This guide is for Irish business owners, startups, marketers, and web developers who operate websites that use cookies, analytics (Google Analytics), or marketing tools (Meta Pixel) and target Irish users.
It sets out clear steps for achieving DPC-compliant consent banners, policies, and third-party tool handling, reducing legal risk and exposure to fines so you can focus on business growth.
Key Takeaways
- Consent is required for non-essential cookies under the ePrivacy Regulations (SI 336/2011), to the GDPR standard, in Ireland.
- Only strictly necessary cookies are exempt; analytics, marketing, and functional cookies need granular prior consent.
- Banners must offer equally prominent accept and reject options, category toggles, and easy withdrawal.
- No non-essential cookies may fire before consent; test implementations thoroughly.
- The DPC enforces actively: its sweeps have found the majority of sites non-compliant, and fines are possible.

Cookie Consent for Irish Websites: What the Law Requires Under ePrivacy and GDPR
If your website uses cookies or tracking technologies, Irish law requires you to get consent before they fire. Cookie consent in Ireland is governed by two overlapping frameworks: the ePrivacy Regulations (SI 336/2011) and the GDPR. Getting this wrong is not a theoretical risk. The Data Protection Commission (DPC) has swept Irish websites twice and found the majority to be non-compliant. The DPC has the power to enforce.
This guide covers what the law requires, how to design a compliant cookie banner, and what to watch for with analytics and marketing tools.
What is the cookie law in Ireland?
Cookie consent in Ireland is primarily governed by Regulation 5(3) of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, known as SI 336/2011. These regulations transposed the EU ePrivacy Directive into Irish law and set the rules for storing or accessing information on a user's device.
The GDPR does not regulate the placement of cookies itself, but it governs the processing of any personal data collected through them. Since SI 336/2011 requires consent for non-essential cookies, and the GDPR sets the standard for that data protection consent, the two laws work together. Any consent you obtain must be freely given, specific, informed, and unambiguous, with a clear affirmative action from the user.
The DPC confirmed this interpretation in its 2019 guidance: consent under the ePrivacy Regulations must now meet the higher GDPR standard. Pre-ticked boxes, implied consent from continued browsing, and "cookie walls" that force acceptance do not qualify.
What does valid cookie consent require?
Valid cookie consent in Ireland means obtaining prior, informed agreement from the user before any non-essential cookies are placed on their device. The only exemption is for strictly necessary cookies, those required for the website to function (such as session cookies for a shopping cart or authentication tokens).
For everything else, including analytics, marketing, and functional cookies, you need consent that meets the following conditions:
- Prior: No non-essential cookies fire until the user actively consents
- Informed: The user knows what cookies are used, by whom, and for what purpose
- Specific: Consent is granular, broken down by category (analytics, marketing, functional)
- Freely given: Refusing cookies must not result in a degraded experience or penalty
- Unambiguous: The user takes a clear affirmative action, such as clicking "Accept"
The DPC's position is clear: legitimate interest is not a valid legal basis for placing analytics or marketing cookies on a user's device. Consent is the only option.
Please note: Continued scrolling or browsing does not constitute consent. Neither does a banner that says "By using this site, you agree to our use of cookies." The DPC has explicitly rejected both approaches.
How do you design a compliant cookie banner?
Your cookie banner is the mechanism through which you collect consent. The DPC's guidance and the EDPB's dark patterns guidelines set clear expectations for how it should work.
The banner must explain that the website uses cookies, state the purposes, and provide accept and reject options that are presented with equal prominence, in line with DPC and EDPB guidance. A large green "Accept All" button next to a small grey "Manage Settings" link does not meet the standard. Both choices must be visually equivalent.
Behind the banner, provide a preference centre where users can toggle consent by category. The standard categories are:
- Strictly necessary (always on, no consent needed)
- Analytics (e.g., Google Analytics, Hotjar)
- Marketing (e.g., Meta Pixel, LinkedIn Insight Tag, Google Ads)
- Functional (e.g., chat widgets, embedded videos, language preferences)
Users must be able to revisit and change their preferences at any time. A common approach is a persistent cookie icon or link in the website footer.
For a broader view of your website's legal obligations, see our guide on terms and conditions for websites.
Author's tip: Test your implementation after setup. Use your browser's developer tools to check whether any non-essential cookies fire before consent is given. Many consent management platforms claim to block cookies automatically, but misconfigured tag managers or hardcoded scripts can bypass the blocking. Verify, don't assume.
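One way to script the check described in the tip above, as an added example that is not part of the original guide. The inventory entries, the `session_id` and `promo` cookie names, and the sample cookie string are constructed for illustration; `_ga`, `_ga_<id>` and `_fbp` are the cookie names Google Analytics and the Meta Pixel set.

```javascript
// Added example: audit the cookies present BEFORE the banner is answered.
// The inventory mirrors a cookie policy table; entries are constructed samples.
const INVENTORY = [
  { pattern: /^session_id$/, provider: 'first-party', category: 'strictly-necessary' }, // hypothetical name
  { pattern: /^_ga(_.+)?$/, provider: 'Google Analytics', category: 'analytics' },
  { pattern: /^_fbp$/, provider: 'Meta Pixel', category: 'marketing' },
];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Return every cookie that should not exist before consent:
// non-essential ones, and ones missing from the policy inventory.
function auditPreConsent(cookieString, inventory = INVENTORY) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const entry = inventory.find((e) => e.pattern.test(name));
    if (!entry) {
      findings.push({ name, reason: 'undeclared' });
    } else if (entry.category !== 'strictly-necessary') {
      findings.push({ name, reason: `${entry.category} cookie set before consent` });
    }
  }
  return findings;
}

// Constructed sample of what document.cookie might show on first page load,
// before the visitor has touched the banner.
const SAMPLE =
  'session_id=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.x; _fbp=fb.1.1.1; promo=1';
```

In a browser console, `auditPreConsent(document.cookie)` run in a fresh private window gives a first pass; `document.cookie` does not list HttpOnly cookies or cookies set on third-party domains, so confirm against the developer tools storage panel as well.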
What about analytics and marketing cookies?
Google Analytics is one of the most common tools on Irish websites, and it requires consent. GA4 collects data that qualifies as personal data under GDPR (client IDs, IP addresses, browsing behaviour). You cannot rely on legitimate interest to justify its use.
To use Google Analytics compliantly in Ireland:
- Implement a consent management platform that blocks GA4 until consent is given
- Use Google Consent Mode to adjust tag behaviour based on the user's choice, but only after consent signals are properly implemented
- Ensure your data processing agreement with Google is in place
- Disclose GA4 in your cookie policy with its purpose, provider, and duration
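The first two steps above can be wired together as follows. This is an added example, not code from the original guide or from Google: the category names follow this guide's preference centre, `createConsentController` and its methods are hypothetical names, and the signal keys are Google Consent Mode's own.

```javascript
// Added example: map banner categories to Google Consent Mode signals.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  functional: ['functionality_storage', 'personalization_storage'],
};

// Only an explicit boolean true counts as consent; missing values, "yes",
// 1 or anything pre-filled all resolve to "denied".
function toConsentSignals(choices = {}) {
  const signals = {};
  for (const [category, keys] of Object.entries(SIGNALS_BY_CATEGORY)) {
    const state = choices[category] === true ? 'granted' : 'denied';
    for (const key of keys) signals[key] = state;
  }
  return signals;
}

function createConsentController(dataLayer) {
  // Same shape as the gtag() helper in Google's snippet: push the arguments object.
  function gtag() { dataLayer.push(arguments); }
  let current = {};

  // Must run before any Google tag is loaded, so nothing starts as "granted".
  gtag('consent', 'default', toConsentSignals(current));

  return {
    // Called when the user saves the preference centre, including withdrawal.
    save(choices) {
      current = { ...choices };
      const signals = toConsentSignals(current);
      gtag('consent', 'update', signals);
      return signals;
    },
    // Gate script injection: the tag itself is not loaded without consent.
    mayLoad(category) {
      return current[category] === true;
    },
  };
}
```

On a page this would be created with `window.dataLayer = window.dataLayer || []` passed in, and the GA4 script element injected only once `mayLoad('analytics')` returns true.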
The same rules apply to marketing pixels. The Meta Pixel, LinkedIn Insight Tag, and Google Ads remarketing tags all place cookies that track user behaviour for advertising purposes. None of these qualify as strictly necessary, and all require prior consent.
Server-side tracking does not avoid the consent requirement. If the technology accesses or stores information on the user's device, or if it processes personal data, the same rules apply regardless of whether the processing happens client-side or server-side.
For more on managing your obligations with third-party tools, see our guide on data processing agreements.
How do you write a cookie policy?
Your cookie policy is the detailed disclosure document that sits behind your consent banner. It must explain clearly what cookies your website uses and why.
Include the following for each cookie or tracking technology:
- Cookie name and provider
- Purpose (what it does and why)
- Duration (session or persistent, and how long it lasts)
- Type (strictly necessary, analytics, marketing, functional)
- Whether it is a first-party or third-party cookie
Link your cookie policy to your privacy policy. The two documents address different but overlapping obligations: your privacy policy covers all personal data processing, while your cookie policy focuses specifically on tracking technologies.
Keep the policy up to date. Every time you add a new tool, plugin, or tracking script, check whether it sets cookies and update your policy accordingly. We tend to see that many CMPs include automated cookie scanning that can flag new cookies, but manual review is still necessary.
Make the cookie policy accessible from every page of your website, typically through a footer link.
How does the DPC enforce cookie compliance?
The DPC has taken an active approach to cookie enforcement. In 2019-2020, it conducted a cookie sweep of 38 major Irish websites. The results were striking: 35 of 38 were found significantly non-compliant on transparency and consent. The most common failures included:
- Cookies firing before any consent was obtained
- No option to reject non-essential cookies
- Accept buttons given more prominence than reject options
- Insufficient information about what cookies were used and why
- No mechanism for users to change their preferences after initial choice
Following the sweep, the DPC gave organisations a six-month grace period to achieve compliance. Since then, enforcement expectations have only increased. The DPC's powers include reprimands, orders to bring processing into compliance, and administrative fines.
While the largest Irish data protection fines have targeted big tech companies, the DPC has made clear that cookie compliance applies to all organisations operating websites aimed at Irish users, regardless of size.
What should you watch for next?
The EU has been working on an ePrivacy Regulation to replace the current ePrivacy Directive since 2017. As of March 2026, no final agreement has been reached, and the existing rules under SI 336/2011 continue to apply in Ireland.
When the ePrivacy Regulation eventually passes, it will apply directly across all EU member states without needing national transposition. This could change specific requirements around consent mechanisms, cookie wall rules, and exemptions for certain types of analytics. Until then, the current framework remains the standard.
For Irish businesses, the practical advice is straightforward: implement a compliant cookie banner now, maintain an accurate cookie policy, and review both whenever you change the tools on your website. The DPC has drawn its line, and the direction of travel is toward stricter enforcement, not looser requirements.
For a broader view of your data protection obligations, see our GDPR compliance guide for startups.

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.













