Cookie consent in Ireland: DPC rules your website must follow
3 April 2026
Cookie consent in Ireland is governed by SI 336 of 2011 – the Irish transposition of the EU ePrivacy Directive – and reinforced by GDPR where cookies involve personal data processing. The Data Protection Commission (DPC) has made cookie compliance a stated enforcement priority, and has initiated own-volition investigations into cookie banners across Irish websites.
Here is what your website must do.
The core rule: consent before cookies
Under SI 336 of 2011, you must obtain the user's consent before storing or accessing any information on their device that is not strictly necessary for the service they have specifically requested.
In practice: no tracking scripts, analytics cookies, advertising pixels, or social media widgets should load until the visitor actively accepts them.
Strictly necessary cookies (no consent needed):
- Session cookies for login and shopping basket
- Security cookies (CSRF tokens, authentication)
- Load balancing cookies
- The cookie that stores the visitor's consent preference
Everything else requires consent:
- Google Analytics, Google Tag Manager
- Facebook/Meta Pixel
- LinkedIn Insight Tag
- Hotjar, Microsoft Clarity
- Advertising and retargeting scripts
- Social share buttons that set cookies
- Google Fonts if loaded from Google's servers (transmits IP addresses)
DPC position on dark patterns
The DPC has been explicit: cookie banners that use design techniques to steer users towards accepting cookies are dark patterns that undermine valid consent.
The DPC considers these practices problematic:
| Practice | Why it's a dark pattern |
|----------|------------------------|
| Accept button is larger or more colourful than Reject | Creates visual pressure to accept |
| "Reject" requires 3-5 clicks; "Accept" requires 1 | Asymmetric effort undermines free choice |
| Checkboxes for optional cookies pre-ticked | Consent must be an active opt-in |
| "Manage Preferences" hidden in small print | Obscuring the reject path |
| Banner reappears repeatedly until user accepts | Harassment pattern |
| "We value your privacy" language before accept prompt | Misleading framing |
The DPC's approach aligns with EDPB (European Data Protection Board) Guidelines 03/2022 on dark patterns, which it has formally endorsed.
The DPC enforcement mechanism: what it can and can't do
This is important and often misunderstood:
Under SI 336 of 2011 (ePrivacy): The DPC cannot issue direct administrative fines for cookie violations. It can serve enforcement notices and prosecute violations as criminal offences through the courts.
Under GDPR (Data Protection Act 2018): Where cookie activity involves processing personal data (which analytics cookies always do – they transmit IP addresses), the DPC can apply GDPR enforcement powers. These include fines up to €20 million or 4% of global annual turnover.
In practice, this means serious cookie violations – particularly large-scale pre-consent tracking – can attract GDPR-level fines.
The DPC has also conducted "sweeps" of Irish websites specifically looking at cookie compliance, publishing findings and issuing letters to website operators whose banners fail the basic requirements.
What "prior consent" actually means
Consent under SI 336 and GDPR must be:
- Freely given – refusing cookies must be as easy as accepting them
- Specific – separate consent for analytics, marketing, functional cookies
- Informed – users must understand what they're consenting to
- Unambiguous – a clear affirmative action, not pre-ticked boxes or continued browsing
- Withdrawable – users must be able to change their mind at any time
A cookie banner that says "By continuing to use our website, you consent to cookies" does not meet the standard.
Common implementation failures for Irish websites
Failure 1: Google Analytics loads on every page visit
The most frequent violation. GTM is installed, Google Analytics fires on page load, before any consent interaction. Fix: implement proper consent mode blocking in GTM.
Failure 2: Banner exists but doesn't block scripts
The banner appears, the user clicks "Reject", but tracking scripts load anyway. This happens when the CMP (consent management platform) is misconfigured or overridden by hard-coded analytics tags. Our scanner tests this specifically.
Failure 3: Cookie preferences not remembered
The banner reappears on every visit. Either the consent cookie isn't being set, or it has a very short expiry. The consent record should be stored for at least 6-12 months.
Failure 4: Free WordPress plugin with default settings
Many free cookie plugins default to compliance-light configurations – pre-ticked boxes, no "Reject All" button, or banners that don't actually block scripts. Check your specific plugin's documentation.
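The first three failures come down to the same missing piece: a consent record that is written once, read on every page, and consulted before any tag is injected. The sketch below is an added example, not code from this site or from any CMP; the cookie name `cookie_consent`, the record format and the tag inventory are assumptions made for illustration.

```javascript
// Added example: hypothetical cookie name, record format and tag list.
const CONSENT_COOKIE = "cookie_consent";   // assumed name
const MAX_AGE_S = 60 * 60 * 24 * 182;      // ~6 months, the lower bound given above
const CATEGORIES = ["analytics", "marketing", "functional"];

// Serialise the visitor's choice. Anything that is not literally `true`
// is stored as refused, so nothing is ever opted in by default.
function buildConsentCookie(choices, nowMs) {
  const record = { ts: nowMs };
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_S}; Path=/; SameSite=Lax; Secure`;
}

// Read the record from a Cookie header or document.cookie string.
// Missing, malformed or stale records yield "nothing granted".
function readConsent(cookieString, nowMs) {
  const none = { decided: false, analytics: false, marketing: false, functional: false };
  const pair = cookieString.split(/;\s*/).find((p) => p.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return none;
  try {
    const rec = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (typeof rec.ts !== "number" || nowMs - rec.ts > MAX_AGE_S * 1000) return none;
    const out = { decided: true };
    for (const c of CATEGORIES) out[c] = rec[c] === true;
    return out;
  } catch {
    return none;
  }
}

// Decide which tags may be injected. Only "necessary" loads without consent.
function allowedTags(tags, consent) {
  return tags.filter((t) => t.category === "necessary" || consent[t.category] === true);
}

// Constructed tag inventory for illustration.
const TAGS = [
  { name: "csrf-token", category: "necessary" },
  { name: "google-analytics", category: "analytics" },
  { name: "meta-pixel", category: "marketing" },
];
```

The banner should be shown only while `readConsent(...).decided` is false, and hard-coded tags outside this gate defeat it, which is the situation described in Failure 2.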
Our scanner tests whether your banner actually works
Most tools check whether a banner exists. We check whether it works – by simulating a visitor clicking "Reject All" and then measuring what scripts and cookies are still active.
This is how the DPC investigates complaints: they test the actual behaviour, not just the presence of a banner.
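The behavioural check can be reproduced on your own site by recording the request URLs and cookie names present after clicking "Reject All" (for example from the browser's network and storage panels) and classifying them. This is an added example, not the scanner's code; the capture is constructed, and the host and cookie patterns are a small assumed sample for the vendors named in this article, not a complete list.

```javascript
// Added example: constructed capture; patterns are an illustrative sample only.
const TRACKER_HOSTS = {
  "google-analytics.com": "Google Analytics", "googletagmanager.com": "Google Tag Manager",
  "connect.facebook.net": "Meta Pixel", "snap.licdn.com": "LinkedIn Insight Tag",
  "hotjar.com": "Hotjar", "clarity.ms": "Microsoft Clarity",
  "fonts.googleapis.com": "Google Fonts",
};
const TRACKER_COOKIES = [
  [/^_ga($|_)/, "Google Analytics"], [/^_gid$/, "Google Analytics"],
  [/^_fbp$/, "Meta Pixel"], [/^_hj/, "Hotjar"], [/^_cl[cs]k$/, "Microsoft Clarity"],
];

// Match a hostname against a domain on a label boundary, so a lookalike
// such as "google-analytics.com.lookalike.example" is not flagged.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// capture = { requests: [url, ...], cookies: [name, ...] } recorded AFTER "Reject All".
function auditAfterReject(capture) {
  const findings = [];
  for (const url of capture.requests) {
    let host;
    try { host = new URL(url).hostname.toLowerCase(); } catch { continue; }
    for (const [domain, vendor] of Object.entries(TRACKER_HOSTS)) {
      if (hostMatches(host, domain)) findings.push({ type: "request", vendor, evidence: url });
    }
  }
  for (const name of capture.cookies) {
    const hit = TRACKER_COOKIES.find(([re]) => re.test(name));
    if (hit) findings.push({ type: "cookie", vendor: hit[1], evidence: name });
  }
  return { pass: findings.length === 0, findings };
}

// Constructed sample: a site whose banner does not actually block scripts.
const SAMPLE = {
  requests: [
    "https://shop.example/assets/app.js",
    "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
    "https://www.google-analytics.com/g/collect?v=2",
    "https://google-analytics.com.lookalike.example/x.js",
  ],
  cookies: ["PHPSESSID", "cookie_consent", "_ga", "_ga_ABC123", "_gid"],
};
```

For `SAMPLE`, `auditAfterReject` reports two tracker requests and three tracker cookies, so the banner fails even though it is present on the page.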
Sources
- SI 336 of 2011 – Irish Statute Book
- DPC – Guidance on cookies and other tracking technologies
- EDPB Guidelines 03/2022 on dark patterns
This is technical analysis, not legal advice.