GDPR for UK Restaurant Websites: Data, Bookings, and Consent
Steven | TrustYourWebsite · 20 April 2026 · Last updated: May 2026
UK restaurants collecting customer data online must comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). This guide covers the key obligations for online booking systems, newsletter signups, cookies and payment processing.
What Data Do Restaurants Collect?
Restaurant websites typically collect personal data through multiple channels: online reservation systems (name, email, phone, party size, dietary requirements), email marketing lists, cookies for analytics and advertising, payment card data and customer feedback or reviews.
Some data requires special care. Dietary information including allergies is classified as a special category of personal data under UK GDPR Article 9. Processing such data requires an Article 6 lawful basis plus an Article 9 exemption. For restaurant bookings, the lawful basis is the contract (Article 6(1)(b)) and the special-category exemption is Article 9(2)(a) explicit consent: the customer types in their allergy on the booking form, knowing why, so the act of entering it constitutes the explicit consent the regulation requires. Article 9(2)(c) (protecting someone's life when they cannot consent themselves) does not apply to a routine reservation, because the customer is capable of consenting.
If you collect dietary data over the phone or by email instead of through a structured form, capture and store the same explicit-consent record alongside the booking. Without that record, you have no defensible Article 9 basis to keep the data.
Lawful Bases for Collecting Reservation Data
When customers make a reservation, you collect their name, email and phone number to fulfil the contract. This data processing requires no separate consent. Your lawful basis is Article 6(1)(b): contractual performance.
However, this only covers data strictly necessary for the booking. If you collect additional fields (preferred seat location, special occasion notes, photos of the diner), document your lawful basis for each. If retention exceeds what is necessary for the booking and any follow-up service recovery, you need an additional lawful basis or explicit consent.
Payment information should never be stored by the restaurant itself. Payment processors like Stripe, Square or PayPal are data controllers in their own right and handle PCI DSS compliance. Your role is limited to forwarding the payment and customer details to the processor under a Data Processing Agreement (DPA).
| Data collected | UK GDPR lawful basis | PECR overlay? | Special category? |
|---|---|---|---|
| Reservation name, email, phone | Art 6(1)(b) contractual performance | None for the booking. Reg 22 if you email-market later. | No |
| Dietary requirements and allergies | Art 6(1)(b) plus Art 9(2)(a) explicit consent | None | Yes. Health data. |
| Newsletter signup email | Art 6(1)(a) consent | Yes. PECR Reg 22 explicit prior consent required. | No |
| Payment card data | Art 6(1)(b) contractual performance | None | No. Handled by payment processor under PCI DSS. |
| Analytics cookies (GA4 and similar) | Art 6(1)(a) consent | Yes. PECR Reg 6 prior consent for the cookie itself. | No |
| CCTV footage of customers and staff | Art 6(1)(f) legitimate interests (crime prevention, safety) | None | No, unless capturing identifiable medical context. |
Newsletter Signups and PECR Consent
Email marketing to customers is governed by PECR Regulation 22, not GDPR alone. PECR requires explicit prior consent before sending marketing emails to individuals, unless they are existing customers and you gave them an opt-out opportunity at collection.
For online signup forms, obtain clear, affirmative consent. A pre-ticked checkbox is invalid. In the 2019 CJEU ruling Planet49 (Case C-673/17), the court held that "only active behaviour on the part of the data subject" constitutes valid consent. Unchecking a pre-ticked box is passive and does not meet the standard.
Consent must be freely given, specific, informed and unambiguous. Your signup form should state clearly: "We will send you weekly offers and updates. Unsubscribe anytime."
Cookie Consent and PECR Regulation 6
PECR Regulation 6 covers the storage of, and access to, any information on a user's device. The ICO interprets this technology-neutrally so that cookies, localStorage, sessionStorage, pixels and fingerprinting are all in scope. You must obtain prior consent before placing any non-essential cookie or equivalent technology on the user's device.
Essential cookies (those strictly necessary for the website to function) do not require consent. This typically includes session cookies for logging in or checkout. Analytics cookies, advertising cookies and social media tracking cookies are non-essential.
Your cookie banner must:
- Appear before non-essential cookies load (not after)
- Provide an explicit "Reject all" button that is as prominent as "Accept all"
- Separate marketing and analytics consent (users can consent to one and not the other)
- Not use dark patterns (greyed-out text, hidden reject button, false urgency)
The ICO's 2025 review of the UK's top 1,000 websites found that 30% of the top 100 sites were setting advertising cookies without valid consent. The ICO announced enforcement action, particularly targeting sites with no accessible reject option or where non-essential cookies load before consent is given.
Embedded Services and Third-Party Trackers
Embedding Google Maps, Instagram feeds, YouTube videos, TripAdvisor badges or similar widgets often loads tracking pixels and cookies from external domains without your explicit knowledge.
Test your site in browser developer tools (press F12, Network tab) to identify third-party requests. Domains like doubleclick.net (Google), facebook.com, youtube.com and hotjar.com are common trackers.
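The same check done over a captured request list instead of by eye, as an added example that is not the article's own tooling: it classifies each URL as first-party or third-party and flags the tracker domains named above. The site host, the request URLs and the pixel/video ids are constructed placeholders.

```javascript
const KNOWN_TRACKERS = ['doubleclick.net', 'facebook.com', 'youtube.com', 'hotjar.com'];

// True when host is `domain` itself or any subdomain of it (e.g. stats.g.doubleclick.net).
function underDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Classify absolute request URLs relative to the site's own host.
// Returns { firstParty: [url], thirdParty: [{ host, url, tracker }] }, where `tracker` is the
// matching known tracker domain, or null for a third party that still needs manual review.
function classifyRequests(siteHost, urls, trackers = KNOWN_TRACKERS) {
  const firstParty = [];
  const thirdParty = [];
  for (const url of urls) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      continue; // malformed entry in the capture
    }
    if (!/^https?:$/.test(parsed.protocol)) continue; // data:, blob: etc. contact no server
    const host = parsed.hostname.toLowerCase();
    if (underDomain(host, siteHost)) {
      firstParty.push(url);
    } else {
      thirdParty.push({ host, url, tracker: trackers.find((d) => underDomain(host, d)) || null });
    }
  }
  return { firstParty, thirdParty };
}

// Known tracker hosts seen in a capture taken before the visitor answered the banner.
function trackersBeforeConsent(result) {
  return result.thirdParty.filter((r) => r.tracker !== null).map((r) => r.host);
}

// Constructed sample: a first-load capture with no consent given, not a real site's traffic.
const SAMPLE_SITE_HOST = 'example-bistro.co.uk';
const SAMPLE_REQUESTS = [
  'https://example-bistro.co.uk/',
  'https://www.example-bistro.co.uk/css/site.css',
  'https://fonts.example-bistro.co.uk/menu.woff2',
  'https://www.google-analytics.com/g/collect?v=2',
  'https://stats.g.doubleclick.net/j/collect',
  'https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID',
  'https://www.youtube.com/embed/PLACEHOLDER_VIDEO_ID',
  'https://script.hotjar.com/modules.js',
  'data:image/png;base64,iVBORw0KGgo=',
];

const report = classifyRequests(SAMPLE_SITE_HOST, SAMPLE_REQUESTS);
console.log('third-party hosts:', report.thirdParty.map((r) => r.host));
console.log('trackers contacted before consent:', trackersBeforeConsent(report));
```

A third-party host that is not in the named list (google-analytics.com in the sample) is still reported, because every external host needs a documented reason and a consent category, not only the well-known ones.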
Each embedded service should have a documented Data Processing Agreement (DPA). If the service is a joint controller (e.g., you and the platform both decide what data to collect), you must document this relationship in your privacy policy.
Recommendation: load embedded services only after the user consents. Many services support deferred loading: for example, show a static image placeholder for an embedded YouTube video and load the actual player only after consent.
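The consent gate and deferred-embed pattern from this section, together with the separate analytics and marketing consent required by the cookie banner rules above, as an added example that is not the article's or any consent vendor's code. It assumes a two-category consent record kept in any object with the localStorage getItem/setItem shape, and loaders that are stubs recording what ran; the placeholder image path is an assumed example.

```javascript
const CONSENT_KEY = 'consent_choices_v1'; // the choice record itself is strictly necessary

// Map a banner button to a consent record; 'custom' uses the per-category ticks, default off.
function consentFromAction(action, ticks = {}) {
  switch (action) {
    case 'accept_all': return { analytics: true, marketing: true };
    case 'reject_all': return { analytics: false, marketing: false };
    case 'custom': return { analytics: ticks.analytics === true, marketing: ticks.marketing === true };
    default: throw new Error('unknown banner action: ' + action);
  }
}

// A missing or malformed record means "not answered yet", which must load nothing.
function readConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY));
    if (parsed && typeof parsed.analytics === 'boolean' && typeof parsed.marketing === 'boolean') return parsed;
  } catch { /* treat as no choice */ }
  return null;
}

function saveConsent(storage, consent) {
  storage.setItem(CONSENT_KEY, JSON.stringify({ ...consent, at: new Date().toISOString() }));
}

// Run the loader of every resource whose category was accepted; returns the names loaded,
// so the caller can confirm that before any choice (consent === null) nothing fired.
function applyConsent(consent, resources) {
  if (!consent) return [];
  const loaded = [];
  for (const r of resources) {
    if (consent[r.category] === true) { r.load(); loaded.push(r.name); }
  }
  return loaded;
}

// YouTube facade: a self-hosted thumbnail (no request to YouTube) until marketing consent,
// then the real player iframe src. The placeholder path is an assumed example.
function youtubeEmbed(videoId, consent) {
  if (consent && consent.marketing === true) return { kind: 'player', src: 'https://www.youtube.com/embed/' + videoId };
  return { kind: 'placeholder', src: '/static/video-placeholder.png' };
}

// Constructed demo resources: loaders only record that they ran; real ones inject the tag.
const fired = [];
const RESOURCES = [
  { name: 'ga4', category: 'analytics', load: () => fired.push('ga4') },
  { name: 'ad_pixel', category: 'marketing', load: () => fired.push('ad_pixel') },
];
```

In a browser, call applyConsent(readConsent(window.localStorage), RESOURCES) once on page load and again after the banner handler calls saveConsent, and render youtubeEmbed(...) in place of any hard-coded iframe.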
CCTV and In-Premises Monitoring
If your restaurant has CCTV, you are processing video data of customers and staff. You must display a lawful basis notice at the entrance. Most restaurants rely on Article 6(1)(f): legitimate interests in crime prevention and staff safety.
You must retain footage only as long as necessary (typically 30 days for small venues) and provide a transparent notice: "This establishment uses CCTV for security purposes. Footage is retained for 30 days."
Staff are employees, and processing their data is covered by the employment, social security and social protection condition in Schedule 1, Part 1, paragraph 1 of the Data Protection Act 2018. Schedule 1, Part 2 is a different category covering substantial public interest conditions and does not apply to ordinary staff records.
Privacy Policy Requirements
Your privacy policy must clearly state what personal data you collect, why, how long you keep it, who you share it with and customers' rights. The retention table below covers the categories most restaurants handle.
| Data category | Typical retention | Justification |
|---|---|---|
| Reservation records (name, email, phone, party size) | 6 months | Service recovery and operational follow-up. |
| Dietary requirements and allergies | Booking + 30 days, then delete | Special category data. Strict minimisation. |
| Newsletter subscribers | While consent is active | Consent withdrawal must trigger deletion. |
| Payment-related records (excluding card data itself) | 6 years | HMRC record-keeping under the Taxes Management Act 1970. |
| CCTV footage | 30 days (smaller venues) | ICO CCTV guidance. Longer requires specific justification. |
| Analytics event logs (consented) | 14 months (GA4 default) | Minimum useful for year-on-year reporting. Configurable. |
Do not use generic templates. Tailor the policy to your actual practices.
Data Subject Rights
Under UK GDPR Articles 15-22, any customer can ask you to do one of the following. You must respond within 30 calendar days from the date you receive the request.
| Article | Right | Practical example for a restaurant |
|---|---|---|
| Art 15 | Access | Customer asks for every booking, dietary note and marketing record you hold under their email. |
| Art 16 | Rectification | Allergy field has been entered incorrectly. The customer wants it corrected on file and forwarded to your booking system. |
| Art 17 | Erasure | Former regular wants their account and booking history deleted. You must comply unless tax or accident-record retention rules apply. |
| Art 18 | Restriction | Customer disputes the accuracy of a CCTV-based incident note. Stop using the record while you investigate. |
| Art 20 | Portability | Diner asks for their booking history in a structured file (JSON, CSV) so they can give it to a new venue. |
| Art 21 | Objection | Newsletter recipient objects to marketing or profiling. Stop sending immediately. |
| Art 22 | No automated decisions | Customer cannot be refused a booking solely by an automated risk score without human review. |
For small restaurants, appointing a single owner or manager as data controller and designating one person to handle subject access requests reduces compliance friction. Log every request with date received, requester, action taken and date completed in case the ICO asks for evidence later.
Compliance Enforcement
In 2024, the ICO took enforcement action against 32 UK GDPR cases, with 30 resulting in reprimands (formal warnings) rather than fines. Reprimands are particularly common for small businesses. While not financial penalties, reprimands create a public enforcement record and can lead to higher fines if future breaches occur.
The most common breaches are inadequate privacy policies, missing or invalid consent for marketing emails and cookies loading before consent. Restaurants are not typically singled out; all sectors face similar obligations.
Key Next Steps
- Review your online booking form and check which fields are truly necessary for the reservation. Remove optional data you do not use.
- Test your cookie banner in an incognito browser window and verify that non-essential cookies do NOT load until consent is given.
- Review all third-party embeds (Google Maps, TripAdvisor, social media pixels) and either obtain valid consent or remove them.
- Update your privacy policy to disclose all data collection and processing practices specific to your restaurant.
- Ensure email marketing signup forms use opt-in (not pre-ticked) consent.
- Document your data retention policy: how long do you keep booking records, email lists, payment records and CCTV footage?