Do I need a cookie banner in Ireland? DPC SI 336 rules
Steven | TrustYourWebsite · 12 May 2026 · Last updated: May 2026
If you run a website for a Dublin restaurant, a Cork shop or an Irish online store, you almost certainly need a cookie banner. Ireland's Data Protection Commission (DPC) has named cookies as a priority area. The Irish ePrivacy Regulations require consent before any non-essential tracker loads. You can check your Irish site for cookie issues in 60 seconds.
Does your cookie banner actually work?
We test whether trackers fire before consent and keep running after rejection.
I understand this is a technical scan, not legal advice, and I accept the Terms.
What Irish law actually says
Cookie consent in Ireland sits on two stacked legal foundations.
- SI 336 of 2011 (the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011) transposes the EU ePrivacy Directive. Regulation 5(3) requires prior consent before storing or accessing information on a user's device.
- GDPR applies on top whenever those cookies process personal data. Analytics and advertising cookies almost always do, because they capture IP addresses and device identifiers.
The DPC's guidance on cookies and other tracking technologies makes the same point in plainer language. Consent must be a clear, affirmative, informed and unambiguous act before the cookie fires, not after.
When you need a banner and when you don't
Most cookie questions come down to one decision tree. Use the table below.
| Your website does this | Banner required? | Why |
|---|---|---|
| Loads Google Analytics or GA4 | Yes | Sets _ga cookies and sends IP plus device data to Google |
| Embeds Facebook Pixel, TikTok Pixel or LinkedIn Insight Tag | Yes | Drops tracking cookies for ad retargeting |
| Uses Hotjar, Microsoft Clarity or other session replay | Yes | Captures behavioural data linked to a device ID |
| Embeds YouTube videos in standard mode | Yes | Loads DoubleClick advertising cookies before play |
| Has Google Maps with the default API | Yes | Sets NID advertising cookie on load |
| Uses only a session cookie for login or basket | No | Strictly necessary under Regulation 5(5) |
| Stores the visitor's own cookie preference | No | Required to remember their consent choice |
| Stores a CSRF anti-forgery token | No | Security cookie, strictly necessary |
| Static brochure site with no third-party scripts | No | But still mention this in your privacy policy |
If a single row in the top half of that table applies to you, you need a working banner that blocks the script until the visitor accepts. A privacy policy alone is not enough.
Which trackers need consent under SI 336
The table below maps the trackers we see most often on Irish small business sites to the consent treatment the DPC expects.
| Tracker type | Examples | Consent required | DPC treatment |
|---|---|---|---|
| Strictly necessary | Session, cart, CSRF, consent preference | No | Allowed by default under Reg. 5(5) |
| Analytics | Google Analytics, Plausible (cookie mode), Matomo (cookie mode) | Yes | Consent before script loads |
| Advertising | Facebook Pixel, Google Ads remarketing, TikTok Pixel | Yes | Consent plus separate purpose label |
| Social media | Embedded share widgets that drop cookies | Yes | Often missed, still requires consent |
| Session replay | Hotjar, Microsoft Clarity, FullStory | Yes | DPC treats as high-risk profiling input |
| Map and video embeds | Google Maps default mode, YouTube standard embed | Yes | Use privacy-enhanced mode or block until consent |
Plausible and Matomo can run cookieless. In that configuration they do not need consent under SI 336 because nothing is stored on the device. The moment you enable their cookie mode, they fall back into the analytics row above.
What a compliant Irish cookie banner looks like
The DPC and the EDPB both require symmetric reject and accept choices on the first layer. The two banners below show the contrast.
<svg viewBox="0 0 600 220" xmlns="http://www.w3.org/2000/svg" role="img" aria-label="Non-compliant Irish cookie banner with a single Accept all button and a small grey manage link, which breaches DPC guidance" style={{ maxWidth: '100%', height: 'auto', border: '1px solid #e5e7eb', borderRadius: '8px', background: '#ffffff' }}>
<title>Non-compliant Irish cookie banner</title> <rect x="20" y="20" width="560" height="180" fill="#f9fafb" stroke="#d1d5db" strokeWidth="1" rx="6" /> <text x="40" y="50" fontFamily="system-ui, sans-serif" fontSize="13" fontWeight="600" fill="#111827">We use cookies to improve your experience</text> <text x="40" y="72" fontFamily="system-ui, sans-serif" fontSize="11" fill="#6b7280">By continuing to browse this site you accept our use of cookies.</text> <rect x="40" y="120" width="220" height="48" fill="#16a34a" rx="6" /> <text x="150" y="150" fontFamily="system-ui, sans-serif" fontSize="14" fontWeight="700" fill="#ffffff" textAnchor="middle">Accept all</text> <text x="290" y="150" fontFamily="system-ui, sans-serif" fontSize="10" fill="#9ca3af" textDecoration="underline">manage preferences</text> <text x="40" y="190" fontFamily="system-ui, sans-serif" fontSize="10" fill="#dc2626" fontWeight="600">FAILS DPC: no reject-all on first layer, false hierarchy, implied consent by "continuing"</text> </svg><svg viewBox="0 0 600 220" xmlns="http://www.w3.org/2000/svg" role="img" aria-label="Compliant Irish cookie banner with equally weighted Accept all and Reject all buttons on the first layer" style={{ maxWidth: '100%', height: 'auto', border: '1px solid #e5e7eb', borderRadius: '8px', background: '#ffffff', marginTop: '12px' }}>
<title>Compliant Irish cookie banner</title> <rect x="20" y="20" width="560" height="180" fill="#f9fafb" stroke="#d1d5db" strokeWidth="1" rx="6" /> <text x="40" y="50" fontFamily="system-ui, sans-serif" fontSize="13" fontWeight="600" fill="#111827">Cookie choice</text> <text x="40" y="72" fontFamily="system-ui, sans-serif" fontSize="11" fill="#374151">We use analytics and advertising cookies only with your consent.</text> <text x="40" y="88" fontFamily="system-ui, sans-serif" fontSize="11" fill="#374151">You can change this any time via Cookie settings in the footer.</text> <rect x="40" y="120" width="160" height="44" fill="#1f2937" rx="6" /> <text x="120" y="148" fontFamily="system-ui, sans-serif" fontSize="13" fontWeight="700" fill="#ffffff" textAnchor="middle">Accept all</text> <rect x="220" y="120" width="160" height="44" fill="#1f2937" rx="6" /> <text x="300" y="148" fontFamily="system-ui, sans-serif" fontSize="13" fontWeight="700" fill="#ffffff" textAnchor="middle">Reject all</text> <rect x="400" y="120" width="160" height="44" fill="#ffffff" stroke="#1f2937" strokeWidth="1.5" rx="6" /> <text x="480" y="148" fontFamily="system-ui, sans-serif" fontSize="13" fontWeight="600" fill="#1f2937" textAnchor="middle">Customise</text> <text x="40" y="190" fontFamily="system-ui, sans-serif" fontSize="10" fill="#15803d" fontWeight="600">MEETS DPC: equal buttons on first layer, no implied consent, no pre-ticked boxes</text> </svg>A compliant Irish banner must:
- Block all non-essential scripts until the visitor makes a choice
- Offer reject-all on the same layer as accept-all with equal visual weight
- Label each purpose category clearly (Analytics, Advertising, Marketing)
- Never use pre-ticked boxes for non-essential cookies
- Honour withdrawal at any time, as easily as the original consent
- Refresh consent on a sensible cycle (six months has become the working norm across European authorities)
The EDPB's Guidelines 03/2022 on deceptive design patterns catalogue the manipulation techniques the DPC also rejects in its banner reviews.
DPC enforcement: the honest picture
There is an important Irish nuance to be honest about.
Under SI 336 alone, the DPC cannot issue direct administrative fines for cookie violations. Regulation 17 of SI 336 of 2011 creates summary criminal offences that the DPC prosecutes through the District Court. The maximum penalty on summary conviction is the standard class A fine under the Fines Act 2010, not a GDPR-scale percentage of turnover.
Where the same cookie also processes personal data, the full GDPR enforcement regime applies. Article 83 of GDPR sets the ceiling at €20 million or 4% of worldwide annual turnover, whichever is higher. Analytics and advertising cookies normally cross this line because they carry IP addresses and device identifiers, which the DPC and the European Court of Justice treat as personal data.
In practice the DPC focuses on the GDPR overlap. In a 2020 cookie sweep the DPC examined 38 controllers across public and private sector Irish websites and found 35 of them non-compliant with SI 336. Most issues were resolved through audit follow-up rather than prosecution, but the sweep set the public expectation for what a compliant banner looks like.
So the realistic risk for an Irish small business is not a single headline fine. It is: a complaint from a visitor, a DPC audit letter, a remediation deadline and the reputational drag of being on the public record as non-compliant.
Five steps to compliance this week
Step 1: Audit every script on your site.
Open your homepage in Chrome, press F12 and look at the Network tab. Anything that loads from googletagmanager.com, google-analytics.com, facebook.net, connect.facebook.net, tiktok.com, hotjar.com, clarity.ms, linkedin.com or similar is a tracker that needs consent under SI 336.
Step 2: Separate essential from non-essential.
Strictly necessary cookies (session, cart, CSRF, the consent preference itself) stay on by default. Everything else must be gated.
Step 3: Choose a banner tool that actually blocks scripts.
Look at consent management tools built for the EU market, such as Cookiebot, Iubenda, OneTrust, Termly or Usercentrics. The critical feature is script-level blocking, not just hiding a banner. A DIY banner that drops cookies anyway is worse than no banner because it documents the violation in your own code.
Step 4: Write a privacy policy that matches the banner.
Your privacy notice must list each cookie purpose, the third parties involved (Google, Meta, others), retention periods and the route to withdraw consent. Link to it directly from the banner.
Step 5: Test reject-all in a clean browser session.
Open the site in a private window, click Reject all, then watch the Network tab for ten seconds. If _ga, fr, _fbp or any other tracking cookie appears, your banner is decorative, not functional. That is the failure pattern the DPC has called out most often.
The practical bottom line
For an almost any Irish site with a single line of Google Analytics, a Facebook Pixel or an embedded YouTube video, you need a working cookie banner with reject parity. The DPC has published clear guidance, run a national sweep and aligned with the EDPB on what a compliant banner looks like. A €10 to €20 per month consent tool with proper script blocking covers the requirement for most small businesses.
A free scan will tell you whether your current banner actually blocks trackers before the visitor clicks anything.
Sources
- SI 336 of 2011, Irish Statute Book
- DPC, Guidance on Cookies and Other Tracking Technologies
- EDPB Guidelines 03/2022 on deceptive design patterns
- GDPR Article 83, EUR-Lex
This is technical analysis, not legal advice.
<small>By Steven | TrustYourWebsite</small>
Check your website now
Scan your website for GDPR & Privacy issues and 30+ other checks.
Start free checkWebsite Guides
Cookie consent in Ireland: DPC SI 336/2011 rules
Cookie consent in Ireland under SI 336/2011 and DPC guidance. What strictly necessary means and how to test your banner.
Cookie banner dark patterns: DPC rules in Ireland
The 12 cookie banner dark patterns per EDPB taxonomy. DPC guidance, IAB Europe ruling and what the scanner detects after clicking reject all.
GDPR compliance for Irish businesses: website checklist 2026
GDPR compliance for Irish businesses: privacy policy, cookie consent, CRO number, DPC enforcement cases and a free website check in 60 seconds.