• Hi bozdoz

    many thanks for the great plugin.
    I switched from google maps API to leaflet due to the GDPR regulation which will be in action from tomorrow on.

    Do you know by any means if this is at all plausible?
    I chose mapquest as tiles provider. Do you know if any user information is sent to mapquest servers?

    Best
    Ralf

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author bozdoz

    (@bozdoz)

    This privacy policy might help. There’s one for Canada, and one for United Kingdom.

    https://www.verizon.com/about/privacy/mapquest

    Hope this helps!

    Thread Starter koljalanger

    (@koljalanger)

    Hi,
    many thanks for your fast response.

    Maybe I should rephrase my question once more.

    I don’t understand the details of how the process of providing map information works (who provides the tiles; what are mapquest and/or leaflet doing in the process; where does the plugin retrieve its information from).

    However, what I learned over the past week is that the google maps API might not be fully GDPR compliant as user data (not my own but those from the persons that browse to my website) is transmitted to google.

    So the key question would be: Can we somehow infer what type of information is sent to the mapquest servers to which a connection is definitely established? Moreover, what is with leaflet?
    And last but not least, if IP addresses are forwarded to the servers of mapquest, does the API you use allow by any means to anonymize them?

    I’m slightly lost in the GDPR jungle and hope that we step by step can bring some light into this dark matter.

    Best,
    Ralf

    Plugin Author bozdoz

    (@bozdoz)

    This plugin has many optional pieces:

    The tiles, by default, are provided by openstreetmap. They are images that are individually requested (there is no signup, or authentication for example). MapQuest can be set up to provide tiles, but you have to sign up for an account and authenticate (handled by the plugin).

    Leaflet itself is fully GDPR compliant. It is a standalone JavaScript library. It does not send or store information. It is by default, however, hosted by https://unpkg.com, and such a request (like the tile images) would also pass cookies and IP details (but they likely do not store such information).

    The default geocoder is Google’s Geocoding API: https://developers.google.com/maps/documentation/geocoding/intro. But you could also choose Nominatim: https://nominatim.openstreetmap.org/. These requests are done server-side (so visitors to your site would not pass IP addresses or cookies, though your server IP would likely be stored by Google/OSM). Google might be changing its services to force billing soon, so this plugin might have to change.

    You are probably right about Google Maps API: Google harvests a lot of information.

    I’m slightly lost in the GDPR jungle too, but I can best-guess this. MapQuest very likely stores information like Google would. It requires its own JavaScript file and authentication, and likely makes requests on behalf of each user. All images and JavaScript files would (at least) pass IP addresses and cookies with each request; but I believe the GDPR is only opposed to the storage of such information. CDNs have no real interest in storing information (best guess), and OpenStreetMap is also unlikely to store this. MapQuest (like in the link in my last message) clearly stores and shares data on its users.

    My plugin has no way of anonymizing IPs, though I could look into this!

    So, final run-down:

    * You can self-host Leaflet if you want, or use CDN (each request passes cookies and IP addresses)
    * You can use OpenStreetMap (image requests pass cookies and IP addresses)
    * You can use MapQuest (image requests pass cookies and IP addresses, at least, and they very likely store this information, for each visitor)
    * You can use any Geocoder (all requests are server-side)

    Thread Starter koljalanger

    (@koljalanger)

    Hi,

    many thanks for your help. I really appreciate it!

    Initially, I chose mapquest as image provider but switched back to OSM now after your response. I agree with your opinion and I am not so scared that OSM would actually collect and analyze the data (even though one would still have to find a way to allow the website visitor to choose whether to deliver data to third party servers).

    Hi,

    it would be great to implement a consent function. Therefore you have to click to open the map and send a request. Is that an idea to assure full compliance?

    Thanks and best,
    David
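
The click-to-load idea from the last reply, as an added example that is not part of the thread or of the plugin's code: nothing is requested from the tile server until the visitor clicks, and the button names the outside hosts the browser will contact. `mountConsentMap`, `CONSENT_KEY`, the self-hosted Leaflet path and the map coordinates are assumptions made for this sketch.

```javascript
// Added example, not the plugin's code. mountConsentMap, CONSENT_KEY and the
// asset path are hypothetical names chosen for this sketch.
const CONSENT_KEY = 'map-consent';
const LEAFLET_JS = '/assets/leaflet/leaflet.js'; // assumption: self-hosted Leaflet
const TILE_URL = 'https://tile.openstreetmap.org/{z}/{x}/{y}.png'; // OSM tiles

// Hosts the visitor's browser would contact that are not the site itself.
function thirdPartyHosts(urls, siteOrigin) {
  const site = new URL(siteOrigin).host;
  const hosts = urls.map((u) => new URL(u.replace(/\{[a-z]\}/g, '0'), siteOrigin).host);
  return [...new Set(hosts.filter((h) => h !== site))];
}

// Inject Leaflet and start the map; only from here on are tiles requested.
function loadMap(doc, container) {
  const script = doc.createElement('script');
  script.src = LEAFLET_JS;
  script.onload = () => {
    // L is the global that Leaflet defines; the coordinates are constructed.
    const map = L.map(container).setView([51.5, -0.09], 13);
    L.tileLayer(TILE_URL, { attribution: '&copy; OpenStreetMap contributors' }).addTo(map);
  };
  doc.head.appendChild(script);
}

// Show a placeholder button until the visitor agrees, then load the map.
function mountConsentMap(doc, container, storage, siteOrigin) {
  if (storage.getItem(CONSENT_KEY) === 'yes') return loadMap(doc, container);
  const hosts = thirdPartyHosts([LEAFLET_JS, TILE_URL], siteOrigin);
  const button = doc.createElement('button');
  button.textContent = 'Show map (contacts: ' + hosts.join(', ') + ')';
  button.addEventListener('click', () => {
    storage.setItem(CONSENT_KEY, 'yes'); // remember the choice for later visits
    button.remove();
    loadMap(doc, container);
  });
  container.appendChild(button);
}

// Browser usage:
// mountConsentMap(document, document.getElementById('map'), localStorage, location.origin);
```

Swapping `LEAFLET_JS` for a CDN URL makes that CDN's host appear in the button text as well, since the library request would then also leave the site.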

  • The topic ‘GDPR’ is closed to new replies.