoding or Directions APIs that may contain freeform addresses and the EU tile delivery option.
Disable telemetry at SDK initialisation, use a click to load wrapper, integrate with a TCF v2.2 CMP, request EU tile delivery on enterprise, sign the Mapbox DPA, list Mapbox in the privacy notice, and consider migrating to MapLibre GL JS with an EU tile provider for full EU residency.
MapLibre GL JS (open source fork of Mapbox GL JS) with EU tile providers like Stadia Maps, MapTiler, Geoapify or CARTO Madrid. Other EU options: Leaflet with OpenStreetMap tiles, OpenLayers. For commercial parity in the US camp: Google Maps Platform, Apple MapKit JS, Microsoft Azure Maps.
List Mapbox Inc. as a sub processor, declare the local storage entry for telemetry opt out, mention the IP transfer to api.mapbox.com and events.mapbox.com in the United States under the Data Privacy Framework, link to the Mapbox Privacy Policy and provide a DSAR contact.