Google Maps — consent fix

Google Maps immediately sets the NID cookie, which Google uses to track visitor behaviour for 6 months. Additionally, the visitor's location and IP address are sent to Google's servers. If you display the interactive map before active consent is granted (for functional or marketing cookies), you are violating the GDPR.

Why Google Maps loads too early

Google Maps is typically installed in one of two ways, both of which operate outside the scope of your standard Google Tag Manager (GTM) setup:

1. As a direct <iframe> embed in the source code (for example, on your contact page).
2. Via the Google Maps JavaScript API, pasted as a script in the <head>.

In both cases, the code does not automatically recognise your cookie banner and loads the map immediately upon page visit.

The Fix: Only show Google Maps after consent

Because Google Maps is usually hardcoded, you must either modify the HTML (Consent Facade), utilise your CMP smartly, or rebuild the integration via GTM.

1. The automatic route (via your CMP)

Do you use a premium Cookie Management Platform like Cookiebot? These systems automatically recognise Google Maps iframes.

• Cookiebot: Ensure the 'Auto-blocking' feature is enabled in your dashboard. Cookiebot will automatically replace the interactive map with a placeholder stating 'Accept functional/marketing cookies to load the map'.

2. The manual route (Consent Facade)

If you use an iframe and your CMP does not support automatic blocking, you can build a "Consent Facade". This involves showing a static image (screenshot) of your location, with a "Load interactive map" button underneath.

1. Find the Google Maps <iframe> in your source code.
2. Change the src attribute to data-src.
3. Use JavaScript to populate the src attribute only after the CMP grants permission (functionality_storage).

<!-- The map will not load yet -->
<iframe data-src="https://www.google.com/maps/embed?..." width="600" height="450" style="border:0;" allowfullscreen="" loading="lazy"></iframe>

<script>
document.addEventListener('consent_functionality_granted', function() {
    var maps = document.querySelectorAll('iframe[data-src*="google.com/maps"]');
    maps.forEach(function(map) {
        map.src = map.getAttribute('data-src'); // Now inject the source
    });
});
</script>

3. The JavaScript API route (GTM)

If you use the Maps JavaScript API, the cleanest approach is to move the loading process into Google Tag Manager.

1. Create a new Custom HTML tag in GTM.
2. Paste your Google Maps <script> here.
3. Expand Advanced Settings > Consent Settings.
4. Select Require additional consent for tag to fire and enter: functionality_storage.
5. Remove the script from your original HTML source code.

Alternative (No consent required): Consider OpenStreetMap (e.g., via Leaflet.js). This does not send personal data or tracking cookies to external tech giants and therefore requires no explicit consent upfront.

How to Verify the Fix

Use your browser's Network tab to monitor the requests.

1. Open your website in an incognito window.
2. Ignore the cookie banner (do not click accept).
3. Open Developer Tools (F12) and navigate to the Network tab.
4. Search for maps. There must be absolutely no requests to maps.googleapis.com or maps.gstatic.com visible.

Not sure if the fix worked, or want to verify that no other scripts are leaking data? Run a free scan with ConsentChecker.eu for instant confirmation.

Sources

• Google Maps Platform Terms of Service