AI-Built Website Liability in Ireland
Steven | TrustYourWebsite · 15 May 2026 · Last updated: May 2026
Your developer built your site in three days using Cursor and Claude. Six months later the Data Protection Commission sends a letter about cookies firing before consent. The developer is asking ChatGPT whether you can blame the AI. The short answer is no, and this article walks through who actually pays.
Why Irish operators sit at the sharp end of AI-website enforcement
Ireland is the lead supervisory authority under GDPR for most of the world's largest technology companies, because Meta, Google, Microsoft, X, TikTok and Apple all hold their EU headquarters in Dublin. That fact shapes the Data Protection Commission's enforcement priors in ways that matter for small Irish businesses too. The DPC processes very large cross-border investigations and issues some of the largest GDPR fines in the EU, and that institutional posture filters down into how it reviews smaller domestic websites. An Irish operator running a six-page restaurant booking site is held to the same Data Protection Act 2018 (No. 7 of 2018) and Article 5 GDPR principles as the Dublin office of a Fortune 500 platform. The DPC has limited resources and prioritises systemic cases, but a complaint from a single Irish consumer about an AI-built site can and does trigger an inquiry. Pretending the supervisory authority is too busy for small operators is not a safe assumption.
The relevant Irish statute book sits in four layers. The Data Protection Act 2018 implements the GDPR's flexibility provisions, including the lawful basis exceptions, age of digital consent (16, per section 31) and DPC powers. The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336 of 2011) transpose the ePrivacy Directive and supply the cookie-and-tracking rules the DPC enforces in parallel with GDPR. The European Union (Accessibility Requirements of Products and Services) Regulations 2023 (S.I. No. 636 of 2023) transpose the European Accessibility Act, and they make Ireland the only EU member state that attaches criminal liability to non-compliance for in-scope services after 28 June 2025. Sitting alongside these is the Consumer Protection Act 2007 enforced by the Competition and Consumer Protection Commission, which can capture misleading practices that arise from how the AI-built site is sold to consumers. The 2024 Product Liability Directive 2024/2853 layers a strict-liability claim path on top for damage to natural persons from defective AI products, applicable from 9 December 2026.
Two Irish enforcement bodies bear watching specifically for AI websites. The DPC, based at 21 Fitzwilliam Square in Dublin, runs the dominant supervisory function for everything touching personal data. Its commissioners are Des Hogan and Dale Sunderland, having succeeded Helen Dixon in 2024, and the supervisory approach has continued to emphasise consent quality, transparency under Article 13 and accountability for cross-border transfers post Schrems II. Coimisiún na Meán, established under the Online Safety and Media Regulation Act 2022, is the Irish digital services coordinator under the DSA and is the likely competent authority for parts of the EU AI Act when the Irish transposing legislation lands. The split between the DPC and Coimisiún na Meán on AI-Act competences is not finalised in Irish law as of May 2026; the AI Act itself sets a 2 August 2025 deadline for member states to designate competent authorities, and Ireland's designation pipeline is running through the Department of Enterprise, Trade and Employment.
Irish freelance-developer practice and agency contracts also create some specific exposure shapes that do not match the typical Dutch or French situation. Most Irish micro-agencies operate as limited companies under the Companies Act 2014 with paid-up share capital of one euro, which makes contractual recourse against the agency a thin remedy when something goes wrong. The Sale of Goods and Supply of Services Act 1980, section 39, implies that a service will be supplied with due skill, care and diligence, and this is the section an unhappy operator would invoke against an agency that built a non-compliant site. In practice, however, the remedy is litigation in the Circuit Court for under €75,000 or the High Court above that, and the limited-liability structure of the agency means a judgment may not be collectable. The DPC fine, by contrast, lands on the controller directly and is enforceable without recourse to the agency. That asymmetry is why the operator carries the weight in real-world terms, not the developer who shipped the code.
Cross-border posture matters in two specific Irish situations. Selling into Northern Ireland engages the UK GDPR and the UK ICO, not the DPC, for that activity, because UK-NI is outside the EU GDPR scope. The Information Commissioner's Office position on AI-generated content and cookie banners diverges from the DPC in detail (the ICO Opinion on PECR cookie compliance is materially more permissive than the EDPB's revised consent guidelines from 2024), and an operator selling cross-border has to map to both regimes. Selling into the Republic from a Northern Ireland or Great Britain base reverses the picture: the operator is in the UK regime for processing in the UK but in the GDPR scope for offering goods or services to data subjects in the Republic, under Article 3(2). That dual exposure is a routine fact pattern for Irish small businesses with cross-border customer bases.
The short answer: you do
Article 4(7) of the GDPR defines the controller as the natural or legal person that determines the purposes and means of processing personal data. The site operator decides what cookies fire, which analytics load, what the contact form does and where the data goes. The AI tool that wrote the code is neither a controller nor a processor for the site's visitors. It processed the developer's prompt, which is a separate transaction with a separate counterparty.
The Data Protection Commission cares about who runs the website. That is whoever the CRO record names, whoever the privacy notice identifies, whoever cashes the payments. The DPC will not ask which tool wrote the cookie banner.
Why the AI tool is not on the hook, yet
Three structural facts keep the AI vendor out of the chain.
First, the major AI coding tools' terms of service push responsibility for outputs onto the user. The pattern is consistent across OpenAI, Anthropic, GitHub Copilot, Cursor and Lovable as of May 2026. Outputs are provided as is. The user verifies them. The user indemnifies the provider against third-party claims arising from outputs. When the developer accepts the code Cursor suggested, the legal weight of that decision lands on the developer, not on Cursor.
Second, the AI provider is not a controller or a processor for the site's visitors. The EDPB's December 2024 opinion on AI models was requested by the DPC and puts this allocation up front: roles and responsibilities must be defined before processing takes place, and a deployer of an AI model carries its own accountability obligations even where the model was developed by someone else. That deployer is the site operator, on the operator's domain, processing the operator's data subjects.
Third, the proposed AI Liability Directive that was meant to harmonise this is gone. The Commission listed it for withdrawal in its 2025 work programme on 11 February 2025, and the withdrawal was published in OJ C/2025/5423 on 6 October 2025. The clean rules expected in 2026 are not arriving.
What about the developer that used the AI?
The agency-client liability chain pre-dates AI by decades. The same logic that applies to a developer who used unlicensed images applies to one who used an AI assistant to write code. How web designer liability works under EU law covers the underlying framework. The operator is on the public-facing hook to the regulator and the data subject. The operator-developer relationship is internal and contractual.
The AI layer adds one structural fact. The developer's contract with the AI provider almost always indemnifies the provider, not the developer or its client. The operator never had a contract with the AI vendor. The developer did. The developer promised the vendor that they, the developer, would carry the risk of using the outputs. That promise does not flow through to the operator, and it does not open a route to the AI provider's legal team.
In practice the contract between the operator and the developer is the only document that matters when the operator wants to push the cost back. If the contract is silent on compliance warranties, AI-use disclosure and indemnification, the operator is negotiating from a weak position.
What changes on 9 December 2026, and what does not
Directive (EU) 2024/2853, the new Product Liability Directive, treats software and AI systems as products under Article 4. Member States, Ireland included, must transpose it by 9 December 2026 under Article 24. From that date it applies to products placed on the market or put into service after the cutover. Pre-existing products stay under Directive 85/374/EEC.
For the AI-built website question this matters in a narrow way. From late 2026 a person who suffers material harm because of a defective AI tool may pursue the AI tool provider directly under a no-fault regime. Open source software developed outside a commercial activity is excluded under Article 2(2), but the commercial coding assistants are squarely in scope. The claim is for damage to natural persons. It is not a route for the operator to recover a GDPR fine, and it does not retroactively cover sites built before the cutover.
What does not change on 9 December 2026: who the controller is, who the DPC enforces against and who pays a GDPR fine. The PLD adds a new line of claim against the AI provider for a narrow set of harms. It does not subtract the existing line of liability against the operator. The Directive is enough of its own topic to deserve a dedicated guide.
Three practical scenarios
The AI-built cookie banner has no working reject-all button. The DPC enforces against the operator under the SI 336/2011 ePrivacy Regulations (the Irish transposition of ePrivacy Directive 2002/58/EC) and Article 4(11) GDPR. The developer may be liable to the operator in contract, but only if the contract said the deliverable would meet cookie law. Whether your site needs a cookie banner is the cheapest question to answer correctly before launch.
The AI-built contact form ships data to a US analytics service without an SCC arrangement. That is a Chapter V GDPR breach, enforced against the operator. The DPC's enforcement record against Meta and Microsoft on US transfers makes Ireland a particularly weak jurisdiction to test this question. The developer may have used a default Cursor or Claude pattern that hard-coded the third party. The developer owes a fix and, if the contract is good, the fine.
The AI-generated alt text is wrong or missing on most images. The European Accessibility Act treats the business operating the site as the economic operator. From 28 June 2025 most B2C webshops above the SME thresholds need WCAG 2.1 AA alt text on functional images. The EAA penalties under Irish enforcement point at the operator, not the AI. AI-generated alt text that hallucinates is worse than no alt text in that context, because a screen reader reads it confidently to a blind visitor.
How to push the risk back to your developer
The contract is the only lever. Before signing, insist on:
- An indemnification clause that names the operator and covers third-party claims arising from non-compliance of the delivered site.
- A compliance warranty: the developer warrants the site meets GDPR, the SI 336/2011 ePrivacy Regulations, EAA obligations and applicable consumer law at delivery.
- A disclose-AI-use clause: the developer lists which AI tools generated which deliverables. Not as a liability shield, as input to the operator's own AI Act Article 50 transparency obligations from 2 August 2026 if any AI-generated copy or images are on the site.
- A right-to-scan clause: the operator may run a compliance scan before sign-off and any criticals must be fixed.
- A post-delivery support window: the developer fixes compliance defects found within the first 90 days at their own cost.
A developer that resists these clauses is signalling they are not confident in what they are delivering.
What to check on your own site today
Five things you can verify without a developer. Two minutes per check.
- The cookie banner has a reject-all button that is as visible as accept-all and does not pre-tick anything.
- Analytics and marketing scripts load only after consent is given.
- The privacy notice is in your actual company name and CRO number, not a placeholder like [Your Company] left over from an AI template.
- Alt texts are present on key product images and describe the image rather than just saying "image of".
- A keyboard-only visitor can reach the main pages and the checkout without a mouse.
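Several of these checks can be scripted against the HTML your server returns before any consent is given. The sketch below is an added example, not the scanner mentioned in this article; the tracker host list, the type="text/plain" gating convention and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative tracker hosts (assumption); extend with whatever your site embeds.
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")
PLACEHOLDER = re.compile(r"\[(?:your|company|insert)[^\]]*\]", re.I)
LAZY_ALT = re.compile(r"^\s*(image|picture|photo)( of)?\s*$", re.I)

class PageAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._skip = 0  # depth inside <script>/<style>, whose text is not visible copy

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            tracker = any(host == h or host.endswith("." + h) for h in TRACKER_HOSTS)
            # Assumed gating convention: consent tools mark blocked scripts type="text/plain".
            if tracker and (a.get("type") or "").lower() != "text/plain":
                self.findings.append(("tracker-before-consent", host))
        elif tag == "img":
            alt = a.get("alt")  # alt="" is valid for decorative images and is not flagged
            if alt is None or LAZY_ALT.match(alt):
                self.findings.append(("alt-missing" if alt is None else "alt-generic", a.get("src", "")))
        elif tag == "input" and a.get("type") == "checkbox" and "checked" in a:
            self.findings.append(("pre-ticked-checkbox", a.get("name", "")))  # review by hand

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            for m in PLACEHOLDER.finditer(data):
                self.findings.append(("template-placeholder", m.group(0)))

def audit(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<script src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" src="https://connect.facebook.net/en_US/fbevents.js"></script>
<p>This notice is issued by [Your Company], CRO number [insert].</p>
<img src="/shoe.jpg" alt="image of"><img src="/hat.jpg"><img src="/rule.png" alt="">
<input type="checkbox" name="marketing" checked> Marketing cookies"""
```

A static pass like this only sees scripts present in the served HTML; trackers injected at runtime by a tag manager still need a check in the browser's network tab with no consent given.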
If any of these are uncertain, our free compliance scan checks GDPR, cookies, accessibility and image rights. It will not tell you whether your AI tools are legal. It will tell you whether the site they helped build is.
Common Questions
If my developer used Lovable, Bolt or v0 to build my Irish site, am I liable for compliance issues?
Yes. Under Article 4(7) GDPR you are the controller, regardless of whether the code was written by a human or an AI tool. The Data Protection Commission enforces against the controller, not the tool.
Can I sue OpenAI or Anthropic if their tool produced non-compliant code?
Almost never. You have no contract with them as an end user of a tool your developer picked. Their terms of service push responsibility for outputs onto the user. From 9 December 2026 the new Product Liability Directive opens a narrow no-fault path for damage to natural persons, but only for products placed on the market after that date.
Does the EU AI Act mean my AI-built site needs disclosure in Ireland?
It depends what the AI generated. From 2 August 2026 Article 50 of the AI Act requires labelling of AI-generated images, audio, video and text where a reasonable person could be misled, plus deepfake labelling. Code itself is not in scope. AI-generated copy or images on your site need a labelling approach.
What changes on 9 December 2026 with Directive 2024/2853?
Ireland must transpose the new Product Liability Directive by that date. From then the Directive treats software and AI systems as products and opens a no-fault claim path against the producer for damage to natural persons, but only for products placed on the market after 9 December 2026. Your controller obligations under GDPR do not change.
Did the AI Liability Directive not solve all this?
It would have, if it had passed. The Commission listed the proposed AI Liability Directive for withdrawal in its 2025 work programme on 11 February 2025. Formal withdrawal was published in OJ C/2025/5423 on 6 October 2025.
Related reading
If you want to go further on the questions this article touched on:
- The agency-client liability chain pre-dates AI. How web designer liability works under EU law covers the framework before the AI layer.
- The 9 December 2026 shift. The new Product Liability Directive deserves its own treatment.
- AI Act transparency obligations from 2 August 2026. What the AI Act actually requires of website owners is the next article in this cluster.
- The cookie banner is where most AI-built sites fail first. Whether your site needs a cookie banner is the cheapest question to answer correctly.
- The fine ranges that make this question worth asking. GDPR compliance for Irish businesses explains the real exposure.
This article is technical analysis, not legal advice. The author is not your solicitor and is not your registered controller. For a binding view, talk to one of those.