TrustYourWebsite

GDPR for Restaurant Websites: What You Actually Need

1 April 2026

Your restaurant website probably collects personal data in at least four different ways. Most restaurant owners don't realize this because the data collection happens automatically, built into the tools your web designer installed.

Reservation forms. Google Maps. Analytics. Newsletter signups. Each one triggers GDPR obligations. Here is what actually matters and what you can fix this afternoon.

Your reservation system is a data processor

Every time someone books a table through your website, you collect their name, email address, phone number and party size. Under the GDPR, that's personal data. You need a legal basis to collect it, you need to tell people what you do with it and you need to keep it safe.

If you use a third-party reservation system like Formitable, Resengo or TheFork, you're sending that personal data to another company. That makes them a data processor acting on your behalf. You need a data processing agreement with them.

The good news: most reputable reservation platforms already include a processing agreement in their terms of service. Check whether yours does. If it doesn't, ask them for one.

What you need to do:

  • Make sure your reservation form links to your privacy policy
  • Your privacy policy must mention what data the reservation form collects, why and how long you keep it
  • If you use a third-party booking system, confirm you have a data processing agreement
  • Don't keep reservation data longer than you need it. Six months is reasonable for most restaurants

Google Maps on your site leaks visitor data

Almost every restaurant website has a Google Maps embed showing the location. It makes sense. People need directions.

But the standard Google Maps embed sends your visitor's IP address to Google the moment the page loads. That IP address is personal data under the GDPR. And sending it to Google without consent is a problem.

This came under scrutiny after the 2022 German court rulings on Google Fonts. The same principle applies: loading third-party resources that transmit visitor data to US servers requires consent.

How to fix it:

  • Use a consent-based loading approach: show a static map image or placeholder, then load the real Google Maps embed only after the visitor accepts cookies
  • Your cookie management tool (Cookiebot, Complianz or similar) can handle this automatically if configured correctly
  • Alternative: use OpenStreetMap, which doesn't track visitors
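The consent-based loading approach from the first bullet, sketched as an added example (not code from this site or from any cookie tool). The `data-consent-src` and `data-consent-category` attribute names, the `marketing` category and the `onConsentAccepted` hook are assumptions; your consent tool has its own equivalents.

```javascript
// Added example. The data-consent-src / data-consent-category attribute
// names are assumptions, not a standard. Constructed markup: the iframe
// ships WITHOUT a src, so nothing is requested from Google on page load:
//   <iframe data-consent-src="https://www.google.com/maps/embed?pb=PLACEHOLDER"
//           data-consent-category="marketing" title="Map"></iframe>

const ALLOWED_EMBED_HOSTS = new Set(["www.google.com"]); // hosts you chose to embed

function isAllowedEmbedUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && ALLOWED_EMBED_HOSTS.has(u.hostname);
  } catch {
    return false; // not a parseable absolute URL
  }
}

// Activates every gated element whose category the visitor accepted.
// `root` is anything with querySelectorAll (normally `document`);
// `accepted` is a Set of category names reported by the consent tool.
function activateConsentedEmbeds(root, accepted) {
  let activated = 0;
  for (const el of root.querySelectorAll("[data-consent-src]")) {
    const category = el.getAttribute("data-consent-category");
    const url = el.getAttribute("data-consent-src");
    if (!accepted.has(category)) continue;        // no consent: stay inert
    if (!isAllowedEmbedUrl(url)) continue;        // never load unexpected hosts
    if (el.getAttribute("src") === url) continue; // already active
    el.setAttribute("src", url); // the first request to the third party happens here
    activated += 1;
  }
  return activated;
}

// Browser wiring (hypothetical hook; the real callback or event name
// depends on the consent tool in use):
//   onConsentAccepted((categories) =>
//     activateConsentedEmbeds(document, new Set(categories)));
```

Until the function runs, the placeholder iframe is empty, so style it with a static map image or a "Load map" notice.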

You can check whether your website loads Google Maps before consent with a free compliance scan.

Google Analytics is on most restaurant websites. Your web designer probably added it during the build and never mentioned it.

Google Analytics 4 (GA4) sets cookies and collects data about every visitor: what pages they view, how long they stay, what device they use, where they came from. All of that requires consent under the GDPR.

This means your cookie banner needs to actually block GA4 from loading until someone clicks accept. Many restaurants have a cookie banner that looks like it does something but doesn't actually block any scripts. The banner is decoration.

What to check:

  • Open your website in an incognito window
  • Before clicking the cookie banner, press F12 and look at Network requests
  • If you see requests to google-analytics.com or googletagmanager.com, your analytics loads without consent
  • Fix it by configuring your cookie management tool to block these scripts until consent is given
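The manual check above can be repeated on a saved recording: load the page in an incognito window without touching the banner, export the Network tab as a HAR file, and run the added example below over it (not part of the original article). It goes beyond the two hosts named in the list by reporting every third-party host contacted; `bistro.example` and the sample entries are constructed.

```javascript
// Added example: audit a HAR export recorded BEFORE touching the cookie banner.
// The two suffixes are the hosts named in the checklist above; extend as needed.
const TRACKER_SUFFIXES = ["google-analytics.com", "googletagmanager.com"];

// True when host equals the suffix or is a subdomain of it
// ("www.google-analytics.com" matches, "notgoogle-analytics.com" does not).
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// Returns one row per third-party host contacted, with a request count and
// whether the host is on the known-tracker list.
function auditHar(har, siteHost) {
  const byHost = new Map();
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // malformed URL in the export
    }
    if (!host || hostMatches(host, siteHost)) continue; // data: URL or first-party
    const row = byHost.get(host) || {
      host,
      requests: 0,
      knownTracker: TRACKER_SUFFIXES.some((s) => hostMatches(host, s)),
    };
    row.requests += 1;
    byHost.set(host, row);
  }
  // Known trackers first, then by host name.
  return [...byHost.values()].sort((a, b) =>
    b.knownTracker - a.knownTracker || (a.host < b.host ? -1 : a.host > b.host ? 1 : 0));
}

// Constructed sample in HAR 1.2 shape (only the fields used here).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://bistro.example/" } },
  { request: { url: "https://bistro.example/menu.css" } },
  { request: { url: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" } },
  { request: { url: "https://region1.google-analytics.com/g/collect?v=2" } },
  { request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { request: { url: "https://maps.googleapis.com/maps/api/js" } },
  { request: { url: "data:image/gif;base64,R0lGOD" } },
] } };

console.log(auditHar(SAMPLE_HAR, "bistro.example"));
```

Any row in the output means a request left for that host before consent; an empty array is the result you want from a pre-consent recording.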

If you don't look at your analytics data anyway, consider removing it entirely. Many restaurant owners never check those dashboards. No analytics means no tracking cookies means one less thing to worry about.

Social media embeds and review widgets

Instagram feeds, Facebook widgets, TripAdvisor review badges. These are common on restaurant websites and they all load third-party tracking scripts.

An embedded Instagram feed loads content from Meta's servers and places tracking cookies. A TripAdvisor widget does the same from TripAdvisor's servers. Each one sends visitor data to those companies before your visitor has any say in it.

Options:

  • Block social embeds behind cookie consent, just like analytics
  • Replace live feeds with screenshots that link to your social profiles
  • Use a simple text link ("Follow us on Instagram") instead of an embed

The screenshot approach works well for restaurants. Your Instagram photos of dishes still appear on your site, but without the tracking baggage.

Delivery platform tracking pixels

If you work with Thuisbezorgd, Uber Eats or Deliveroo, they might have asked you to add a tracking pixel to your website. These pixels track visitor behavior and report it back to the platform.

Tracking pixels are cookies in disguise. They need consent. And they should be disclosed in your privacy policy.

Check your website's source code for any scripts or pixel tags from delivery platforms. If they're there, either block them behind consent or remove them. The delivery platform can track orders through their own app just fine.

Loyalty programs and mailing lists

Some restaurants collect email addresses for loyalty programs or weekly specials newsletters. This is allowed under the GDPR, but you need to get it right.

For newsletter signups:

  • You need a clear opt-in. A checkbox that says "Yes, send me your weekly specials" works
  • Don't pre-check the box. The customer has to tick it themselves
  • Include a link to your privacy policy near the signup form
  • Every email needs an unsubscribe link
  • Keep records of when and how each person signed up

For loyalty programs:

  • Tell customers exactly what data you collect and why
  • If you use a third-party loyalty platform, you need a data processing agreement
  • Customers have the right to see their data and ask you to delete it

WiFi guest networks

If you offer free WiFi to customers and your login page asks for an email address, that's personal data collection too. The GDPR applies.

Keep the WiFi login simple. Many restaurants now use a password displayed on the table or receipt instead of collecting email addresses. Less data collected means less to worry about.

Your privacy policy

Every restaurant website needs a privacy policy. It's not optional and it's not just something for big companies.

Your privacy policy should cover:

  • What personal data you collect (names, emails, phone numbers from reservations)
  • Why you collect it (to confirm bookings, send newsletters)
  • Who you share it with (reservation platform, email service, analytics)
  • How long you keep it
  • How someone can request their data or ask you to delete it
  • Your contact details

You don't need a lawyer to write one. But it needs to be specific to your restaurant, not a generic template you copied from another website. If your privacy policy mentions services you don't use, or doesn't mention your reservation system, it's not doing its job.

A practical checklist for this week

Here is what you can do right now, in order of priority:

  1. Check whether your cookie banner actually blocks scripts before consent. Open your site in incognito mode and look.
  2. Make sure Google Maps loads only after consent, or switch to a static image.
  3. Review your reservation form. Does it link to your privacy policy? Does your privacy policy mention it?
  4. Check for social media embeds and delivery platform pixels. Block them behind consent or remove them.
  5. If you have a newsletter signup, make sure the checkbox isn't pre-checked and every email has an unsubscribe link.

None of these changes cost money. Most can be done by adjusting settings in your existing tools. If your web designer handles your site, send them this list.


Check your restaurant website now. Run a free compliance scan to see what your site loads, what cookies it sets and what's missing. Takes 2 minutes.


Frequently asked questions

If your website uses Google Analytics, Google Maps, an Instagram embed or any other third-party service that tracks visitors, yes. The number of pages doesn't matter. What matters is whether your site collects personal data.

Is a reservation form personal data under the GDPR?

Yes. Names, email addresses and phone numbers are personal data. Your reservation form collects all of these. You need a privacy policy that explains what you do with this data and how long you keep it.

Can my web designer handle all of this for me?

They can handle the technical setup: configuring the cookie banner, adding consent-based loading for embeds, linking to your privacy policy. But the privacy policy content is your responsibility. You need to know what data you collect and what you do with it.

What happens if I ignore GDPR on my restaurant website?

The Autoriteit Persoonsgegevens (AP) has been actively checking websites for cookie compliance since 2024. Fines for small businesses typically start at a few thousand euros but can go higher. Beyond fines, a customer complaint to the AP triggers an investigation you'd rather avoid.

Does GDPR apply to my restaurant's social media pages too?

Partly. When you run a Facebook or Instagram business page, you're a joint controller with Meta for the data collected through that page. But the biggest risk areas for restaurants are their own website and reservation system, not their social media presence.
