Integrate Google Maps in a GDPR-compliant manner – is that possible?
The map service of Google.
- Headquarters: Mountain View, California, United States
- Category: Maps
- Legal Basis: Consent required via Consent Management Platform (CMP)
What is Google Maps?
Over the years, Google Maps has driven atlases and large map books from the shelves at home and the glove compartment in the car. We no longer have to remember addresses or directions. Google knows what we’re looking for – maybe even before we look for it.
Even on company websites, Google Maps is integrated almost by default to allow customers to find the company location quickly and easily. Very few people know what happens in the background. This is because, as with all Google services, cookies are set and website visitor data is processed.
Data transfer to the USA: Google Maps belongs to Google LLC and transfers data to a non-European country with different data protection laws. For a long time, the Privacy Shield, an agreement between the USA and Europe, applied to the transfer of data to the USA. It has since been overturned by the ECJ due to insufficient data protection levels (Schrems II ruling). The Privacy Shield is therefore no longer a legal basis within the meaning of Article 46 (2) of the GDPR.
The only remaining legal basis at present is the standard data protection clauses, which have not yet been overturned by the ECJ but are unlikely to be suitable should a case arise. Solutions (possibly new agreements) remain to be found. Until then, caution is advised when it comes to service providers from the USA, and it is urgently advised to look for suitable alternatives from the EU, as these are subject to the General Data Protection Regulation (GDPR).
How do I use Google Maps on commercial websites in a privacy compliant way?
Despite these data protection uncertainties and the lack of transparency regarding the purposes of data processing by Google, many companies do not want to do without Google Maps. Here you can find out how to integrate the service into your website in the most privacy-compliant way possible.
Privacy compliant integration of Google Maps
1. Via a Google Maps API
An API (application programming interface) is an interface for integrating third-party services into a website. An API code enables the unique authentication of users/developers or a program and is assigned to the respective website (after creating a Google enterprise account). Google can then use this interface to track map accesses through the website. This type of integration can be done in two ways:
Via the embed function for interactive maps using an HTTP request.
Classic way: Via JavaScript with several Google functions.
2. Inclusion in the Consent Management Platform
The integration of Google Maps means that when the page is called up, cookies may be set by Google (at least the so-called NID cookie), which store user settings and information and establish a connection to the Google network. In this way, various information can be evaluated there within user profiles (even if the users are not logged into a Google account).
For this reason, cookies from Google Maps must be categorized as analysis cookies and must be listed in the cookie banner with a granular opt-in function.
Legal foundation for the processing
The basis for the processing of the data results from the GDPR in combination with the TTDSG, whereby the GDPR takes precedence should the two ever conflict.
The GDPR regulates the processing of personal data and the TTDSG focuses on access to the end device, e.g. the use of cookies.
When is there a requirement for consent?
Personal Data
The processing of personal data is only permitted if at least one of the letters of Art. 6 (1) GDPR is fulfilled. The two important letters are the following:
- The data subject has given their consent (lit. a)
- The processing is necessary to protect your legitimate interest (lit. f)
Cookies
According to Art. 25 (1) TTDSG, consent is required if cookies are set that are not technically absolutely necessary.
It should be noted that this covers not only the well-known small text files and pixels, but all technologies that make it possible to identify, link or infer a user, a user agent or a device.
Thus, all information elements that enable the identification of a person are subject to consent.
The requirements for exemption from consent
To ensure consent-free use, the following conditions would need to be met:
1. Conclusion of a processing contract with the processor
2. No use of cookies or similar profiling techniques
3. Processing of personal data exclusively in Europe
4. The processor does not use the obtained data for its own purposes
5. The processor does not link or enrich the data across different websites
6. Possibility of opting out or revoking as well as detailed information about the collection of personal data in the privacy statement
7. IP anonymization (“Privacy by Default”)
8. Automatic opt-out for Do-Not-Track settings in the browser
9. Proof of points 1-8 carried out by the website operator
IP address
Note that the IP address generally counts as personal data. If you want to prevent personal data from being transmitted, you must always ensure that the IP address is disguised.
Server location
As long as it is not clear whether data is collected at a secure server location, compatibility with the GDPR is difficult to establish.
Company headquarters
In the case of American companies or their subsidiaries, the fact that the company is American must also be taken into account. Since the ruling on the Privacy Shield, American companies are considered to belong to an insecure third country.
Why is Google Maps subject to consent?
- Even if data were processed on a server in a secure third country, consent pursuant to Art. 6 (1) lit. a GDPR must nevertheless be obtained for the use of Google Maps in any case, as data is stored by the service.
- Accordingly, the Google Maps service may only be loaded after consent; otherwise a connection to one of the servers would already be established.
- Fulfilling the obligation to provide information according to Art. 13 GDPR in the privacy statement is another hurdle, since information about the third country is missing and thus no transparent information can be provided.
This means that there are violations of points 1, 2, 3 and 7 above. Freedom from consent cannot be established.
Conclusion
The ECJ has decided that there is a general consent requirement for all cookies that are not absolutely necessary for the operation of the website. The argument of legitimate interest (Art. 6 para. 1 lit. f GDPR) is unfortunately not applicable in the case of Google Maps. Although the service represents an added value for users, it cannot be considered technically absolutely necessary. A visit to the website is also possible without Google Maps, without any problems or restrictions. At the same time, one must include possible alternatives in one’s argumentation, and at that point at the latest there are few arguments left on the side of legitimate interest.
Long story short: For the use of Google Maps you need the prior, informed, explicit and voluntary consent of your users.
Proposed solution: Two clicks are enough!
Important: Personal data may only be transferred after consent has been given. This means that no cookies may be set before the user has given his/her opt-in by actively setting a check mark. A common way to technically ensure that no data is transferred without permission is the two-click solution (available from some CMP providers such as Borlabs or Usercentrics).
Here, a graphic or static image of the map is first displayed in the place where the map should appear. This placeholder is uploaded to your own website and therefore does not transfer any data yet. A note may appear in this graphic informing users that they can only see the map after they have consented to data transmission by Google Maps. At this point, the privacy policy should be linked again. After the users have agreed, the desired map from Google Maps appears at this point.
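The two-click pattern described above, as an added example (not code from this page, Borlabs or Usercentrics). The storage key, the `map-slot` element id, the image path, the privacy URL and the `pb` value of the embed URL are placeholders. `externalHosts` is a helper for checking that the pre-consent markup references no third-party host.

```javascript
// Added example: two-click gate for a Google Maps embed.
// Assumptions: all names, paths and the embed URL value below are placeholders.
const CONSENT_KEY = "consent.google-maps";
const MAP_CONFIG = {
  embedUrl: "https://www.google.com/maps/embed?pb=PLACEHOLDER",
  placeholderImg: "/img/map-placeholder.png", // static image served from your own host
  privacyUrl: "/privacy",
};

const hasConsent = (storage) => storage.getItem(CONSENT_KEY) === "granted";
const grantConsent = (storage) => storage.setItem(CONSENT_KEY, "granted");
const revokeConsent = (storage) => storage.removeItem(CONSENT_KEY);

// Returns the markup for the map slot. Before consent it contains only
// first-party resources, so no request reaches Google and no cookie is set.
function renderMapSlot(storage, cfg = MAP_CONFIG) {
  if (hasConsent(storage)) {
    return `<iframe src="${cfg.embedUrl}" loading="lazy" referrerpolicy="no-referrer"></iframe>` +
      `<button data-action="revoke">Hide map and withdraw consent</button>`;
  }
  return `<img src="${cfg.placeholderImg}" alt="Static map placeholder">` +
    `<p>The map is shown only after you consent to data transmission to Google Maps. ` +
    `<a href="${cfg.privacyUrl}">Privacy policy</a></p>` +
    `<button data-action="grant">Load map</button>`;
}

// Lists absolute hosts referenced by src/href attributes in the markup.
function externalHosts(html) {
  return [...html.matchAll(/(?:src|href)="https?:\/\/([^/"]+)/g)].map((m) => m[1]);
}

// Browser wiring: first click grants consent and swaps the placeholder for the map.
function mountMapSlot(el, storage) {
  el.innerHTML = renderMapSlot(storage);
  el.onclick = (ev) => {
    const action = ev.target.dataset && ev.target.dataset.action;
    if (action === "grant") grantConsent(storage);
    else if (action === "revoke") revokeConsent(storage);
    else return;
    el.innerHTML = renderMapSlot(storage);
  };
}

if (typeof document !== "undefined") {
  const slot = document.getElementById("map-slot");
  if (slot) mountMapSlot(slot, window.localStorage);
}
```

Withdrawing consent removes the iframe, but cookies already set under Google's domain cannot be deleted by the embedding page.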
Cookiebox secret tip: privacy-compliant alternative
A 100% privacy-compliant integration of Google Maps and other Google services is not possible due to the current legal situation (keyword: Privacy Shield and data transfer to the USA). If you want to be on the safe side, we recommend the alternative OpenStreetMap, which is based in the United Kingdom.