Moderate · KVKK Art. 5 · Art. 9 · GDPR Art. 6 · Chapter V (transfers) · Map embed

Google Maps embeds leak visitor IPs to Google on load

An embedded Google Map contacts Google the moment the page loads, sending the visitor’s IP address (and referrer) to Google and potentially setting cookies — before consent.

Why it matters

Like hosted fonts and video embeds, a Maps iframe is a third-party request that fires on page load, transferring the visitor’s IP to Google in the US (KVKK Art. 9 / GDPR Chapter V) and possibly setting non-essential cookies (Art. 6). A map is rarely essential to render the page, so this transfer should not happen before the visitor asks for it.

How to fix it

Use a facade: show a static map image (or a plain "Show map" button) and load the interactive Google Maps iframe only on click or after consent. Where an interactive map is not needed, a static map image or a link to directions avoids the third-party request entirely.

<!-- Facade: no request to Google until the user clicks -->
<div class="map-facade">
  <img src="/img/map-static.png" alt="Our location">
  <button type="button">Show interactive map</button>
</div>
<script>
document.querySelector('.map-facade button').addEventListener('click', (e) => {
  const w = e.target.closest('.map-facade');
  w.innerHTML = '<iframe width="600" height="450" loading="lazy" ' +
    'src="https://www.google.com/maps/embed?pb=YOUR_EMBED_PARAMS"></iframe>';
});
</script>
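
To confirm the fix took effect, the following check scans a page's static HTML for Google Maps iframes that would still load with the page. It is an added example, not PrivaScan's scanner code; the function names, the host matching rule and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: static check for Google Maps iframes that load with the page.
// Function names and sample markup are constructed for illustration.

function isGoogleMapsUrl(src, base = 'https://site.example/') {
  let u;
  try { u = new URL(src, base); } catch { return false; }
  return u.hostname === 'maps.google.com' ||
    (/^(www\.)?google\.com$/.test(u.hostname) && u.pathname.startsWith('/maps'));
}

// Parse the attribute part of one start tag into a name -> value map.
function parseAttrs(text) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of text.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function findEagerMapEmbeds(html) {
  // Comments, <script> and <template> bodies are inert at parse time: an
  // iframe string inside a click handler (the facade) must not be flagged.
  const live = html
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|template)\b[\s\S]*?<\/\1\s*>/gi, '');
  const findings = [];
  for (const m of live.matchAll(/<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi)) {
    const a = parseAttrs(m[1]);
    // Only a real src triggers a request; data-src style placeholders do not.
    if (a.src && isGoogleMapsUrl(a.src)) {
      // loading="lazy" only delays the request until scroll; it is not consent.
      findings.push({ src: a.src, lazy: (a.loading || '').toLowerCase() === 'lazy' });
    }
  }
  return findings;
}

// Constructed samples: a direct embed, and the facade pattern from this guide.
const DIRECT = '<iframe loading="lazy" src="https://www.google.com/maps/embed?pb=SAMPLE"></iframe>';
const FACADE = `<div class="map-facade"><img src="/img/map-static.png" alt="Our location">
<button type="button">Show interactive map</button></div>
<script>/* click handler */ w.innerHTML = '<iframe src="https://www.google.com/maps/embed?pb=SAMPLE"></iframe>';</script>`;

console.log(findEagerMapEmbeds(DIRECT));
console.log(findEagerMapEmbeds(FACADE));
```

This inspects static markup only; an embed injected by a script on page load needs a runtime check of the browser's network requests.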

Official sources

Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.

These guides cover automated checks for trackers, cookies and data flows. A full privacy review also needs legal input.