GDPR Compliance for UK Restaurant Websites: Data, Bookings, and Consent
Steven | TrustYourWebsite · 20 April 2026 · Last updated: April 2026
UK restaurants collecting customer data online must comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR). This guide covers the key obligations for online booking systems, newsletter signups, cookies, and payment processing.
What Data Do Restaurants Collect?
Restaurant websites typically collect personal data through multiple channels: online reservation systems (name, email, phone, party size, dietary requirements), email marketing lists, cookies for analytics and advertising, payment card data and customer feedback or reviews.
Some data requires special care. Allergy information is health data, a special category of personal data under UK GDPR Article 9, and a dietary requirement such as halal or kosher food can reveal religious belief, which is also special category data. Processing it needs both an Article 6 lawful basis and a separate Article 9(2) condition. For restaurant bookings the Article 6 basis is usually the contract (Article 6(1)(b)), and the Article 9(2) condition is normally the diner's explicit consent (Article 9(2)(a)): make the dietary field optional, say what it will be used for, and record that the diner filled it in voluntarily. Vital interests (Article 9(2)(c)) is reserved for emergencies where the person is physically or legally unable to consent; it is not a condition for a routine booking form.
Lawful Bases for Collecting Reservation Data
When customers make a reservation, you collect their name, email, and phone number to fulfil the contract. This data processing requires no separate consent. Your lawful basis is Article 6(1)(b): contractual performance.
However, this only covers data strictly necessary for the booking. If you collect additional fields (preferred seat location, special occasion notes, photos of the diner), document your lawful basis for each. If retention exceeds what is necessary for the booking and any follow-up service recovery, you need an additional lawful basis or explicit consent.
Card data should never be stored by, or even pass through, the restaurant's own systems: use the processor's hosted payment page or embedded form so card details go straight to it. Payment processors such as Stripe, Square or PayPal handle PCI DSS compliance for the card data. Depending on the service they act as an independent controller for the payment transaction itself and as a processor for other features you use, so check the provider's data processing terms rather than assuming one role; where they act as your processor, a Data Processing Agreement (DPA) under Article 28 must be in place. Your role is limited to passing the booking and customer details the processor needs to take the payment.
Newsletter Signups and PECR Consent
Email marketing to customers is governed by PECR Regulation 22, not UK GDPR alone. PECR requires prior consent before sending marketing emails to individuals, unless the "soft opt-in" applies: you obtained the address in the course of a sale or negotiations for a sale, you are marketing only your own similar products or services, and you offered a simple way to opt out both when you collected the address and in every message since.
For online signup forms, obtain clear, affirmative consent. A pre-ticked checkbox is invalid. In the 2019 CJEU ruling Planet49 (Case C-673/17), the court held that "only active behaviour on the part of the data subject" constitutes valid consent. Leaving a pre-ticked box ticked is passive and does not meet the standard.
Consent must be freely given, specific, informed and unambiguous, and you must be able to show when and how it was given, so log the timestamp, the form version and the wording shown. Your signup form should state clearly what the person is agreeing to: "We will send you weekly offers and updates. Unsubscribe anytime."
Cookie Consent and PECR Regulation 6
PECR Regulation 6 is technology-neutral: it covers storing information on, or gaining access to information stored in, a user's device, so it applies to localStorage, sessionStorage, tracking pixels, third-party SDKs and fingerprinting scripts as well as HTTP cookies. You must obtain prior consent before using any such technology that is not strictly necessary, and tell users what it is for.
Strictly necessary cookies (those without which the service the user asked for cannot work) do not require consent. This typically includes session cookies for logging in or checkout, the cookie that records the user's own consent choice, and load-balancing cookies. Analytics cookies (first-party included), advertising cookies, and social media tracking cookies are non-essential.
Your cookie banner must:
- Appear before non-essential cookies load (not after)
- Provide an explicit "Reject all" button as prominent and as easy to use as "Accept all"
- Separate marketing and analytics consent (users can consent to one and not the other)
- Not use dark patterns (greyed-out text, hidden reject button, false urgency)
The ICO's 2025 review of the UK's top 1,000 websites found that 30% of the top 100 sites were setting advertising cookies without valid consent. The ICO announced enforcement action, particularly targeting sites with no accessible reject option or where non-essential cookies load before consent is given.
Embedded Services and Third-Party Trackers
Embedding Google Maps, Instagram feeds, YouTube videos, TripAdvisor badges or similar widgets often loads tracking pixels and cookies from external domains without your explicit knowledge.
Test your site in a fresh private window with browser developer tools open (press F12; the Network tab lists requests, the Application or Storage tab lists cookies and localStorage) before you interact with the consent banner. Anything third-party in the Network tab, or any non-essential cookie already present, has loaded without consent. Domains like doubleclick.net (Google), facebook.com, youtube.com and hotjar.com are common trackers.
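The same check can be scripted instead of read off the Network tab by eye. The block below is an added example, not code from the original article: it groups a page's requests by registrable domain, separates first- from third-party hosts, flags a short illustrative tracker list (not an authoritative blocklist), and lists the cookie names already set. The sample request list and the host www.example-bistro.co.uk are constructed for the example; in a real browser console the `auditCurrentPage` function reads the live page through the Resource Timing API instead.

```javascript
// Added example (not from the original article): classify a page's
// requests as first- or third-party and flag hosts from a small,
// illustrative tracker list. The list is not an authoritative blocklist.
const KNOWN_TRACKERS = [
  'doubleclick.net', 'facebook.com', 'facebook.net', 'youtube.com',
  'hotjar.com', 'google-analytics.com', 'googletagmanager.com',
];

// Approximate the registrable domain (eTLD+1): the last two labels, or
// three for common second-level suffixes such as co.uk. A production tool
// would consult the Public Suffix List instead of this short table.
const SECOND_LEVEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'ac.uk', 'gov.uk', 'com.au', 'co.nz']);
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  const lastTwo = labels.slice(-2).join('.');
  return SECOND_LEVEL_SUFFIXES.has(lastTwo) ? labels.slice(-3).join('.') : lastTwo;
}

// Group third-party requests by registrable domain. Non-http(s) URLs
// (data: images, blob: objects) never leave the browser and are skipped.
function auditRequests(urls, pageHost) {
  const site = registrableDomain(pageHost);
  const byDomain = new Map();
  for (const u of urls) {
    let parsed;
    try { parsed = new URL(u); } catch { continue; }
    if (!/^https?:$/.test(parsed.protocol)) continue;
    const domain = registrableDomain(parsed.hostname);
    if (domain === site) continue;
    const entry = byDomain.get(domain)
      || { domain, count: 0, knownTracker: KNOWN_TRACKERS.includes(domain) };
    entry.count += 1;
    byDomain.set(domain, entry);
  }
  return [...byDomain.values()].sort((a, b) => a.domain.localeCompare(b.domain));
}

// Names of every cookie visible to script. Run before touching the banner:
// any non-essential name here was set without consent.
function cookieNames(cookieHeader) {
  return cookieHeader.split(';').map((c) => c.trim()).filter(Boolean).map((c) => c.split('=')[0]);
}

// Constructed sample requests (not captured from a real site) for the
// hypothetical host www.example-bistro.co.uk.
const SAMPLE_REQUESTS = [
  'https://www.example-bistro.co.uk/css/site.css',
  'https://cdn.example-bistro.co.uk/img/menu.jpg',
  'https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE',
  'https://stats.g.doubleclick.net/j/collect',
  'https://www.facebook.com/tr?id=123',
  'https://maps.googleapis.com/maps/api/js',
  'data:image/png;base64,iVBORw0KGgo=',
];

// In a browser console the same functions read the live page: the Resource
// Timing API lists every request the page has made so far.
function auditCurrentPage() {
  const urls = performance.getEntriesByType('resource').map((e) => e.name);
  return { thirdParties: auditRequests(urls, location.hostname), cookies: cookieNames(document.cookie) };
}

if (typeof document !== 'undefined') {
  console.table(auditCurrentPage().thirdParties);
} else {
  console.table(auditRequests(SAMPLE_REQUESTS, 'www.example-bistro.co.uk'));
}
```

Paste the block into the console of a private window before clicking anything on the banner. For the constructed sample it reports doubleclick.net, facebook.com and googletagmanager.com as known trackers and googleapis.com as an unlisted third party; on a real page every row is a request that went out before consent, and each one needs either a strictly-necessary justification or gating behind the banner.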
Work out each provider's role. Where a service processes data on your behalf (a booking widget or an analytics vendor you configure), you need a Data Processing Agreement (DPA) under Article 28. Where you and the platform both decide why and how data is collected, as with a social media pixel or "like" button, you are joint controllers: Article 26 requires a documented arrangement between you, and your privacy policy must reflect it.
Recommendation: load embedded services only after the user consents. Show a static placeholder first (a thumbnail for a YouTube video, a static map image with a link for Google Maps) and inject the third-party iframe or script only once consent for that category has been given.
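The banner requirements above (prior consent, separate analytics and marketing choices) and the deferred-embed recommendation come down to the same mechanism: declare non-essential resources inert in the HTML and activate them only for the categories the user has granted. The block below is an added example, not code from the original article or from any consent-management product. The cookie name `consent_prefs`, the category names, the element ids (`consent-accept-all`, `consent-reject-all`, `consent-save`, `consent-analytics`, `consent-marketing`) and the `data-category` / `data-src` attributes are this example's own assumptions, not a standard.

```javascript
// Added example (not from the original article): a minimal consent gate.
// Non-essential resources are declared inert in the HTML and activated only
// for categories the user has granted. Cookie name, category names, element
// ids and data-* attributes are assumptions made for this example.
const CATEGORIES = ['analytics', 'marketing'];
const CONSENT_COOKIE = 'consent_prefs';   // assumed name; records the user's own choice, so strictly necessary
const CONSENT_TTL_SECONDS = 180 * 24 * 3600;

// Parse "analytics=1,marketing=0" into a per-category boolean map.
// Anything missing, malformed or unknown is treated as NOT consented.
function parseConsent(raw) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== 'string') return consent;
  for (const part of raw.split(',')) {
    const [key, value] = part.trim().split('=');
    if (CATEGORIES.includes(key)) consent[key] = value === '1';
  }
  return consent;
}

function serializeConsent(consent) {
  return CATEGORIES.map((c) => `${c}=${consent[c] ? '1' : '0'}`).join(',');
}

// Pull the preference cookie out of a document.cookie / Cookie header string.
function readConsentCookie(cookieHeader) {
  const prefix = CONSENT_COOKIE + '=';
  const found = cookieHeader.split(';').map((c) => c.trim()).find((c) => c.startsWith(prefix));
  return parseConsent(found ? decodeURIComponent(found.slice(prefix.length)) : '');
}

// Decide which declared resources may load: essential ones always,
// everything else only if its category was granted.
function loadable(resources, consent) {
  return resources.filter((r) => r.category === 'essential' || consent[r.category] === true);
}

// --- Browser wiring (skipped outside a browser) ---
// Markup convention assumed by this example (hypothetical URLs):
//   <script type="text/plain" data-category="analytics" data-src="https://analytics.example/collect.js"></script>
//   <iframe data-category="marketing" data-src="https://www.youtube.com/embed/VIDEO_ID"
//           title="Video (loads after consent)"></iframe>   <!-- styled with a poster image until activated -->
function saveConsent(consent) {
  document.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(consent))}` +
    `; Max-Age=${CONSENT_TTL_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

function applyConsent(consent) {
  const declared = Array.from(document.querySelectorAll('[data-category][data-src]'))
    .map((node) => ({ category: node.dataset.category, node }));
  for (const { node } of loadable(declared, consent)) {
    if (node.tagName === 'SCRIPT') {
      const live = document.createElement('script');
      live.src = node.dataset.src;
      live.async = true;
      node.replaceWith(live);            // inert <script type="text/plain"> becomes a real script
    } else {
      node.src = node.dataset.src;       // placeholder becomes the live embed
      node.removeAttribute('data-src');  // so it is not activated twice
    }
  }
}

if (typeof document !== 'undefined') {
  applyConsent(readConsentCookie(document.cookie)); // on load: only previously granted categories
  const decide = (consent) => { saveConsent(consent); applyConsent(consent); };
  document.getElementById('consent-accept-all')?.addEventListener('click',
    () => decide({ analytics: true, marketing: true }));
  document.getElementById('consent-reject-all')?.addEventListener('click',
    () => decide({ analytics: false, marketing: false }));
  document.getElementById('consent-save')?.addEventListener('click', () => decide(Object.fromEntries(
    CATEGORIES.map((c) => [c, document.getElementById(`consent-${c}`)?.checked === true]))));
}
```

Two design points matter for compliance. First, the default is deny: an absent, malformed or tampered cookie yields no consent for any category, so nothing non-essential loads until the user has acted. Second, the gate can only add resources; if a user later narrows their choice, scripts already running cannot be unloaded, so reload the page after saving a withdrawal.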
CCTV and In-Premises Monitoring
If your restaurant has CCTV, you are processing video data of customers and staff. You must display a lawful basis notice at the entrance. Most restaurants rely on Article 6(1)(f): legitimate interests in crime prevention and staff safety.
You must retain footage only as long as necessary (typically 30 days for small venues) and provide a transparent notice: "This establishment uses CCTV for security purposes. Footage is retained for 30 days."
Staff data is not exempt from UK GDPR: employees need their own privacy notice covering CCTV, and the same lawful basis and retention rules apply to footage of them. What the Data Protection Act 2018 adds is a condition for special category data processed for employment purposes (Schedule 1, Part 1, paragraph 1), which also requires an appropriate policy document; it does not remove the obligations above.
Privacy Policy Requirements
Your privacy policy must clearly state:
- What personal data you collect (booking name, email, phone, dietary info, payment card details passed to processor and analytics events)
- Why you collect it (lawful basis: contract performance, consent, legitimate interests)
- How long you keep it (for example: bookings retained for 6 months for service recovery; email lists retained while consent is active; payment records 6 years for tax; CCTV 30 days)
- Who you share it with (payment processor name, email marketing platform name, analytics provider and third-party review sites)
- Users' rights: right of access, correction, erasure, restriction, objection, data portability, the right not to be subject to automated decision-making, and the right to complain to the ICO
Do not use generic templates. Tailor the policy to your actual practices.
Data Subject Rights
Under UK GDPR Articles 15-22, any customer can request:
- Access to all personal data you hold (Article 15)
- Correction of inaccurate data (Article 16)
- Erasure (the "right to be forgotten") if there is no lawful basis to retain it (Article 17)
- Restriction of processing while you investigate a complaint (Article 18)
- Data portability: export their data in a structured format (Article 20)
- Objection to marketing or profiling (Article 21)
You must respond without undue delay and at the latest within one month of receipt (Article 12(3)); for complex or numerous requests this can be extended by two further months, but you must tell the requester within the first month. The restaurant business is the data controller, not an individual; for a small restaurant, designating one person (typically the owner or manager) to log and handle subject access requests reduces compliance friction.
Compliance Enforcement
In 2024, the ICO took enforcement action against 32 UK GDPR cases, with 30 resulting in reprimands (formal warnings) rather than fines. Reprimands are particularly common for small businesses. While not financial penalties, reprimands create a public enforcement record and can lead to higher fines if future breaches occur.
The most common breaches are inadequate privacy policies, missing or invalid consent for marketing emails and cookies loading before consent. Restaurants are not typically singled out; rather, all sectors face similar obligations.
Key Next Steps
- Review your online booking form and check which fields are truly necessary for the reservation. Remove optional data you do not use.
- Test your cookie banner in an incognito browser window and verify that non-essential cookies do NOT load until consent is given.
- Review all third-party embeds (Google Maps, TripAdvisor, social media pixels) and either obtain valid consent or remove them.
- Update your privacy policy to disclose all data collection and processing practices specific to your restaurant.
- Ensure email marketing signup forms use opt-in (not pre-ticked) consent.
- Document your data retention policy: how long do you keep booking records, email lists, payment records, and CCTV footage?