Google Maps and GDPR for Irish Businesses: A Practical Compliance Guide

If your Dublin restaurant publishes your address with an embedded Google Map, if your Galway hotel shows a map of the local area, or if your Cork e-commerce site displays a store location—you're handling personal data. The Irish Data Protection Commission (DPC) says that Google Maps embeds, without proper consent, violate GDPR. This guide explains why, what to do, and how to stay compliant.

Why Google Maps Requires Consent in Ireland

You might think an embedded map is just showing a location. It isn't. When you embed Google Maps on your website, Google's servers automatically set cookies and tracking pixels on your visitors' devices. Google collects data about:

• Who visited your page
• How long they looked at the map
• Whether they clicked on it
• Their IP address and approximate location
• Device information and browser type
• Whether they've visited your site before (if they have a Google account)

This data collection happens automatically. Your visitors don't have to do anything. Just loading your page triggers it.

Under GDPR Article 6, you need a legal basis for processing personal data. Google's terms allow them to process this data for analytics and advertising purposes. Your website is the one embedding Google Maps, which means you're responsible for getting consent before that data collection happens.

The Irish Data Protection Commission takes this seriously. Ireland is where Google has its EU headquarters, which makes the DPC the "lead supervisory authority" for Google under GDPR's one-stop-shop mechanism. The DPC has fined Google and Meta billions for data transfer violations and lack of proper consent. They're not looking the other way on embedded maps.

The DPC's Position on Google Maps

The Irish DPC hasn't published a specific decision exclusively about embedded maps, but the principles are clear from their broader guidance on website tracking and consent:

1. Tracking scripts and cookies require consent. Even an embedded third-party service like Google Maps places cookies. GDPR Article 7(4) says consent must come before the script runs, not after.

2. Legitimate interest is weak for tracking. The DPC is skeptical of websites claiming "legitimate interest" to justify Google Maps tracking without consent. Legitimate interest requires balancing your interest against visitor privacy rights. For a restaurant map, the balance usually tips toward the visitor.

3. Legitimate Interests Assessment (LIA) isn't a free pass. Even if you document a legitimate interest, the DPC expects you to implement privacy by design. Using a non-tracking alternative (like a static map or Openstreetmap) is the first step.

4. Data transfers matter. Google processes data in the US and other countries. The DPC has scrutinised US data transfers in cases like Google Analytics. An embedded Google Map raises the same transfer questions.

The upshot: Don't embed Google Maps without consent. If you want your map to be compliant, get consent first or use an alternative.

Three Compliant Approaches

Option 1: Click-to-Load (Recommended for Most Sites)

Replace your embedded Google Map with a static image or placeholder. When visitors click it, then load the actual Google Map—but only after they've consented.

How it works:

1. Display a static image of your location or a placeholder saying "Click to load map"
2. Ask for consent: "This map uses Google Maps, which collects tracking data. Click to load and consent, or skip."
3. Only if they click do you embed the Google Maps iframe

This is GDPR-compliant because:

• Visitors see your location information without tracking
• They make an active choice to load the tracking version
• You've separated the location information (static) from the tracking (dynamic)
• They can choose not to load it at all

Tools that automate this: Osano, OneTrust, CookieBot, or custom HTML/JavaScript.

Example HTML structure:

<div id="map-container" style="background: #f0f0f0; padding: 20px; text-align: center;">
  <p>Our location: Main Street, Dublin, D01 1AA</p>
  <button id="load-map-btn">Load Map (tracking)</button>
  <p style="font-size: 12px; color: #666;">
    Loading the map will enable Google tracking cookies. <a href="/privacy">Read our privacy policy.</a>
  </p>
</div>

<script>
document.getElementById('load-map-btn').addEventListener('click', function() {
  // Check that consent is recorded
  if (hasUserConsentedToMarketing) {
    document.getElementById('map-container').innerHTML = 
      '<iframe src="https://www.google.com/maps/embed?pb=..." width="100%" height="400"></iframe>';
  }
});
</script>

Option 2: Use OpenStreetMap Instead

OpenStreetMap is a free, open-source map built by volunteers. It doesn't require consent because it doesn't set tracking cookies by default (though third-party tools can add tracking—be careful).

Use the Leaflet library to embed OpenStreetMap easily:

<link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.4/dist/leaflet.css" />
<script src="https://unpkg.com/leaflet@1.9.4/dist/leaflet.js"></script>

<div id="map" style="height: 400px;"></div>

<script>
  var map = L.map('map').setView([53.3498, -6.2603], 13); // Dublin coords
  L.tileLayer('https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png').addTo(map);
  L.marker([53.3498, -6.2603]).addTo(map).bindPopup('Our location');
</script>

Advantages:

• No Google tracking
• No consent needed (for the map itself)
• Free
• Customisable
• Works in Ireland, Belgium, everywhere

Disadvantages:

• Less polished than Google Maps
• No real-time traffic or transit info
• No business listings integration

Option 3: Static Image with a Link

The simplest option: show a static image of your location (a screenshot, a custom graphic, or a simple illustration) and link to Google Maps directions.

<img src="/images/location-map.png" alt="Our restaurant is located at 42 Baggot Street, Dublin, D04 N7H5" />
<p><a href="https://goo.gl/maps/ABC123" target="_blank">Open in Google Maps for directions</a></p>

Why this works:

• No cookies, no tracking on your site
• When users click through to Google Maps, they do so knowingly
• Google's own privacy policy covers their site
• You've just linked to a public service—no embedding

Disadvantages:

• Less interactive
• Users leave your site
• Doesn't show multiple locations easily

How to Add Consent to Google Maps in Your Cookie Banner

If you choose to keep Google Maps embedded and require consent:

Step 1: Update Your Cookie Banner

Add a "Google Maps" category or bundle it under "Marketing/Analytics":

Maps and Location Services: We use Google Maps to show you 
our location. Google Maps sets cookies to track your interaction 
and measure how the map is used. This data is processed by Google 
in the United States under Standard Contractual Clauses. 
[Learn more about Google's data processing]

Be specific that this category includes Google Maps tracking, not just static location information.

Step 2: Conditionally Load the Embed

Don't load the Google Maps iframe until consent is recorded. Pseudocode:

if (cookieConsent.includes('maps') || cookieConsent.includes('marketing')) {
  // Load Google Maps iframe
  document.getElementById('map').innerHTML = '<iframe src="..." />';
} else {
  // Show static alternative
  document.getElementById('map').innerHTML = '<img src="/map.jpg" />';
}

Step 3: Document the Data Flow

Keep a record for the DPC:

• What data Google collects through Maps
• Where it's processed (US, EU, etc.)
• How long it's retained
• Your legal basis (consent)
• Standard Contractual Clauses in place

The DPC may ask for this if a complaint is filed. Having it documented shows you've done due diligence.

What About youtube-nocookie.com?

You might have heard that using "youtube-nocookie.com" for YouTube embeds avoids the tracking problem. This is a myth that applies to Google Maps too.

YouTube's no-cookie domain does reduce tracking, but:

• It doesn't eliminate all tracking (IP address is still logged)
• Doesn't prevent data from being sent to Google servers
• Still constitutes personal data processing under GDPR

The DPC doesn't accept "youtube-nocookie" as a compliance workaround. If you embed YouTube without consent, you're still processing personal data without a legal basis. Same applies to Google Maps—there's no "maps-nocookie" version.

Data Transfer Issues

The DPC cares especially about data leaving the EU. Google's standard terms say data is processed in the US, where GDPR doesn't apply. The DPC has scrutinised:

• Standard Contractual Clauses (SCCs) to ensure they actually protect data
• Whether transfers are necessary or proportionate
• Whether US government surveillance can access the data

For Google Maps specifically:

• Declare in your privacy policy that Google processes data in the US
• Confirm you have SCCs in place (Google does)
• Don't exaggerate how essential the maps are (if a static image would do, it's probably not necessary to send data to the US)

Common Irish Business Scenarios

Restaurant or Café

You show a map of your location and table reservations.

Compliant approach: Static image of your address + link to Google Maps, or click-to-load iframe.

Why: Reservations go through a booking system anyway (which has its own consent). The map adds no essential function—it's supplementary.

Hotel

You show the hotel location, nearby attractions, parking, public transit.

Compliant approach: Click-to-load Google Maps or OpenStreetMap. Guests want detailed maps, so you need something interactive. Consent is worth the extra step.

Why: The map is a key feature of the booking experience. Visitors expect it. Getting consent upfront is better than legal risk.

E-commerce Site

You have a physical store or pickup location.

Compliant approach: Static image + directions link, or click-to-load if you have multiple locations.

Why: Most visitors are buying online; the physical location is secondary. Keep the page lightweight and non-tracking.

Local Service Business (Plumber, Electrician, etc.)

You show your service area on a map.

Compliant approach: OpenStreetMap with Leaflet, or a coloured static image. No need for Google Maps.

Why: You're illustrating a geographic area. OpenStreetMap works fine and needs no consent.

Practical Implementation Steps

Step 1: Audit Your Current Maps

Check your website:

• Do I have Google Maps embeds?
• Are they visible above the fold (auto-load)?
• Do I have a cookie banner asking for consent?
• If yes, is "Maps" or "Google Maps" a separate category?

Step 2: Choose Your Approach

• Click-to-load (safest, minimal friction)
• OpenStreetMap (no consent needed)
• Static image + link (simplest)

Step 3: Implement

For click-to-load: Use a CMP's built-in feature or write custom JavaScript. For OpenStreetMap: Add Leaflet.js library and swap out the embed. For static image: Save a screenshot and replace the iframe.

Step 4: Update Cookie Banner

If keeping Google Maps:

• Add explicit disclosure about Google Maps tracking
• Make consent easy to withdraw
• Link to Google's privacy terms

Step 5: Document and Test

• Write down your data processing (for your GDPR records)
• Test with browser dev tools to confirm no Maps scripts load until consent
• Check that your privacy policy mentions maps data processing

Penalties for Non-Compliance

The DPC has authority to fine companies up to €20 million or 4% of annual global revenue, whichever is higher, for GDPR violations like unauthorised tracking. The DPC has imposed multi-billion euro fines on Google for data transfer violations. While a small business's embedded Google Map isn't Google-scale, the DPC does investigate complaints from visitors.

More practically, a visitor could complain to the DPC, triggering an investigation. If your website is processing data without consent, the burden is on you to prove you had a legal basis—and for Google Maps, consent is the strongest defence.

Summary and Checklist

Before your Google Maps goes live, confirm:

• I have chosen one of three approaches: click-to-load, OpenStreetMap, or static image
• My cookie banner discloses Google Maps tracking (if embedding)
• Maps script doesn't load until consent (if embedding)
• Privacy policy explains Google Maps data processing
• Visitors can withdraw maps consent later
• I can demonstrate the legal basis (consent) if asked

The Data Protection Commission's position is clear: embedded Google Maps without consent is unauthorised data processing. You're not required to have a map at all—but if you do, get consent first or use an alternative. Most Irish businesses find that a static image plus a Google Maps link satisfies customer needs while keeping the site GDPR-compliant.

For specific guidance, consult the Data Protection Commission (DPC) at www.dataprotection.ie. They publish guidance for businesses and accept complaints online.