Google silently changed the Google Maps URL, and no one has noticed how easily they made you pass your location data to many other Google properties.
So what’s the change?
The Google Maps URL changed from
https://www.google.com/maps. This change by Google doesn’t look like a significant change at first, but if you look deeper - it is a big change.
- How do browser permissions work?
- How does this change affect your privacy?
- What can you do to stop this?
- The broader picture
- What about the cookies from Google Maps' APIs?
- Final Thoughts
Let’s dive in!
How do browser permissions work?
To understand what is happening here and its impact on your privacy, let’s first outline how these browser permissions work.
Website visitors are asked for permission to share personal information all the time. In most cases, to enhance your user experience. Whenever you permit a site, say, location permission, in this case; the permission is shared across all sub-pages and directories.
See this example to get more clarity.
Assume you gave
https://www.example.com/some-page your location permission. Now this means that all the pages of this website, like
https://www.example.com/other-page-2, will have your location access, and you have given your location permission to every page on
Makes sense, right?
But the thing to remember is that webpages on
https://widget.example.com/* won’t have your location permission. This is because the browser treats every sub-domain like “www,” “maps,” “app,” etc., as a separate web property.
How does this change affect your privacy?
With the above understanding, we move to Google’s latest change: The Google Maps URL changed from
https://www.google.com/maps. Google moved Google Maps from a sub-domain to a sub-directory.
This means that Google.com (their search engine) and all other properties on this domain will have your location data.
A big threat to your privacy!
This also hints that Google may move other services like Google Drive, Calendar, and Meet to a sub-directory. Hence give Google permission to access your clipboard and camera.
Think of it this way - you had to use Google Meet for a meeting, but if you give camera and microphone access to Meet, now, Google.com would have access to your camera and microphone.
What can you do to stop this?
To be honest, you can’t do much.
However you can certainly stop using all Google services, but there will be times when you’d need to access a document hosted on Google Drive or have to attend a meeting via Google Meet.
To bypass this, you can either open these Google Meet and Drive links in incognito mode or instantly remove the permission when you are done using it.
Here is how to do that on Firefox.
Using a different browser, you can simply search for “Remove website permissions BrowserName.”
The broader picture
Google has a dubious track record for privacy and its clever trick with Google Maps’ URL is just the tip of the iceberg. Google services generally do all they can to grab your data for the company’s benefit.
For instance, all Android devices come with built-in advertising trackers which operate after collecting consent in less than ideal ways. And some APIs for Google Maps set unnecessary by default when embedded in a website. This is an example of how Google carefully crafts its products and their default settings in order to collect as much data as possible.
What about the cookies from Google Maps' APIs?
It is worth noting that cookies with unique identifiers are personal data. The transfer of personal data to Google in the US is the reason Google Analytics came under fire from European data protection authorities and was practically banned from Austria, France, Italy, Denmark, Finland, and Norway (please note that the Norwegian decision is still preliminary). EU-US data transfers is also how Meta got hit by a record €1.2 billion fine and is currently risking a Facebook blackout for Europe (we discussed this important case here).
Then again, the issue is bigger than just Google Analytics. Google Analytics was targeted by complaints and came under fire, but the reasoning behind the decisions can be applied to countless US services, including Google Maps and many services unrelated to Google. Cookies are not the only problem, either: for instance, IP addresses are always personal data. US data transfers sound like a very broad problem, and they are. We are only scratching the surface here- our blog goes in greater depth.
Consent can also be an issue with Google Maps cookies. If a Google Maps API reads and writes unnecessary cookies, you need to collect consent under the ePrivacy Directive. Most website owners don’t think too hard about the data collected by APIs and as a result, cookies are placed illegally. So make sure you collect consent for cookies or, better yet, use a cookieless API, if available.
Bottom line: whenever you embed an API into your website, whether it is Google’s or someone else’s, it is your responsibility to know exactly what data is being collected, and to collect these data lawfully.
This is undoubtedly a clever move by Google to breach your privacy with little effort. Big Co. like Google are always hungry for your data and will do everything they can to get it.
A new era where your privacy is always at risk. Practices like these to get to your data are nothing new and aren’t stopped easily as Google is one of the most influential companies on earth that many rely on.
Four years ago, we took a stance against Google and built a privacy-friendly Google Analytics alternative called Simple Analytics. We believe in data privacy and an independent internet that is friendly to website visitors. If this resonates with you, feel free to have a look at