We Scanned 499 Dutch Restaurant Websites: Here's What We Found

Most restaurant owners assume their website is compliant. A reservation form, the menu, a map to the location. Simple, right?

We scanned 499 Dutch restaurant websites across 20 cities for GDPR compliance, cookie consent, accessibility, and security. The results show that the majority fail to meet the rules — often without the owner being aware.

How We Scanned

We selected 537 restaurant websites from 20 Dutch cities via the Google Places API. Only independent restaurants with their own .nl domain — no franchise chains, no platform pages (Thuisbezorgd, Uber Eats). 499 of the 537 scans succeeded. The remaining 38 were unreachable or blocked automated access.

Every website was scanned with the same automated checks we use in our free website scanner. We checked 13 points, including cookie consent, privacy policy, Google Fonts, Google Maps, KVK number, VAT number, security headers, and basic accessibility. For KVK number, Google Maps, and VAT number we checked not just the homepage but also linked contact, impressum, and privacy pages.

Cities included: Amsterdam, Rotterdam, The Hague, Utrecht, Eindhoven, Groningen, Tilburg, Almere, Breda, Nijmegen, Haarlem, Arnhem, Enschede, Amersfoort, 's-Hertogenbosch, Zwolle, Leiden, Maastricht, Dordrecht, and Leeuwarden.

The Key Findings

67.5% have no cookie banner at all

Of the 499 scanned restaurant websites, 337 (67.5%) have no cookie banner — no notification, no choice, nothing. Visitors are tracked immediately without their knowledge.

Of the 162 websites that do show a banner, more than half (51.2%) have no working reject button. The visitor can only "accept" or is sent to a settings page where rejecting requires multiple clicks.

That means only 79 of the 499 restaurants (15.8%) have a cookie banner that actually offers an equivalent reject option.

The Dutch DPA (AP) has been actively enforcing this since 2024. In April 2025, the AP sent warning letters to more than 200 websites with misleading or absent cookie banners. About three-quarters updated their banners within the deadline. The rest face formal investigation.

The first fine was issued in 2024: Kruidvat (AS Watson) received €600,000 for tracking cookies without valid consent. After appeal, the fine was reduced to €50,000. Shortly after, Coolblue received a €40,000 fine for the same type of violation.

The AP does not differentiate by business size. Warning letters go to small and large organisations alike.

Read more: Do I need a cookie banner? and AP cookie warning letters explained.

58.9% load Google Analytics before consent

294 of the 499 restaurants load Google Analytics before the visitor has made any choice. In 52.5% of all scanned sites, Google Analytics is present. In most cases it loads immediately on page load, without waiting for a cookie banner.

Additionally, 20.2% (101 sites) load the Facebook Pixel before consent. Google Tag Manager is present on 52.7% of sites.

The problem: as soon as Google Analytics or Facebook Pixel loads, tracking cookies are placed and the visitor's IP address is sent to Google or Meta. These are personal data. Without prior consent, this violates the GDPR.

Read more: Google Analytics and GDPR.

69.5% load Google Fonts from external servers

347 of the 499 restaurant websites load Google Fonts directly from Google's servers. This means every page visit sends the visitor's IP address to Google.

The Landgericht München ruled on January 20, 2022 (Az. 3 O 17493/20) that loading Google Fonts externally without consent violates the right to informational self-determination. The court awarded €100 in damages per visitor. The reasoning: there is no legitimate interest in loading fonts from external servers, because they can easily be self-hosted.

This is a German judgment, not Dutch. But the legal logic is the same: IP addresses are personal data under GDPR Article 4(1). Sending them to Google's servers without consent lacks a valid legal basis.

The solution is straightforward: download the fonts and host them on your own server. A web designer can do this in ten minutes.

Read more: Google Fonts and GDPR.

55.9% have no findable privacy policy

220 of the 499 restaurants have a findable privacy policy. That means 279 (55.9%) do not — either because they have none, or it is not accessible via standard locations (footer, menu, contact page).

If your restaurant has a reservation form, you collect personal data (name, email, phone number, sometimes dietary requirements). A privacy policy is required under GDPR Article 13. It must describe what data you collect, why, on what legal basis, and how long you keep it.

Read more: What must a privacy policy contain? and Privacy policy generator guide.

84% do not display a KVK number

Of the 499 restaurants, only 80 (16%) display their KVK number. We checked not just the homepage but also linked contact, impressum, and privacy pages. Even fewer restaurants show a VAT number: only 30 (6%).

The Handelsregisterwet 2007, Article 27 requires every registered business to display its KVK number on all correspondence including websites. The maximum fine is €22,500 under the Wet op de economische delicten.

In practice, enforcement for website KVK number omissions is primarily complaint-driven. But the obligation is clear and a fix costs thirty seconds: add your KVK number to your footer.

Read more: KVK number requirements on Dutch websites.

45.9% embed Google Maps without consent

229 of the 499 restaurants have a Google Maps embed on their website. In almost all cases, it loads immediately — without a cookie banner or consent mechanism.

Nearly half of all restaurant websites send every visitor's IP address to Google, just to show a map. The same legal logic as Google Fonts applies: an embedded map makes a connection to Google's servers and sends the IP address.

An alternative: load the map only after consent (click-to-load placeholder), or use a static image with a link to Google Maps.

Read more: Google Maps embed GDPR guide and GDPR for Dutch restaurants.

Accessibility: 75.8% Have Images Without Alt Text

Of the 10,338 images checked across 499 websites, 61% lacked alt text. At 378 restaurants (75.8%), at least one image is missing an alt description.

Additionally, 22.8% (114 sites) have form fields without labels — meaning screen readers cannot identify what the field is for.

Since June 28, 2025, the European Accessibility Act (EAA) has been in force. The ACM is the enforcement authority for website accessibility in the Netherlands. The law applies to businesses with at least 10 employees or more than €2 million turnover that offer digital services to consumers. Many small restaurants fall under the micro-enterprise exemption. But if you offer online reservations, process online orders, or sell gift cards online — and exceed the thresholds — the EAA applies.

In November 2025, the ACM published an investigation into the 60 largest Dutch webshops. 61% had serious accessibility issues. The ACM will actively contact these businesses in 2026 — a signal to the rest of the market that enforcement is real.

The maximum fine under the EAA is €900,000. In practice, the ACM focuses first on serious violations and businesses that don't respond to initial contact. Adding alt text to images and labels to form fields is low-effort and makes your website usable for everyone.

Security: Basic Headers Often Missing

Of the 499 scanned restaurants:

• 30.9% have an HSTS header (forces HTTPS connections)
• 10.6% have a Content-Security-Policy header (prevents XSS attacks)
• 21% have an X-Frame-Options header (prevents clickjacking)

54.9% of restaurants run WordPress. Of those 274 WordPress sites, 4.4% (12 sites) have an outdated major version with known security vulnerabilities.

Security headers are not a legal obligation in themselves, but GDPR Article 32 requires "appropriate technical measures" to protect personal data. If a data breach occurs because basic security measures were absent, the AP will treat this as an aggravating factor.

What This Means for Your Restaurant

These are the facts. No panic, but genuine urgency.

The AP is actively sending warning letters for misleading or absent cookie banners. The EAA is enforced by the ACM. Copyright agencies continuously scan the internet for unlicensed images.

The four things you can fix today:

1. Add your KVK number to your footer. 30 seconds. Required by law.
2. Ask your web designer to host Google Fonts locally. 10 minutes. Prevents IP address transfer to Google.
3. Install a cookie banner with a visible reject button. Ensure tracking scripts only load after consent.
4. Add a privacy policy. KHN (Koninklijke Horeca Nederland) offers model documents as a starting point.

Want to know how your restaurant website scores? Scan free in 60 seconds.

Methodology

• Scan date: April 14, 2026
• Websites scanned: 499 (from 537 attempts)
• Selection method: Google Places API for "restaurant" in 20 Dutch cities
• Criteria: Independent restaurant with own .nl domain; no chains or platform pages
• Scanner: TrustYourWebsite automated website scanner
• Checks: 13 per website, including multi-page checks for KVK number, VAT number, and Google Maps on linked contact, impressum, and privacy pages
• Scan duration: 1,669 seconds (~28 minutes)

This research is a snapshot from April 14, 2026. Websites change continuously. No individual restaurants are named. Some restaurants with a .nl domain may be registered outside the Netherlands and may not be legally required to display a KVK number. This is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.