Embed OpenStreetMap GDPR compliant in WordPress!


Next to Google Maps, OpenStreetMap is one of the most popular services when it comes to integrating online maps into one’s own website, for example to make it easier for visitors to find their way to the nearest doctor’s office or furniture store.

Even though OpenStreetMap is considered a more privacy-friendly alternative to Google Maps, the integration of an OpenStreetMap map is not always GDPR-compliant, because there are many things to consider here.

In this article, you can find out exactly what the requirements are for a GDPR-compliant use of an OpenStreetMap map!

We must point out that the following statements do not constitute legal advice. Therefore, we can only give you evaluations from our intensive experience with the EU legal regulations in practice and a technical assessment of the situation.

What is OpenStreetMap?

The online mapping service has long ceased to be overshadowed by its competitor Google Maps.

OpenStreetMap (OSM for short) is a product founded in 2004 with the goal of providing a free and open world map. Of course, a world map does not create itself, so the project relies on the help of volunteers who provide data collected using GPS devices. Accordingly, completing the map takes longer than with Google Maps, for example.

The OpenStreetMap data provided can be downloaded and redistributed free of charge.

Differences between OpenStreetMap and Google Maps

Both OpenStreetMap and Google Maps are obviously online mapping services. However, there are some differences.

Creation

In the case of Google Maps, the creation of the online map is entirely in Google’s hands, whereas OpenStreetMap is a community project: the creation is not done exclusively by OpenStreetMap. However, Google Maps features a complete world map in return.

Use

OpenStreetMap is free to use and free of charge – Google Maps is not. All Google Maps maps are the property of Google. Copying and offline use of Google Maps maps is not allowed. OpenStreetMap, on the other hand, allows you to download, distribute and use maps offline.

Design

Google Maps features a wide range of designs, whereas OpenStreetMap features “only” a basic design.

Privacy

Google is not exactly known for being privacy-friendly. Therefore, OpenStreetMap is also used as a popular alternative to Google Maps. When using OpenStreetMap, no cookies are set and no personal data is transferred to the USA.

Learn how to embed the online map service in your WordPress website in a GDPR-compliant way in our blog article about Google Maps and the GDPR.

OpenStreetMap and data protection

Is OpenStreetMap compliant with the GDPR? The choice between Google Maps and OpenStreetMap often falls on OpenStreetMap for a reason. Unlike Google Maps, OpenStreetMap does not set cookies in the technical sense.

However, the IP address, which in some EU countries counts as personal data, is transmitted from the client to the OpenStreetMap server to enable the use of OpenStreetMap. For this, within the EU, you usually need the opt-in consent of your visitors.

One plus about using OpenStreetMap is that, unlike Google Maps, the IP address does not end up in the US, which is even more critical than the transfer itself. This is because since the end of the Privacy Shield – a data protection agreement between the US and the EU – in 2020, the US is considered an unsafe third country with a poor level of data protection. According to this, data transfer to the USA may in principle only take place on the basis of consent.

Since OpenStreetMap is not based in the USA, this problem does not apply. But: OpenStreetMap is based in the UK. Since its exit from the EU, the UK is no longer a member of the EU. Thus, the data is stored outside the EU.

Embedding OpenStreetMap into a WordPress website

Before we explain how exactly to add OpenStreetMap to your WordPress website in a GDPR-compliant way, we’ll first show you how to embed an OpenStreetMap map into your website.

  1. Open https://www.openstreetmap.org/
  2. Enter the address you want in the search box at the top.
  3. Click on Share (German: Teilen) in the menu on the right.
  4. Go to the HTML tab and copy the stored code.

Additionally, you have the possibility to embed the OpenStreetMap map as an image into your website. For example, you can set a marker and select a location. Last but not least, click on Download below. (In Google Maps such a procedure is not allowed.)

If you prefer an interactive map instead of an image, do the following:

  1. If you don’t want to embed the map as an image, copy the code.
  2. Open the page in your WordPress backend where you want to embed the OpenStreetMap map. (We assume that you are using the Gutenberg editor.)
  3. Click on the three dots below each other in the top right corner.
  4. Click on Code Editor.
  5. Paste the copied HTML code into the corresponding field.
  6. Save your changes or preview them first.

Prerequisites for the GDPR-compliant integration of OpenStreetMap

Even though OpenStreetMap is in itself quite a privacy-friendly online map service, as explained in more detail just now, you need to take some additional precautions in order to incorporate the service into your WordPress website in the most privacy-compliant way possible.

✅ Opt-in consent

You already know that you need opt-in consent to use OpenStreetMap. But what’s the easiest way to implement it? Quite simple: with the help of a consent management tool like Real Cookie Banner.

Real Cookie Banner provides you with numerous service (cookie) templates for privacy-compliant integration of numerous services – including the online map services Google Maps and OpenStreetMap.

To create the template for OpenStreetMap, proceed as follows:

  1. Open your WordPress backend.
  2. Go to Plugins > Install in the left menu.
  3. Search for Real Cookie Banner.
  4. Install and activate the plugin.
  5. Go to the left menu to Cookies > Services (Cookies) > Add Service.
  6. Search for OpenStreetMap.
  7. The template has already been filled in, so you don’t need any technical or legal expertise to create OpenStreetMap as a service. Scroll to the bottom of the template.
  8. Leave the check mark at Create a content blocker for this service. After saving the template, you will be automatically redirected to that of the associated content blocker.
  9. Confirm that you have checked all the information by unchecking the appropriate box and click Save.
  10. Now you’ve landed in the general content blocker configuration.
  11. You can also just scroll back down, confirm that you’ve checked everything, and save the template.
  12. Tada! Now OpenStreetMap is created in your cookie banner as a service (cookie) and will be played out only after your visitors have given their consent.

Important: Remember to enable your cookie banner under Settings > Consent.
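To make the effect of a content blocker concrete, here is an added example (not Real Cookie Banner's code and not from OpenStreetMap) that neutralises the embed code until consent and audits markup for OpenStreetMap requests that would still fire. The `data-blocked-src` attribute, the function names and the sample markup with made-up coordinates are assumptions for illustration.

```javascript
// Added illustration, not Real Cookie Banner's implementation.
// Hypothetical names: data-blocked-src, blockOsmEmbeds, unblockOsmEmbeds, findLiveOsmRequests.
const OSM_HOST = /(^|\.)openstreetmap\.org$/i;

// Constructed sample: embed code in the shape of OpenStreetMap's Share > HTML tab (bbox made up).
const SAMPLE = '<img src="/logo.png">' +
  '<iframe width="425" height="350" ' +
  'src="https://www.openstreetmap.org/export/embed.html?bbox=13.37%2C52.51%2C13.39%2C52.52&amp;layer=mapnik" ' +
  'style="border: 1px solid black"></iframe>';

// True when a URL resolves to openstreetmap.org or one of its subdomains.
function isOsmUrl(url) {
  try {
    return OSM_HOST.test(new URL(url, "https://example.invalid/").hostname);
  } catch {
    return false; // unparsable URL: treat as not OSM
  }
}

// Before consent: rename src so the browser never contacts the OSM server
// (no request means no IP address is transmitted).
function blockOsmEmbeds(html) {
  const re = /(<(?:iframe|img|script)\b[^>]*?\s)src=(["'])(.*?)\2/gi;
  return html.replace(re, (match, head, quote, url) =>
    isOsmUrl(url) ? `${head}data-blocked-src=${quote}${url}${quote}` : match);
}

// After opt-in: restore the original attribute; without consent nothing changes.
function unblockOsmEmbeds(html, consentGiven) {
  return consentGiven ? html.replace(/\sdata-blocked-src=/gi, " src=") : html;
}

// Audit helper: OSM URLs in the markup that would load immediately.
function findLiveOsmRequests(html) {
  const re = /<(?:iframe|img|script)\b[^>]*?\ssrc=(["'])(.*?)\1/gi;
  return [...html.matchAll(re)].map((m) => m[2]).filter(isOsmUrl);
}

const blocked = blockOsmEmbeds(SAMPLE);
console.log(findLiveOsmRequests(SAMPLE).length, findLiveOsmRequests(blocked).length);
```

The same check can be done by hand: open the page in a fresh private window and confirm in the browser's network tab that no request to openstreetmap.org appears before you accept the banner.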


🤝 Order processing contract

When using OpenStreetMap, you commission the service to process the IP address of your users in order to display maps. Whenever you engage an external company to process personal data, you will need to have a Data Processing Agreement (DPA) in place. This is based on GDPR Art. 28. This contract regulates the correct handling of this data in accordance with data protection. You should therefore conclude a DPA with OpenStreetMap.

📝 Privacy Policy

The final step is to list OpenStreetMap in your website’s privacy policy. For example, explain why you use OpenStreetMap in the first place, what data is collected and processed, and who the provider of the service is.

Now, if you go back to the page where you placed your OpenStreetMap map, you’ll see that the map is blocked until consent to load it is given in the cookie banner, unless the consent has already been given. Privacy can be this simple 😉