We Scanned 479 Belgian Restaurant Websites: GDPR Findings

You run a restaurant in Belgium. Your website shows the menu, a reservation form and a map. But does that website comply with the GDPR?

We scanned 479 Belgian restaurant websites in 16 cities for GDPR, cookie consent, accessibility and security. The majority fall short. Scan your own website and see the result within 60 seconds.

This article shows the patterns. No names. No clues pointing to specific businesses.

The method in brief

• Period: 14-15 April 2026.
• Sample: 479 successful scans out of 514 attempts. 35 sites were unreachable or blocked automated access.
• Source URLs: Google Places API with the search term "restaurant" in 20 Belgian cities, filtered for an own .be domain.
• Excluded: chains, franchises and platform pages such as Takeaway, Deliveroo or TripAdvisor.
• Tooling: TrustYourWebsite automated scanner. 13 universal checks plus 2 Belgium-specific checks (KBO number and VAT number).
• Multi-page check: for the KBO number, VAT number and Google Maps we also checked the linked contact, imprint and privacy pages (a maximum of 5 extra pages per site).
• Not measured: server logs, email habits, social media accounts or offline communication.

The findings at a glance

Overview per problem category

Cookie consent: pass or fail?

The key findings

64.3% have no cookie banner at all

Of the 479 scanned sites, 308 (64.3%) have no cookie banner. No notice. No choice. Visitors are tracked immediately.

Of the 171 sites that do have a banner, 58.5% have no working reject button. The visitor can only "accept" or ends up on a settings page where rejecting takes multiple clicks.

Only 71 of the 479 restaurants (14.8%) have a banner with an equivalent reject option.

The Gegevensbeschermingsautoriteit (GBA), Belgium's data protection authority, actively enforces this. In February 2022 the GBA imposed a fine of €250,000 on IAB Europe for the Transparency and Consent Framework. That framework was used by thousands of websites. The Litigation Chamber ruled that consent obtained through that framework was not valid under the GDPR.

In 2024 the GBA increased the pressure. At Mediahuis the penalty payment ran up to €25,000 per day per news site for as long as the banners kept using misleading colours and hidden reject options. The Litigation Chamber pointed both to the absence of a genuine "reject" button at the same level and to the misleading colour contrast between "accept" and "reject". The Marktenhof annulled that decision on 19 March 2025 on procedural grounds. The assessment criteria themselves still stand in the GBA's cookie checklist.

Read more: Cookie banner requirements in Belgium.

46.8% load Google Analytics before consent

224 of the 479 restaurants load Google Analytics before the visitor can choose anything. In total, 39.9% of all scanned sites have Google Analytics active. Google Tag Manager runs on 38.8%.

In addition, 11.3% (54 sites) load the Facebook Pixel before consent.

As soon as Google Analytics or the Facebook Pixel loads, the site places tracking cookies and the visitor's IP address goes to Google or Meta. Without prior consent that is a GDPR violation. The GBA watches for it.

68.5% load Google Fonts externally

328 of the 479 Belgian restaurant websites load Google Fonts directly from Google servers. On every page visit, the visitor's IP address leaves for the US.

The legal reasoning is clear under the GDPR. An IP address is personal data under Regulation (EU) 2016/679, Article 4(1). There is no valid legal basis for transferring it to an external font server, because the same fonts can be hosted locally. The GBA applies the same logic as other European regulators.

The fix is simple. Download the fonts and host them on your own server. Ten minutes of work for a web designer.

57.8% have no findable privacy policy

202 of the 479 restaurants have a findable privacy policy. 277 (57.8%) do not.

Does your restaurant have a reservation form? Then you collect personal data. Regulation (EU) 2016/679, Article 13 then requires a transparent privacy policy. It describes which data you collect, why, on what legal basis and how long you keep it.

82.3% show no KBO number

Only 85 of the 479 restaurants (17.7%) display their KBO number (enterprise number) on the homepage or on the usual contact and imprint pages.

The Kruispuntbank van Ondernemingen (Crossroads Bank for Enterprises) registers every incorporated business. The Code of Economic Law (WER), Article III.25, requires the number on all business communications. Websites are explicitly covered. The FPS Economy supervises this.

The VAT number is shown more often. 200 restaurants (41.8%) display a Belgian VAT number. In Belgium that is culturally more common than in the Netherlands. It appears by default at the bottom of invoices and is repeated more often on websites.

40.9% load Google Maps without consent

196 of the 479 restaurants have an embedded Google Maps widget that loads as soon as the page opens. No cookie consent. Every page visit sends the visitor's IP address to Google in the US.

Read more: GDPR for restaurant websites.

Accessibility: the blind spot

Of the 5,993 images checked, 2,584 (43.1%) were missing alt text. That is the description screen readers read out to blind and visually impaired visitors. On 330 of the 479 sites (68.9%), alt text is missing on at least one image.

Since 28 June 2025 the European Accessibility Act (Directive (EU) 2019/882) has been in force. In Belgium the FPS Economy and the Economic Inspection supervise the accessibility obligations for digital services such as e-commerce. Fines run up to €80,000 (or 4% of annual turnover) for an ordinary infringement and up to €200,000 (or 6% of annual turnover) in cases of bad faith, additional decimes included.

Micro-enterprises (fewer than 10 employees and less than €2 million turnover) get a transition period until June 2030. Many independent restaurants fall under that exemption, until they grow beyond it.

Security: the basics are often missing

33.8% of the sites run WordPress (162 sites). WordPress is a popular target for automated attacks because outdated versions and vulnerable plugins are easy to detect.

Security headers are not a legal obligation in themselves. But Regulation (EU) 2016/679, Article 32 requires "appropriate technical measures" to protect personal data. In the event of a data breach caused by missing basic security, the GBA weighs that in its assessment.

Belgium versus the Netherlands: the comparison

Belgium scores better than the Netherlands on tracking (less GA and Facebook Pixel before consent) and on displaying the enterprise number. The Netherlands more often has a working reject button when a banner exists at all. Both countries score badly on Google Fonts, Google Maps and privacy policies.

Hospitality-specific: FAVV and transparency

A restaurant is more than a website. The FAVV (Federal Agency for the Safety of the Food Chain) requires hospitality businesses to display their approval or registration visibly on the premises. For consumers there is also Foodweb, where you can look up the inspection results per business.

Do you also sell or deliver online? Then put your FAVV registration, KBO number and VAT number in the footer or on a contact page. That aligns with the KBO disclosure obligation in Article III.25 WER and with the transparency expectation the FAVV sets for B2C businesses.

What this means for your restaurant

The GBA is one of the most active privacy regulators in Europe. The IAB Europe case and the Mediahuis penalty payment (annulled by the Marktenhof on procedural grounds in March 2025) show that the Litigation Chamber is prepared to impose heavy sanctions on systemic players. Small businesses are rarely fined directly. But they do receive complaints from consumers and access requests under the GDPR.

The good news: most problems can be fixed in half a day.

Action plan: four fixes for a GDPR-compliant restaurant website in 2026

1. Put your KBO number in the footer on every page. Also add the VAT number and, where applicable, your FAVV registration. Satisfies Article III.25 WER and the transparency requirements for hospitality.
2. Ask your web designer to host Google Fonts locally. Download the fonts, place them on your own server and adjust the CSS. Prevents IP transfers to Google.
3. Install a cookie banner with an equivalent reject button. Same position, same size and same colour as the "accept" button. Tracking scripts only load after consent.
4. Publish a privacy policy. Start from a template and adapt it for your reservation form, your use of Google Analytics and your Google Maps embed.

Scan your website free in 60 seconds and see where you stand.

Methodology

• Period: 14-15 April 2026.
• Number of websites scanned: 479 out of 514 attempts. 35 sites unreachable or blocked automated access.
• Selection method: Google Maps and Places API for "restaurant" in 20 Belgian cities, filtered for a .be domain.
• Cities: Brussels, Antwerp, Ghent, Bruges, Leuven, Liège, Namur, Mechelen, Hasselt, Kortrijk, Ostend, Turnhout, Sint-Niklaas, Aalst, Charleroi and Mons. Four other attempted cities produced no valid results.
• Selection criteria: independent restaurant with its own .be domain. No international chains. No platform pages (Takeaway, Deliveroo, TripAdvisor).
• Scanner: TrustYourWebsite automated compliance scanner.
• Checks per website: 13 universal plus 2 Belgium-specific (KBO number and VAT number).
• Multi-page check: for the KBO number, VAT number and Google Maps we also checked linked contact, imprint and privacy pages (a maximum of 5 extra pages per site).
• Not measured: server logs, email habits, social media accounts or offline communication.

This research is a snapshot. Websites change constantly. Individual restaurants are not named. This is technical analysis, not legal advice.

Frequently asked questions

How compliant are Belgian restaurant websites in 2026?

Our scan of 479 Belgian restaurant websites found that 64.3% have no cookie banner, 46.8% load Google Analytics before consent and 57.8% have no findable privacy policy.

Which regulator enforces the GDPR for Belgian restaurants?

The Gegevensbeschermingsautoriteit (GBA) is the Belgian privacy regulator. In 2022 the GBA issued a landmark fine to IAB Europe for the consent framework used by thousands of websites.

Must a Belgian restaurant display a KBO number on its website?

Yes. Belgian businesses must display their KBO number (enterprise number) on their website, emails and invoices. Only 17.7% of the scanned restaurants do this.

Must a restaurant also display its FAVV registration online?

The FAVV requires hospitality businesses to display their approval or registration visibly on the premises. Businesses that also sell or deliver online are best advised to display these details on their website too, alongside the KBO number and the VAT number.

---

Want to know how your restaurant website scores? Scan free in 60 seconds.

Sources

• Regulation (EU) 2016/679 - General Data Protection Regulation (eur-lex.europa.eu)
• Directive (EU) 2019/882 - European Accessibility Act (eur-lex.europa.eu)
• Code of Economic Law (Wetboek van economisch recht), codification act of 28 February 2013 (ejustice.just.fgov.be)
• Gegevensbeschermingsautoriteit - IAB Europe decision (gegevensbeschermingsautoriteit.be)
• Gegevensbeschermingsautoriteit - Measures against Mediahuis (gegevensbeschermingsautoriteit.be)
• FPS Economy - Crossroads Bank for Enterprises (economie.fgov.be)
• Crossroads Bank for Enterprises - public search (kbopub.economie.fgov.be)

This is technical analysis, not legal advice. Consult a qualified lawyer for specific legal guidance.