Cookie consent in Ireland: DPC SI 336/2011 rules

Cookie consent in Ireland is governed by SI 336 of 2011, the Irish transposition of the EU ePrivacy Directive, reinforced by GDPR where cookies involve personal data processing. The Data Protection Commission (DPC) has made cookie compliance a stated enforcement priority and has initiated own-volition investigations into cookie banners across Irish websites.

You can run a free scan of your cookie banner in under two minutes. The scanner clicks reject and checks whether trackers keep firing. That is exactly how the DPC tests complaints.

Here is what your website must do.

---

The core rule: consent before cookies

Under SI 336 of 2011, you must obtain the user's consent before storing or accessing any information on their device that is not strictly necessary for the service they have specifically requested.

In practice no tracking scripts, analytics cookies, advertising pixels or social media widgets should load until the visitor actively accepts them.

Cookie categories at a glance

Google Fonts loaded from Google's own servers transmits the visitor IP to a third country and is treated by the DPC as outside the strictly necessary band. Self-host the font files or load through a consent gate.

---

DPC position on dark patterns

The DPC has been explicit. Cookie banners that use design techniques to steer users towards accepting cookies are dark patterns that undermine valid consent.

The DPC considers these practices problematic:

The DPC's approach aligns with EDPB Guidelines 03/2022 on deceptive design patterns, which it has formally endorsed.

A picture of the asymmetry

<svg viewBox="0 0 600 220" xmlns="http://www.w3.org/2000/svg" role="img" aria-label="Asymmetric cookie banner with a large green Accept button next to a small grey Reject link" style={{ maxWidth: '100%', height: 'auto', border: '1px solid #e5e7eb', borderRadius: '8px', background: '#ffffff' }}>

<title>Asymmetric cookie banner</title> <rect x="20" y="20" width="560" height="180" fill="#f9fafb" stroke="#d1d5db" strokeWidth="1" rx="6" /> <text x="40" y="50" fontFamily="system-ui, sans-serif" fontSize="13" fontWeight="600" fill="#111827">We value your privacy</text> <text x="40" y="74" fontFamily="system-ui, sans-serif" fontSize="11" fill="#6b7280">We and our 214 partners use cookies to improve your experience.</text> <text x="40" y="90" fontFamily="system-ui, sans-serif" fontSize="11" fill="#6b7280">By clicking Accept you agree to analytics and marketing cookies.</text> <rect x="380" y="140" width="180" height="44" fill="#16a34a" rx="6" /> <text x="470" y="167" fontFamily="system-ui, sans-serif" fontSize="14" fontWeight="600" fill="#ffffff" textAnchor="middle">Accept all</text> <text x="60" y="167" fontFamily="system-ui, sans-serif" fontSize="11" fill="#9ca3af" textDecoration="underline">Manage</text> <text x="40" y="200" fontFamily="system-ui, sans-serif" fontSize="10" fill="#dc2626">Asymmetric design. The DPC reads this as pressure to accept.</text> </svg>

---

The DPC enforcement mechanism: what it can and cannot do

This is important and often misunderstood.

Under SI 336 of 2011 (ePrivacy): The DPC cannot issue direct administrative fines for cookie violations. It can serve enforcement notices and prosecute violations as criminal offences through the courts.

Under GDPR (Data Protection Act 2018): Where cookie activity involves processing personal data (which analytics cookies always do because they transmit IP addresses) the DPC can apply GDPR enforcement powers. These include fines up to EUR 20 million or 4 percent of global annual turnover.

In practice serious cookie violations, in particular large-scale pre-consent tracking, can attract GDPR-level fines.

The DPC has also conducted sweeps of Irish websites specifically looking at cookie compliance, publishing findings and issuing letters to website operators whose banners fail the basic requirements.

---

What "prior consent" actually means

Consent under SI 336 and GDPR must be:

• Freely given. Refusing cookies must be as easy as accepting them.
• Specific. Separate consent for analytics, marketing and functional cookies.
• Informed. Users must understand what they are consenting to.
• Unambiguous. A clear affirmative action, not pre-ticked boxes nor continued browsing.
• Withdrawable. Users must be able to change their mind at any time.

A cookie banner that says "By continuing to use our website, you consent to cookies" does not meet the standard. The CJEU confirmed this in Planet49 (C-673/17).

---

Common implementation failures for Irish websites

Failure 1: Google Analytics loads on every page visit. The most frequent violation. Google Tag Manager is installed, Google Analytics fires on page load, before any consent interaction. Fix: implement proper consent mode blocking in Google Tag Manager.

Failure 2: Banner exists but does not block scripts. The banner appears, the user clicks Reject but tracking scripts load anyway. This happens when the consent management platform is misconfigured or overridden by hard-coded analytics tags. Our scanner tests this specifically.

Failure 3: Cookie preferences not remembered. The banner reappears on every visit. Either the consent cookie is not being set or it has a very short expiry. The consent record should be stored for at least 6 to 12 months.

Failure 4: Free WordPress plugin with default settings. Many free cookie plugins default to compliance-light configurations including pre-ticked boxes, no Reject All button or banners that do not actually block scripts. Check your specific plugin documentation.

---

Our scanner tests whether your banner actually works

Most tools check whether a banner exists. We check whether it works by simulating a visitor clicking Reject All and then measuring what scripts and cookies are still active.

This is how the DPC investigates complaints. They test the actual behaviour, not just the presence of a banner.

Test your cookie banner for free

---

How Irish DPC cookie enforcement has evolved 2020 to 2026

The DPC cookie timeline tells you how the regulator's thinking shifted from warning to action.

April 2020. The DPC published its cookie sweep report after examining 38 Irish websites across publishing, retail, hospitality, insurance, sport plus public sector. 35 of the 38 failed at least one compliance test. The DPC issued a Guidance Note alongside the sweep and gave six months to comply.

October 2020. The grace period ended. The DPC started engaging with individual sites that remained non-compliant.

2021 to 2022. Enforcement on cookies was mostly by reprimand plus negotiated commitment rather than fines. This gave the DPC a chance to test arguments and build case law.

2023. The DPC opened public investigations into specific high-traffic sites. Settlement negotiations replaced some of these but the message landed.

2024 to 2025. The DPC reissued guidance clarifying two points. First, analytics cookies need consent without exception. Second, cookie banners that make reject harder than accept are a transparency failure, not just a consent failure.

2026. Current DPC priorities include cookie banner dark patterns, consent renewal intervals plus cross-border coordination with the CNIL on cookie cases that span multiple jurisdictions.

The lesson for Irish SMBs is that the DPC prefers to educate before it fines, but the educate phase is over. Banners that were acceptable in 2022 are not acceptable in 2026.

---

Where the DPC differs from other EU regulators

Irish regulators do not operate in a vacuum. The EDPB coordinates the European DPAs and publishes common guidelines. Each regulator interprets close cases differently. The differences matter if your site is multi-national.

For an Irish site targeting only Ireland, follow DPC guidance. For an Irish site targeting the EU, configure for the strictest of the DPC, CNIL plus APD positions. That is the APD position today.

---

Four mistakes Irish SMBs keep making

After several hundred scans on Irish business sites these four issues appear in roughly 80 percent of audits.

Analytics before consent. Google Analytics or Plausible or Matomo is loaded in the <head> and fires on every page view regardless of the cookie banner state. The fix is loading the script only after the consent event. Most consent management platforms support this. Home-grown banners often do not.

"Accept all" but no "Reject all" at level one. The user sees Accept in a bright button. The alternatives are Manage or Settings in a muted link. The DPC guidance says reject must be as easy as accept. If reject requires a second click, it is not.

Pre-ticked boxes in the settings panel. The main banner has Accept plus Manage. The user clicks Manage. The panel shows four categories all pre-toggled to on. Pre-ticked is an old habit that died in 2020 EDPB guidance. It should not appear on any Irish site in 2026.

No proof of consent. The site stores a cookie called cookie_consent=accepted with a date. That is a preference record, not a proof. If the DPC asks how you know user X consented on 12 March 2025, you need a timestamped log with the banner version shown, the choices offered plus the user's selection. Consent management platforms do this automatically.

The free scan catches all four in one pass. For manual testing, open the browser devtools Network tab, reload the page and watch what fires before you click anything. If third-party requests to Google Analytics, Meta or similar domains appear before consent, you have problem number one.

---

Sources

• SI 336 of 2011, Irish Statute Book
• DPC, Guidance on cookies and other tracking technologies
• EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces (version 2.0, adopted 14 February 2023)
• CJEU Planet49 (C-673/17)

---

This is technical analysis, not legal advice.