Cookie consent in Ireland: DPC rules your website must follow

Cookie consent in Ireland is governed by SI 336 of 2011, the Irish transposition of the EU ePrivacy Directive, and reinforced by GDPR where cookies involve personal data processing. The Data Protection Commission (DPC) has made cookie compliance a stated enforcement priority, and has initiated own-volition investigations into cookie banners across Irish websites.

Here is what your website must do.

---

The core rule: consent before cookies

Under SI 336 of 2011, you must obtain the user's consent before storing or accessing any information on their device that is not strictly necessary for the service they have specifically requested.

In practice: no tracking scripts, analytics cookies, advertising pixels, or social media widgets should load until the visitor actively accepts them.

Strictly necessary cookies (no consent needed):

• Session cookies for login and shopping basket
• Security cookies (CSRF tokens, authentication)
• Load balancing cookies
• The cookie that stores the visitor's consent preference

Everything else requires consent:

• Google Analytics, Google Tag Manager
• Facebook/Meta Pixel
• LinkedIn Insight Tag
• Hotjar, Microsoft Clarity
• Advertising and retargeting scripts
• Social share buttons that set cookies
• Google Fonts if loaded from Google's servers (transmits IP addresses)

---

DPC position on dark patterns

The DPC has been explicit: cookie banners that use design techniques to steer users towards accepting cookies are dark patterns that undermine valid consent.

The DPC considers these practices problematic:

The DPC's approach aligns with EDPB (European Data Protection Board) Guidelines 03/2022 on dark patterns, which it has formally endorsed.

---

The DPC enforcement mechanism: what it can and can't do

This is important and often misunderstood:

Under SI 336 of 2011 (ePrivacy): The DPC cannot issue direct administrative fines for cookie violations. It can serve enforcement notices and prosecute violations as criminal offences through the courts.

Under GDPR (Data Protection Act 2018): Where cookie activity involves processing personal data (which analytics cookies always do, as they transmit IP addresses), the DPC can apply GDPR enforcement powers. These include fines up to €20 million or 4% of global annual turnover.

In practice, this means serious cookie violations, particularly large-scale pre-consent tracking, can attract GDPR-level fines.

The DPC has also conducted "sweeps" of Irish websites specifically looking at cookie compliance, publishing findings and issuing letters to website operators whose banners fail the basic requirements.

---

What "prior consent" actually means

Consent under SI 336 and GDPR must be:

• Freely given: refusing cookies must be as easy as accepting them
• Specific: separate consent for analytics, marketing, functional cookies
• Informed: users must understand what they're consenting to
• Unambiguous: a clear affirmative action, not pre-ticked boxes or continued browsing
• Withdrawable: users must be able to change their mind at any time

A cookie banner that says "By continuing to use our website, you consent to cookies" does not meet the standard.

---

Common implementation failures for Irish websites

Failure 1: Google Analytics loads on every page visit The most frequent violation. GTM is installed, Google Analytics fires on page load, before any consent interaction. Fix: implement proper consent mode blocking in GTM.

Failure 2: Banner exists but doesn't block scripts The banner appears, the user clicks "Reject", but tracking scripts load anyway. This happens when the CMP (consent management platform) is misconfigured or overridden by hard-coded analytics tags. Our scanner tests this specifically.

Failure 3: Cookie preferences not remembered The banner reappears on every visit. Either the consent cookie isn't being set, or it has a very short expiry. The consent record should be stored for at least 6-12 months.

Failure 4: Free WordPress plugin with default settings Many free cookie plugins default to compliance-light configurations: pre-ticked boxes, no "Reject All" button, or banners that don't actually block scripts. Check your specific plugin's documentation.

---

Our scanner tests whether your banner actually works

Most tools check whether a banner exists. We check whether it works by simulating a visitor clicking "Reject All" and then measuring what scripts and cookies are still active.

This is how the DPC investigates complaints: they test the actual behaviour, not just the presence of a banner.

Test your cookie banner for free →

---

How Irish DPC cookie enforcement has evolved 2020 to 2026

The DPC cookie timeline tells you how the regulator's thinking shifted from warning to action.

April 2020. The DPC published its cookie sweep report after examining 38 Irish websites across publishing, retail, hospitality, insurance, sport and public sector. 35 of the 38 failed at least one compliance test. The DPC issued a Guidance Note alongside the sweep and gave six months to comply.

October 2020. The grace period ended. The DPC started engaging with individual sites that remained non-compliant.

2021 to 2022. Enforcement on cookies was mostly by reprimand and negotiated commitment rather than fines. This gave the DPC a chance to test arguments and build case law.

2023. The DPC opened public investigations into specific high-traffic sites. Settlement negotiations replaced some of these but the message landed.

2024 to 2025. The DPC reissued guidance clarifying two points: analytics cookies need consent without exception, and cookie banners that make reject harder than accept are a transparency failure not just a consent failure.

2026. Current DPC priorities include cookie banner dark patterns, consent renewal intervals and cross-border coordination with the CNIL and the Dutch AP on cookie cases that span multiple jurisdictions.

The lesson for Irish SMBs is that the DPC prefers to educate before it fines, but the educate phase is over. Banners that were acceptable in 2022 aren't acceptable in 2026.

---

Where the DPC differs from other EU regulators

Irish regulators don't operate in a vacuum. The EDPB coordinates the European DPAs and publishes common guidelines. But each regulator interprets close cases differently, and the differences matter if your site is multi-national.

Analytics cookies. The Belgian APD treats Google Analytics as non-essential and requires consent without exception. The French CNIL allows first-party analytics without consent under strict conditions including data minimisation and no cross-site tracking. The DPC sits closer to the APD position since the 2023 guidance update. Consent is the safe default.

Cookie walls. The CNIL accepts them case by case since the Conseil d'État ruling of 19 June 2020. The APD prohibits them. The DPC's position published in 2020 is that users should not suffer disadvantage for refusing. In practice the DPC has not issued a formal sanction for a cookie wall, but the position is closer to the APD than to the CNIL.

Consent renewal. The CNIL recommends six months. The DPC agrees. The ICO in the UK has accepted 12 months. The APD prefers six months.

Cross-device tracking. All EU regulators agree it needs consent. Divergence is in the expected user interface, not the rule.

For an Irish site targeting only Ireland, follow DPC guidance. For an Irish site targeting the EU, configure for the strictest of the DPC, CNIL and APD positions. That's always the APD position today.

---

Four mistakes Irish SMBs keep making

After several hundred scans on Irish business sites these four issues appear in roughly 80% of audits.

Analytics before consent. Google Analytics or Plausible or Matomo is loaded in the <head> and fires on every page view regardless of the cookie banner state. The fix is loading the script only after the consent event. Most CMPs support this. Home-grown banners often don't.

"Accept all" but no "Reject all" at level one. The user sees Accept in a bright button. The alternatives are Manage or Settings in a muted link. The DPC guidance says reject must be as easy as accept. If reject requires a second click, it isn't.

Pre-ticked boxes in the settings panel. The main banner has Accept and Manage. The user clicks Manage. The panel shows four categories all pre-toggled to on. Pre-ticked is an old habit that died in 2020 EDPB guidance and should not appear on any Irish site in 2026.

No proof of consent. The site stores a cookie called cookie_consent=accepted with a date. That's a preference record, not a proof. If the DPC asks how you know user X consented on 12 March 2025, you need a timestamped log with the banner version shown, the choices offered and the user's selection. CMPs do this automatically.

The free scan catches all four in one pass. For manual testing, open the browser devtools Network tab, reload the page, and watch what fires before you click anything. If third-party requests to Google Analytics, Meta or similar domains appear before consent, you have problem number one.

---

Sources

• SI 336 of 2011, Irish Statute Book
• DPC, Guidance on cookies and other tracking technologies
• EDPB Guidelines 03/2022 on dark patterns

---

This is technical analysis, not legal advice.