Restaurant websites look simple, but they're surprisingly complicated from a privacy standpoint. A single site might run an online ordering system, embed a reservation widget from OpenTable or Resy, display Uber Eats or DoorDash ordering widgets, show Google Reviews or TripAdvisor ratings, load a Google Maps embed, and run retargeting to bring back customers who browsed the menu but didn't order. Each sets cookies, and each creates consent obligations under GDPR and other privacy laws.
This guide covers what restaurant owners and food service IT teams need to know about cookie consent for restaurant and food delivery websites in 2026: which cookies are essential, which need consent, and where most restaurant sites get it wrong.
Online Ordering System Cookies: What's Essential and What Isn't
Your online ordering system is the revenue engine. Its cookies break into two clear categories, and getting this wrong either blocks orders (if you're too aggressive with blocking) or violates privacy law (if you're too lax).
Essential cookies (no consent needed):
- Session cookies that keep the ordering flow working. These track items in the cart, maintain the checkout state, and hold the customer's selected location or delivery address across pages. Without them, the cart empties on every page load. Blocking these pre-consent breaks your ordering flow entirely.
- Payment processing cookies from Stripe, Square, or your POS provider's online gateway. These handle fraud detection, 3D Secure authentication, and payment session integrity. They're strictly necessary for completing a transaction.
- Authentication cookies for logged-in customers with accounts on your ordering platform (remembering a returning customer's session after login).
- CSRF protection tokens securing your ordering forms against cross-site attacks.
Cookies that need consent:
- Analytics cookies tracking which menu items customers view, how long they spend on the menu page, or where they drop off in the checkout funnel. These serve your business goals, not the customer's ordering request. GA4's _ga and _ga_* cookies fall here.
- Retargeting cookies from Meta Pixel (_fbp, _fbc) or Google Ads (_gcl_aw) used to show ads to people who browsed your menu but didn't order.
- Cross-session personalization like "your recent orders" or "recommended for you" based on browsing history. If it's driven by cookies rather than a logged-in account, it needs consent.
- A/B testing cookies from Optimizely or VWO testing different menu layouts or pricing presentations.
The legal test is straightforward: does this cookie serve what the customer asked for right now (placing an order), or does it serve what you want later (marketing, analytics, optimization)? The first category is essential. The second needs consent. For a deeper breakdown, see our cookie types guide.
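The split above can be checked mechanically. The following is an added example, not part of the original guide or any vendor's code: it audits a cookie string against the consent categories the visitor has granted, using the cookie names listed above. The essential cookie names and the sample string are hypothetical and constructed for illustration.

```javascript
// Cookie names the article lists as needing consent.
const CONSENT_RULES = [
  { pattern: /^_ga(_.+)?$/, category: "analytics" }, // GA4: _ga and _ga_*
  { pattern: /^_fb[pc]$/, category: "marketing" },   // Meta Pixel: _fbp, _fbc
  { pattern: /^_gcl_aw$/, category: "marketing" },   // Google Ads
];

// ASSUMPTION: hypothetical names for this site's essential cookies. Replace
// them with the names your ordering platform actually sets.
const ESSENTIAL = new Set(["cart_session", "checkout_state", "csrf_token"]);

// Extract cookie names from a document.cookie-style "a=1; b=2" string.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0);
}

function classify(name) {
  if (ESSENTIAL.has(name)) return "essential";
  const rule = CONSENT_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unclassified";
}

// granted: categories the visitor has accepted (empty before any choice).
// Returns cookies present without matching consent, plus unknown names that
// need a manual decision before they can be called essential.
function auditCookies(cookieString, granted = []) {
  const allowed = new Set(["essential", ...granted]);
  const report = { violations: [], unclassified: [] };
  for (const name of cookieNames(cookieString)) {
    const category = classify(name);
    if (category === "unclassified") report.unclassified.push(name);
    else if (!allowed.has(category)) report.violations.push({ name, category });
  }
  return report;
}

// Constructed sample: cookies seen on first page load, banner untouched.
const SAMPLE =
  "cart_session=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.1; _fbp=fb.1.1.1; widget_pref=x";

console.log(auditCookies(SAMPLE));                // _ga, _ga_ABC123, _fbp flagged
console.log(auditCookies(SAMPLE, ["analytics"])); // only _fbp flagged
```

A string read from document.cookie shows only cookies readable by your own page, not HttpOnly cookies or cookies an iframe sets on its own domain, so embedded widgets still need a scanner or a browser devtools review.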
Reservation System Integrations: OpenTable, Resy, and Consent
Most restaurants don't build their own reservation system. They embed widgets from OpenTable, Resy, Yelp Reservations, or similar platforms. This creates a consent question that catches many restaurant owners off guard: who's responsible for cookies set by an embedded reservation widget on your domain?
Embedded widgets and iframes: When an OpenTable booking widget loads inside an iframe on your website, it sets its own cookies on the OpenTable domain. But you chose to embed it. Under GDPR, that makes you jointly responsible for informing visitors and collecting consent before those cookies fire. You can't dismiss them as "not our cookies" when you put the widget on your page.
Redirect-based booking: When "Reserve a Table" links to OpenTable's own site, consent for cookies on their domain is entirely their problem. Your obligation ends at your domain boundary. This is the simpler approach from a compliance standpoint.
What the widgets actually set: Reservation widgets typically drop session cookies (essential for the booking flow), analytics cookies (tracking widget interactions for the platform), and sometimes marketing cookies (for the platform's own retargeting). The session cookie is essential. The analytics and marketing cookies need consent, and since they're firing on your domain, you need to account for them in your banner.
The practical fix: audit your reservation widgets with an automated cookie scanner. Know exactly what cookies each widget sets. If consent hasn't been given, either block the widget's non-essential cookies or switch to a redirect-based integration where customers book on the platform's own site.
Delivery Platform Widgets: Uber Eats, DoorDash, and Grubhub on Your Site
Many restaurants embed ordering buttons or widgets from delivery platforms directly on their website. The consent implications depend entirely on how you integrate them.
Simple buttons vs. embedded widgets: A plain HTML link to your Uber Eats listing doesn't set any cookies and needs no consent. But a JavaScript-powered widget that loads the platform's ordering interface inline on your page loads third-party scripts, sets cookies, and sends data to the platform before the customer even interacts with it.
What these widgets typically set:
- Platform session cookies for the ordering state within the embed (usually essential if the customer is actively ordering).
- Platform analytics cookies tracking widget usage and conversion rates (serves the platform, needs consent).
- Advertising and attribution cookies connecting the visit to the platform's ad network (definitely needs consent).
If the widget loads on your domain and sets cookies there, you're responsible for consent, not the delivery platform. Their privacy policy doesn't cover what happens on your site. The simpler alternative: a plain link or QR code to your platform listing. No scripts, no cookies, and the platform handles its own consent on its own domain.
Review Platform Tracking: Google Reviews and TripAdvisor Widgets
Displaying reviews builds trust, but the way you display them matters for consent compliance. Loading a Google Reviews, TripAdvisor, or Yelp widget via JavaScript pulls in third-party scripts that set tracking cookies on your domain. These serve the platform's analytics and advertising ecosystem, not your visitor's request, so they need consent.
The consent-free alternative: Display review content as static HTML instead of live embeds. Pull in review quotes, show your star rating as rendered text, and link to your full listings. Static content sets zero cookies and needs zero consent. Updating review quotes monthly is a small effort compared to managing consent for multiple third-party widgets.
If you do use live widgets, make sure your script blocking holds them until consent is granted, with a static fallback visible when scripts are blocked.
Local SEO and Consent: Google Maps, Business Profile, and Your Website
Local SEO matters more for restaurants than almost any other business. Your Google Business Profile, Google Maps embed, and local search presence are your primary discovery channels. But there's a cookie angle many restaurant owners miss.
Embedded Google Maps: Most restaurant sites embed a Google Map for directions. This loads Google's scripts and sets cookies. Under strict GDPR interpretation, Maps is a convenience feature, not strictly necessary for the site to function. Some DPAs require consent because the embed transmits visitor IP addresses and browsing data to Google.
If you block Maps until consent, visitors who decline see no map. For a restaurant, directions are genuinely useful, not decorative. Two approaches work:
- Consent-gated with fallback: Show a static map image or a text address with a "click to load interactive map" button that triggers after consent. The visitor still gets the address and can copy it into their preferred navigation app.
- Link-based: Skip the embed entirely. Link to your Google Maps listing. No scripts load, no cookies set, and the customer gets full navigation functionality on Google's own surface.
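The consent-gated approach, and the script blocking with a static fallback described for review widgets, both reduce to the same gate. This is an added sketch, not CookieBeam's or Google's code: each embed shows its static fallback until the banner grants its category. The category names, slot ids and fallback markup are assumptions for illustration.

```javascript
// Holds third-party embeds until the visitor grants the matching category.
// showFallback(slot, html) renders static, cookie-free content in the meantime.
function createConsentGate(showFallback) {
  const granted = new Set(); // categories the visitor has accepted
  const pending = new Map(); // slot id -> embed still waiting for consent
  return {
    // embed = { slot, category, fallbackHtml, activate }
    register(embed) {
      if (granted.has(embed.category)) { embed.activate(); return "live"; }
      pending.set(embed.slot, embed);
      showFallback(embed.slot, embed.fallbackHtml); // no third-party request yet
      return "fallback";
    },
    // Called by the banner when the visitor accepts a category.
    grant(category) {
      granted.add(category);
      const released = [];
      for (const [slot, embed] of pending) {
        if (embed.category !== category) continue;
        embed.activate(); // first moment the third-party resource may load
        pending.delete(slot);
        released.push(slot);
      }
      return released;
    },
    pendingSlots: () => [...pending.keys()],
  };
}

// Browser wiring. fallbackHtml must be site-authored markup, never visitor input.
const domFallback = (slot, html) => { document.getElementById(slot).innerHTML = html; };
const iframeActivator = (slot, src) => () => {
  const frame = document.createElement("iframe");
  frame.src = src;
  document.getElementById(slot).replaceChildren(frame);
};

// Constructed demo with in-memory sinks so the gate logic runs outside a browser.
function demo() {
  const log = [];
  const gate = createConsentGate((slot) => log.push("fallback:" + slot));
  const embed = (slot, category) =>
    ({ slot, category, fallbackHtml: "<address>(static)</address>", activate: () => log.push("live:" + slot) });
  gate.register(embed("map", "functional")); // category names are assumptions
  gate.register(embed("reviews", "marketing"));
  gate.grant("functional");
  return { log, pending: gate.pendingSlots() };
}
```

In a page, pass domFallback to createConsentGate and use iframeActivator(slot, src) as the embed's activate function, so the iframe element does not exist in the DOM until consent is granted.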
Google Business Profile interactions: Reviews, photos, posts, and Q&A on your GBP listing happen on Google's platform, not your website. Those interactions are Google's consent responsibility. But if you embed GBP reviews or posts on your site using Google's JavaScript, the consent obligation moves to you.
Schema markup and structured data: Adding Restaurant or LocalBusiness schema markup to your pages for rich search results is pure HTML metadata. No cookies, no scripts, no consent needed. This is the local SEO work that's entirely consent-free and you should be doing it regardless.
Multi-Location Restaurant Groups and Franchises
If you run multiple locations on a single domain (restaurant.com/locations/berlin), consent cookies are shared naturally and one banner covers everything. But consent rules should adapt by visitor location, not restaurant location. A visitor in Berlin browsing the Paris page gets GDPR rules because of where the visitor is.
Separate domains per location each need their own consent configuration. For shared preferences across domains, you'll need server-side consent sharing tied to customer accounts. For multi-region operations, regional consent rules let one configuration adapt per jurisdiction automatically. See our privacy law comparison for which rules apply where.
How CookieBeam Handles Restaurant Site Compliance
CookieBeam addresses the specific challenges restaurant sites face without adding friction to the ordering experience.
Automated scanning: CookieBeam's cookie scanner crawls your site and identifies every cookie from your ordering system, reservation widgets, delivery platform embeds, review widgets, and Maps integration. It flags new cookies when your ordering platform updates or you add a new integration, catching drift before it becomes a compliance gap.
Smart script blocking: Essential ordering cookies (session, cart, payment) are never blocked. Marketing and analytics scripts are held until consent is granted. Your ordering flow works identically regardless of whether the customer accepts or declines cookies. Only tracking changes.
Consent Mode v2: CookieBeam fires the right Consent Mode v2 signals based on each visitor's choice. When marketing cookies are declined, Google's behavioral modeling still recovers some analytics visibility so you're not completely blind on traffic patterns.
Geo-based consent rules: A restaurant in a tourist area serves visitors from dozens of jurisdictions. CookieBeam's regional system matches each visitor to the right consent behavior at page load. EU visitors get prior opt-in. US visitors get opt-out defaults. No manual per-visitor configuration needed.
Simple setup: CookieBeam installs with a single script tag. The scanner auto-classifies detected cookies from ordering platforms, reservation systems, and review widgets. No dedicated IT team required.
Quick Compliance Checklist for Restaurant Websites
- Audit your ordering system's cookies. Session, cart, and payment cookies are essential. Analytics and retargeting cookies on the ordering flow are not.
- Check your reservation widget. If you embed OpenTable, Resy, or similar, know what cookies they set on your domain. Consider switching to a redirect-based booking link if the widget sets cookies you can't control.
- Review delivery platform embeds. A simple link to your Uber Eats or DoorDash listing is consent-free. A JavaScript widget is not.
- Handle review widgets. Use static review quotes instead of live embeds to avoid third-party tracking cookies entirely.
- Address the Google Maps embed. Provide a static image or text address fallback for visitors who decline cookies.
- Use geo-based consent. Don't apply the strictest GDPR rules to every visitor globally. Adapt by visitor location to balance compliance and data collection.
- Deploy server-side tracking for marketing recovery. Meta CAPI and Enhanced Conversions via sGTM recover attribution lost to consent refusals, especially valuable for restaurants running local ads.
- Scan regularly. Ordering platform updates, new delivery integrations, and review widget changes introduce new cookies. Automated scanning catches them before regulators do.