Come, I’ll show you the world! 🌎
The online map service of the US tech giant has been decorating various websites on the World Wide Web for years. Instead of a dry address, companies, restaurant owners and supermarket chains, for example, have the opportunity to visualise their locations and directions using a smart digital map – worldwide.
Sounds fantastic at first glance!
But: When integrating Google Maps, website operators can quickly step into nasty data protection pitfalls and, as a result, sometimes have to pay high fines. In this article, we will show you how to integrate Google Maps into your WordPress website in the best possible way and in compliance with data protection laws.
What is Google Maps
Seeing all corners of the world – this is exactly what can be done with the Google service (at least in theory). The digital map service is primarily used for navigation, to calculate routes and find parking spaces. But Google Maps is also no longer a foreign word to culture lovers, travel enthusiasts and gourmet tasters. Finding new restaurants, theatres, sights, exhibitions and much more is possible thanks to the map service.
For the search, the service developed by Google uses aerial photographs and satellite data.
In 2007, Google Maps was expanded by the free service “Street View”. This service also allows individual addresses to be displayed in a 360° panoramic view. The US map service can be used both online and in the form of an app. It is also possible to download offline maps to find the right address even if the internet connection is slow.
With several billion users, Google Maps is definitely more than popular. It therefore makes sense for website operators to include a map on their website in order to be found more easily.
Is Google Maps GDPR compliant?
Whenever the topic of Google comes up, the GDPR’s toenails curl. Because the US company is not exactly known for complying with the requirements for the correct handling of personal data.
Since Google Maps, like Google Analytics, is a service of the US company Google LLC, it transfers data to the USA. The USA is considered an insecure third country in the EU from a data protection perspective. Previously, the Privacy Shield agreement negotiated between the US and the EU regulated data transfers to the US. However, this agreement is now obsolete, as the ECJ found the level of data protection in the USA to be insufficient.
Legal basis within the EU
If Google Maps is integrated into a website, an automatic connection to the Google server is established – this applies both to the map and to Google Fonts. As a result, personal data of the user is transferred to Google. Google Maps also sets cookies for advertising purposes, which are considered non-essential.
However, this requires the opt-in consent of the visitor, as the setting of such cookies and the collection, storage and further processing of personal data may not normally be carried out without the active and informed consent of the user.
In conclusion, the Google Maps service, which transmits data to third parties (Google), may only be integrated after the express OK of the user.
It is not possible to integrate Google Maps into a website without a cookie.
As just mentioned, Google Maps sets non-essential cookies (as of 2021, especially the NID and SID cookies). These store user information by means of an individual user ID.
To legally obtain consent for cookies, it is recommended to use Google Maps in combination with a cookie consent tool like Real Cookie Banner. Unlike other WordPress cookie plugins, Real Cookie Banner has already taken care of the correct set-up of the Google Map service (cookies), so you can manage consent and corresponding documentation easily & quickly.
What do I need for the data protection-compliant integration of Google Maps?
To use Google Maps in the most privacy-friendly way, we recommend that you meet the following criteria.
🤝 Order processing agreement
As with the use of Google Analytics, an order processing contract is also necessary in the case of Google Maps.
In the case of commissioned processing (formerly: commissioned data processing), a website operator concludes a contract with a company if user data are processed. Such a contract is intended to ensure that the company commissioned by the website operator processes the data in accordance with the requirements of data protection. The legal basis for the order processing contract is Article 28 of the GDPR.
In the specific case of the use of the Google Maps API, Google has created the supposedly optimal Joint Control Contract. This stipulates that several parties share responsibility for data processing. Specific requirements for joint responsibility are regulated in Article 26 of the GDPR.
This is how you agree to the contract:
- Go to your Google Cloud by opening console.cloud.google.com.
- Click on the three dots arranged vertically below each other and click on Project Settings.
- Make sure you have chosen the right project.
- Click on Privacy & Security > Data Processing and Security Terms.
- Click on Review and Accepts.
- Click I Accept.
- Done!
You probably already agree to the Joint Control Contract by accepting the Google Maps Terms of Use.
✅ Opt-in consent
In the previous course of the article, we already addressed the issue of Google and data protection and opt-in consents.
Therefore, to briefly repeat: The USA is considered a third country with an inadequate level of data protection from the EU’s point of view, especially after the overturning of the Privacy Shield. Since Google is a US company, data collected by the individual services is transferred to the USA – which the GDPR does not like. It is therefore necessary to inform visitors about this and, in particular, to obtain active and informed consent in advance (opt-in procedure).
Opt-in consent is best implemented with the help of a cookie banner.
📝 Privacy policy
You should also remember to list Google Maps in your privacy policy, in which you inform your website visitors about the purpose of the integration, the data collected, the provider, the recipient of the data, the conditions under which this data is passed on to third-party providers etc. This way, you can comply with Article 13 of the GDPR.
Why Google Maps is not essential
One reason why Google Maps may not be included without the visitor’s consent is that it is not an essential function.
What exactly is meant by this?
Non-essential services are those that do not affect the basic functionality of your website. In other words, your website would also function without them. An economic interest of the website operator is also irrelevant here.
One example of this is Google Fonts. Although nicer fonts are really nice on the website, they are not necessary to guarantee the basic functionality of a website – texts can also be read perfectly well in Arial, for example. The situation is different with the shopping basket cookie of an online shop, for example, without which no goods could be placed in the shopping basket and consequently no purchases could be made.
More privacy-friendly alternatives for Google Maps
Since you have already established that Google Maps and data protection compliance are anything but easy to reconcile, we will now take a look at supposedly more GDPR-friendly alternatives.
OpenStreetMap
A popular and at the same time more privacy-friendly alternative to Google Maps, which can also be used for WordPress websites, is OpenStreetMap. OpenStreetMap is a free project developed by volunteers that aims to map all rivers, places, roads, etc. just like Google Maps. The project is financed by donations and the active support of volunteers.
A special feature of OpenStreetMap is the free use and free further processing of maps. Unlike Google Maps, screenshots of maps can be placed on a website or printed out.
In addition, there is the option of operating one’s own OpenStreetMap server, which is provided with the current database at the time. This means that there is no risk of data being transmitted to unsafe third countries. However, the installation of such a server is anything but simple.
HERE WeGo
Thanks to numerous cooperations with TripAdvisor and Wikipedia, among others, HERE WeGo offers a wide range of maps. Developed by Nokia, the online map service was later adopted and optimised by car manufacturers BMW, Daimler and Audi.
How do I add Google Maps to my WordPress website?
In the following, we will show you how you can integrate a Google Maps map into your WordPress website in the best possible way in accordance with data protection regulations.
Obtaining the correct consent from visitors can be so simple – and yet many website operators fail time and again. Unfortunately, this is not all too seldom due to a faulty cookie banner.
The fact is that before you decorate your WordPress website with digital maps from Google Maps & Co., you must ensure that your visitors explicitly consent to the processing of their data.
Real Cookie Banner takes the hassle out of setting up the corresponding services (cookies), so that you can use Google Maps on your WordPress website within a few clicks.
In addition, the WordPress Consent Plugin helps you to create content blockers that ensure that the map is only integrated after the website visitor’s consent. The visitor must actively agree to the loading of the map in order to have it displayed. Before this happens, a kind of placeholder image is displayed. Such a two-click solution supports the GDPR-compliant integration of Google Maps immensely.
Instructions: Integrate Google Maps into the website
Now we’ll finally show you 😉 how you can use Google Maps on your website in the best possible way in compliance with the GDPR.
To add a Google Maps map to your WordPress website using an opt-in solution, follow these steps:
- In your WordPress backend, open the page where you want to display the Google Maps map. In our example, we have created a new page called Maps.
- Create a new HTML block.
- Paste the HTML code for embedding the Google Maps IFrame into the corresponding field.
- Click on Publish. The map is now integrated into your website via iFrame – but not yet GDPR-compliant.
To integrate Google Maps into a WordPress website and get the most out of the service, there are now a variety of plugins available. These include:
- In the last step, we create a Google Maps service (cookie) with an associated content blocker in Real Cookie Banner. We assume that you have already installed Real Cookie Banner in your WordPress. To do so, go to the Real Cookie Banner settings by clicking on Cookies > Services (Cookies) > Add Service and select Google Maps from the templates. Important: The template is only available in the PRO version.
- We have already created the template for the service and for the content blocker for you to the best of our knowledge, so you can simply scroll down and click on Save. In the Content Blocker template, for example, we have already defined various rules for blocking Google Maps.
- The whole thing should now look like the screenshot in the frontend. Google Maps is now blocked on your website in compliance with the GDPR until the user a) agrees to the integration directly in the cookie banner or b) gives specific consent to loading in the visual content blocker (two-click solution).
Done ✅ This is how easy it is to use Google Maps on your website in the best possible way in accordance with data protection laws!