We Scanned 380 UK Restaurant Websites: Here's What We Found

Steven | TrustYourWebsite · 15 April 2026 · Last updated: June 2026

Your restaurant website has a menu, a booking form and a Google Maps embed. Simple enough. But is it actually compliant with UK data protection law?

We scanned 380 UK restaurant websites across 17 cities, from London to Edinburgh, Manchester to Cardiff. Here's what we found.

We don't name individual restaurants. This research is about patterns, not pointing fingers.

How we scanned

We selected 407 restaurant websites from 17 UK cities via the Google Places API. Independent restaurants with their own .uk/.co.uk domain only, excluding chains, Deliveroo and Just Eat pages. Of 407 attempts, 380 scans succeeded. The remaining 27 were unreachable or blocked automated access.

Each website was scanned with the same automated checks we use in our free website scanner. We checked 13 points including cookie consent, privacy policy, Google Fonts, Google Maps, Companies House number, UK VAT number, ICO registration, security headers and basic accessibility. For the Companies House number, VAT number, ICO registration and Google Maps, we followed links to contact, imprint and privacy pages.

Key findings at a glance

| Check | Failure rate | Sites affected (of 380) | Legal source |
|---|---|---|---|
| No cookie banner | 51.1% | 194 | PECR Reg 6 |
| Google Analytics loads before consent | 62.1% | 236 | PECR Reg 6 plus UK GDPR Art 6 |
| Google Fonts loaded from Google servers | 59.7% | 227 | UK GDPR Art 6 (IP transfer) |
| No findable privacy policy | 35.3% | 134 | UK GDPR Art 13 |
| No Companies House number displayed | 86.1% | 327 | Companies Act 2006 s.82 |
| No ICO registration number visible | 98.2% | 373 | DP (Charges and Info) Regs 2018 |
| Google Maps embeds load without consent | 47.4% | 180 | PECR Reg 6 plus UK GDPR Art 6 |
| Images missing alt text | 50% of images (72.9% of sites) | 277 | Equality Act 2010 |

Of the 380 scanned UK restaurant websites, 194 (51.1%) have no cookie banner at all.

Of the 186 sites that do show a banner, 48.4% have no working reject button. Visitors can only click "accept" or navigate through multiple layers to reject.

That leaves 96 restaurants (25.3%) with a cookie banner that actually offers an equivalent reject option.

The ICO's cookies guidance is explicit: "You must make it as easy for users to withdraw their consent as it is to give it." Since PECR (the Privacy and Electronic Communications Regulations 2003) was amended in 2011, consent for non-essential cookies must be freely given.

In January 2025, the ICO announced it was taking action on cookie compliance across the top 1,000 UK websites, a clear signal that enforcement is widening beyond big names.

Post-Brexit, some UK businesses assume EU data protection rules no longer apply. They do. The UK retained GDPR as "UK GDPR" with substantively identical requirements, enforced by the ICO. The maximum fines match the EU: £17.5 million or 4% of annual turnover.

236 of the 380 restaurants load Google Analytics before the visitor has made any choice. Google Tag Manager is active on 61.3% of all scanned sites, the most common tracking service we observed in any country we studied.

25.3% (96 sites) load the Facebook Pixel before consent, also the highest rate of the four countries we scanned (NL, BE, IE, UK).

UK restaurants are more tracking-heavy than their continental counterparts. That's partly a reflection of the competitive UK hospitality market and partly the prevalence of marketing agencies pushing analytics and remarketing setups without always configuring consent properly.

59.7% load Google Fonts externally

227 of the 380 UK sites load Google Fonts directly from Google servers. Every visitor's IP address is sent to the US.

The Munich Regional Court ruled on 20 January 2022 (Az. 3 O 17493/20) that loading Google Fonts externally without consent violates GDPR and awarded €100 per visitor in damages. The German ruling doesn't bind the UK, but UK GDPR is substantively identical. IP addresses are personal data under UK GDPR (confirmed in Vidal-Hall v Google among other cases) and transferring them to the US without consent has no legal basis.

The fix: download the fonts, self-host them. Ten minutes of work.

35.3% have no findable privacy policy

246 of the 380 restaurants (64.7%) have a findable privacy policy, the highest rate we measured. Still, 134 (35.3%) have no privacy policy findable through common menu or footer links.

Every restaurant with a reservation form or email signup must provide the Article 13 disclosures under UK GDPR. The privacy policy must describe what data you collect, why, on what legal basis, how long you keep it and who you share it with.

86.1% don't display a Companies House number

Only 53 of the 380 restaurants (13.9%) display a Companies House registration number in a place we could find. This is a legal requirement under the Companies Act 2006, Section 82, which requires limited companies to display their registered number on websites and business communications.

Of course, many smaller restaurants operate as sole traders or partnerships and don't have a Companies House number. But most restaurants that look like limited companies still don't show the number. Compare this to BE (17.7% KBO) or NL (11.8% KVK). The UK is actually in the middle.

98.2% have no ICO registration number

Only 7 restaurants (1.8%) display an ICO registration number. This is the most striking compliance gap in our UK data.

ICO registration is a legal requirement for most UK businesses that process personal data, under the Data Protection (Charges and Information) Regulations 2018. It costs £52 per year for small businesses (Tier 1, £47 by direct debit) and rises to £78 (Tier 2) or £3,763 (Tier 3) for larger organisations, following the February 2025 fee uplift. The ICO has the power to issue fixed monetary penalties of up to 150% of the fee due for non-payment.

Restaurants process personal data constantly: reservation systems, CCTV footage, email newsletters, staff records. Almost all are required to register.

The ICO doesn't require the registration number to be displayed on your website (though it's a common good practice), but every reservation confirmation email and privacy policy should include it. Our scan suggests most UK restaurants either aren't registered or don't reference their registration publicly.

180 of the 380 restaurants embed a Google Maps widget that loads immediately, sending every visitor's IP to Google without consent. Same legal issue as Google Fonts: IP addresses are personal data, no consent was given.
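
A sketch of how the pre-consent findings above (Google Fonts, Analytics/Tag Manager, Facebook Pixel, Google Maps) can be detected from a page's initial HTML. This is an added example, not the TrustYourWebsite scanner's code; the host list, the function names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts for the services named in the article (list constructed for this example).
SERVICES = {
    "fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
    "www.googletagmanager.com": "Google Tag Manager / Analytics",
    "www.google-analytics.com": "Google Tag Manager / Analytics",
    "connect.facebook.net": "Facebook Pixel",
}

class PreConsentScanner(HTMLParser):
    """Collects third-party URLs the browser requests while parsing the page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Consent managers commonly park blocked tags as type="text/plain";
        # the browser neither fetches nor runs those until consent flips the type.
        if tag == "script" and (a.get("type") or "").lower() == "text/plain":
            return
        # An iframe holding only a data-src placeholder causes no request.
        url = a.get("href") if tag == "link" else a.get("src")
        if tag not in ("script", "link", "iframe") or not url:
            return
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        service = SERVICES.get(host)
        if host.startswith("maps.google") or (
                host == "www.google.com" and parts.path.startswith("/maps")):
            service = "Google Maps"
        if service:
            self.findings.append((service, tag, url))

def scan(html):
    """Return (service, tag, url) for each third-party load present before consent."""
    scanner = PreConsentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: Fonts, gtag and one Maps iframe load at once; the Pixel
# and the second iframe are held back the way a consent manager would hold them.
SAMPLE = """<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Lora">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<iframe src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>
<iframe data-src="https://www.google.com/maps/embed?pb=EXAMPLE"></iframe>"""

print(*scan(SAMPLE), sep="\n")
```

Static parsing only sees tags written in the markup. Inline snippets that inject a tracker at runtime have to be observed in a headless browser by recording network requests before any banner interaction.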

Accessibility

Of the 6,867 images we analysed, 3,432 (50%) were missing alt text. 277 of the 380 sites (72.9%) had at least one image without alt text.

The Equality Act 2010 requires service providers to make reasonable adjustments for disabled users. The European Accessibility Act has not been transposed into UK law post-Brexit, but public sector websites already fall under the Public Sector Bodies (Websites and Mobile Applications) (No. 2) Accessibility Regulations 2018 and private sector hospitality businesses can face complaints and damages under the Equality Act for inaccessible online services.

Security: the basics are missing everywhere

| Security header | Present on | What it protects against |
|---|---|---|
| HSTS (Strict-Transport-Security) | 42.4% (161 sites) | Forces HTTPS. Prevents downgrade attacks. |
| X-Frame-Options | 26.6% (101 sites) | Clickjacking via iframe embedding. |
| Content-Security-Policy | 13.7% (52 sites) | XSS, untrusted script execution, data exfiltration. |
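
A header audit for the three headers in the table, as an added example that is not the scanner's own code. It goes beyond a presence check: it reads the HSTS lifetime, accepts a CSP `frame-ancestors` directive as clickjacking protection, and flags a policy that still allows inline scripts. The 180-day threshold, the function names and the sample headers are assumptions.

```python
import re

MIN_HSTS_AGE = 15552000  # 180 days; this threshold is an assumption of the example

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit_headers(headers):
    """Return findings for HSTS, framing protection and CSP, in that order."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    findings = []

    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    elif not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age too short")

    # A CSP frame-ancestors directive controls framing just as X-Frame-Options does.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection")

    # script-src falls back to default-src when it is not set.
    script_src = csp.get("script-src", csp.get("default-src"))
    if not csp:
        findings.append("CSP missing")
    elif script_src is None:
        findings.append("CSP does not restrict scripts")
    elif "'unsafe-inline'" in script_src and not any(
            t.startswith(("'nonce-", "'sha")) for t in script_src):
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
        findings.append("CSP allows inline scripts")
    return findings

# Constructed response headers: all three are present, and all three are weak.
SAMPLE = {
    "strict-transport-security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}
print(audit_headers(SAMPLE))
```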

42.9% of sites run WordPress (163 sites). WordPress is a popular target for automated attacks because outdated versions and vulnerable plugins are easy to find.

What this means for your restaurant

UK GDPR is not going away. The ICO issued 85 fines totalling £44 million in 2024 and enforcement notices against small businesses have been increasing, including for basic issues like missing privacy policies and improper cookie consent.

The good news: most of these issues can be fixed in an afternoon.

  • Cookie banner without a working reject? Replace it with one that makes reject as easy as accept.
  • Google Fonts external? Download the fonts and self-host.
  • Google Maps on every page? Replace with a static map image and a "Get directions" link.
  • Not registered with the ICO? Register at ico.org.uk for £52/year (£47 by direct debit).
  • No privacy policy? Use a template and tailor it to your reservation form, analytics and Maps usage. Include your ICO registration number.
  • Images without alt text? Every image on a public page needs a short description.

Scan your website and find out where you stand in 60 seconds.

Methodology

  • Period: 14-15 April 2026
  • Websites scanned: 380 successful (of 407 attempts, 27 unreachable or blocked automated access)
  • Selection method: Google Maps/Places API searching for "restaurant" across 17 UK cities, filtered to .uk/.co.uk/.pub domains
  • Cities: London, Manchester, Birmingham, Edinburgh, Glasgow, Bristol, Leeds, Liverpool, Newcastle, Sheffield, Nottingham, Cardiff, Belfast, Brighton, Oxford, Cambridge, Bath
  • Selection criteria: Independent restaurants with their own UK-TLD domain, excluding international chains, no platform pages (Just Eat, Deliveroo, TripAdvisor)
  • Scanner: TrustYourWebsite automated compliance scanner
  • Checks per website: 13 universal + 3 UK-specific (Companies House number, UK VAT number, ICO registration)
  • Multi-page check: For Companies House, VAT, ICO and Google Maps, the scanner followed links to contact, imprint and privacy pages (up to 5 additional pages per site)

This research is a snapshot in time. Websites change continuously. Individual restaurants are not named.




This is technical analysis, not legal advice. Consult a solicitor or data protection specialist for advice specific to your restaurant.
