Google Maps embeds leak visitor IPs to Google on load
An embedded Google Map contacts Google the moment the page loads, sending the visitor’s IP address (and referrer) to Google and potentially setting cookies — before consent.
Why it matters
Like hosted fonts and video embeds, a Maps iframe is a third-party request that fires on page load, transferring the visitor’s IP to Google in the US (KVKK Art. 9 / GDPR Chapter V) and possibly setting non-essential cookies (Art. 6). A map is rarely essential to render the page, so this transfer should not happen before the visitor asks for it.
How to fix it
Use a facade: show a static map image (or a plain "Show map" button) and load the interactive Google Maps iframe only on click or after consent. Where an interactive map is not needed, a static map image or a link to directions avoids the third-party request entirely.
<!-- Facade: no request to Google until the user clicks -->
<div class="map-facade">
  <img src="/img/map-static.png" alt="Our location">
  <button type="button">Show interactive map</button>
</div>
<script>
  document.querySelector('.map-facade button').addEventListener('click', (e) => {
    const w = e.target.closest('.map-facade');
    w.innerHTML = '<iframe width="600" height="450" loading="lazy" ' +
      'src="https://www.google.com/maps/embed?pb=YOUR_EMBED_PARAMS"></iframe>';
  });
</script>
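To check a page's served HTML for this issue, the following added example (not part of the original guide and not PrivaScan's code) flags Google Maps iframes that are live in the initial markup and ignores iframes that exist only inside a script or template, as in the facade above. The host list, function names and sample markup are assumptions made for illustration; note that `loading="lazy"` only delays the request until the iframe nears the viewport, so it is reported rather than treated as a consent gate.

```javascript
// Added example: static check for Google Maps iframes that load without a click or consent.
// Host list, function names and sample markup are constructed for illustration.
const MAPS_HOSTS = new Set(['www.google.com', 'google.com', 'maps.google.com']);

// Parse the attributes of a single start tag into a lower-cased map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True when the URL points at a Google Maps embed (protocol-relative URLs included).
function isMapsUrl(src) {
  let u;
  try { u = new URL(src, 'https://example.invalid/'); } catch { return false; }
  if (!MAPS_HOSTS.has(u.hostname)) return false;
  return u.hostname === 'maps.google.com' || u.pathname.startsWith('/maps');
}

// Return one finding per Maps iframe that the browser would fetch on page load.
function findEagerMapEmbeds(html) {
  // Comments, <script> and <template> bodies are inert until code inserts them,
  // so an iframe that only appears there (the facade pattern) is not a finding.
  const live = html
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|template)\b[\s\S]*?<\/\1\s*>/gi, '');
  const findings = [];
  for (const [tag] of live.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    // An iframe with only data-src (no src) makes no request and is skipped.
    if (a.src && isMapsUrl(a.src)) {
      findings.push({ src: a.src, lazyOnly: (a.loading || '').toLowerCase() === 'lazy' });
    }
  }
  return findings;
}

// Constructed sample pages: one eager embed, one facade.
const SAMPLE_EAGER = '<iframe loading="lazy" src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>';
const SAMPLE_FACADE = '<div class="map-facade"><img src="/img/map-static.png" alt="Our location">' +
  '<button type="button">Show interactive map</button></div>' +
  '<script>w.innerHTML = \'<iframe src="https://www.google.com/maps/embed?pb=PLACEHOLDER"></iframe>\';</script>';

console.log(findEagerMapEmbeds(SAMPLE_EAGER), findEagerMapEmbeds(SAMPLE_FACADE));
```

This is a static check of the served HTML only; a script that injects the iframe on load without waiting for a click would need a browser-based check of actual network requests.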
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.
Related guides
- Stop Google Analytics from loading before consent (KVKK/GDPR) KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Gate Google Tag Manager behind consent KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3)
- Load the Meta (Facebook) Pixel only after consent KVKK m.5 · GDPR Art. 6 · Art. 26 (joint controller)
- Session recording (Hotjar, Clarity, Yandex) needs explicit consent KVKK m.5 · GDPR Art. 6 · Art. 9 risk
These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.