Google silently changed the Google Maps URL, and no one has noticed how easily they made you pass your location data to many other Google properties.
So what’s the change?
The Google Maps URL changed from https://maps.google.com
to https://www.google.com/maps
. This change by Google doesn’t look like a significant change at first, but if you look deeper - it is a big change.
- How do browser permissions work?
- How does this change affect your privacy?
- What can you do to stop this?
- The broader picture
- What are the legal issues with Google Maps?
- Final Thoughts
Let’s dive in!
How do browser permissions work?
To understand what is happening here and its impact on your privacy, let’s first outline how these browser permissions work.
Website visitors are asked for permission to share personal information all the time. In most cases, to enhance your user experience. Whenever you permit a site, say, location permission, in this case; the permission is shared across all sub-pages and directories.
See this example to get more clarity.
Assume you gave https://www.example.com/some-page
your location permission. Now this means that all the pages of this website, like https://www.example.com/other-page-1
and https://www.example.com/other-page-2
, will have your location access, and you have given your location permission to every page on https://www.example.com/*
.
Makes sense, right?
But the thing to remember is that webpages on https://tool.example.com/*
or https://widget.example.com/*
won’t have your location permission. This is because the browser treats every sub-domain like “www,” “maps,” “app,” etc., as a separate web property.
How does this change affect your privacy?
With the above understanding, we move to Google’s latest change: The Google Maps URL changed from https://maps.google.com
to https://www.google.com/maps
. Google moved Google Maps from a sub-domain to a sub-directory.
This means that Google.com (their search engine) and all other properties on this domain will have your location data.
A big threat to your privacy!
This also hints that Google may move other services like Google Drive, Calendar, and Meet to a sub-directory. Hence give Google permission to access your clipboard and camera.
Think of it this way - you had to use Google Meet for a meeting, but if you give camera and microphone access to Meet, now, Google.com would have access to your camera and microphone.
What can you do to stop this?
To be honest, you can’t do much.
However you can certainly stop using all Google services, but there will be times when you’d need to access a document hosted on Google Drive or have to attend a meeting via Google Meet.
To bypass this, you can either open these Google Meet and Drive links in incognito mode or instantly remove the permission when you are done using it.
Here is how to do that on Firefox.
Using a different browser, you can simply search for “Remove website permissions BrowserName.”
The broader picture
Google has a dubious track record for privacy and its clever trick with Google Maps’ URL is just the tip of the iceberg. Google services generally do all they can to grab your data for the company’s benefit.
For instance, all Android devices come with built-in advertising trackers which operate after collecting consent in less than ideal ways. And some APIs for Google Maps set unnecessary by default when embedded in a website. This is an example of how Google carefully crafts its products and their default settings in order to collect as much data as possible.
What are the legal issues with Google Maps?
Cookies
Some versions of the Google Maps API use cookies. Under the law, these cookies can only be placed with the user's consent. But many websites are unaware about the cookies and implement them without a thought!
If you want to use a Google Maps API for your website, make sure that you know what version you are using, and that you are implementing it in compliance with the law. This often means either asking for consent before placing cookies, or using a different API (if possible).
Data transfers
Cookies with unique identifiers are personal data. The transfer of personal data to Google in the US is the reason Google Analytics came under fire from European data protection authorities and was practically banned from Austria, France, Italy, Denmark, Finland, and Norway (please note that the Norwegian decision is still preliminary). EU-US data transfers is also how Meta got hit by a record €1.2 billion fine and is currently risking a Facebook blackout for Europe (we discussed this important case here).
The legal saga around data transfers is on a halt now because of the new data transfer framework between the EU and the US- but we don't expect the situation to last. The new framework that allows for data transfers suffers from major flaws and will likely be invalidated by the EU Court of Justice (this already happened twice with the Schrems rulings).
User consent makes no difference for data transfers- they are unlawful even if you collect consent! If possible, ensure that your version of the map API does not use cookies to begin with. This will ensure compliance in the long term.
Final Thoughts
This is undoubtedly a clever move by Google to breach your privacy with little effort. Big Co. like Google are always hungry for your data and will do everything they can to get it.
A new era where your privacy is always at risk. Practices like these to get to your data are nothing new and aren’t stopped easily as Google is one of the most influential companies on earth that many rely on.
Four years ago, we took a stance against Google and built a privacy-friendly Google Analytics alternative called Simple Analytics. We believe in data privacy and an independent internet that is friendly to website visitors. If this resonates with you, feel free to have a look at
This article is a guest blog by Ankit from Growthfyi.com