If you run a website in Ireland, you've almost certainly seen cookie consent banners. You might even have one on your site right now. But here's the uncomfortable truth: most Irish businesses get cookie consent wrong. They either ignore it completely, implement something half-hearted that doesn't actually comply with the law, or choose a tool that creates more problems than it solves.
The consequences aren't theoretical. The Data Protection Commission (DPC) in Dublin has issued fines to Irish and international companies for cookie violations. Your site could be next. But the good news is that getting cookie consent right isn't actually complicated. It just requires understanding what the law actually requires, not what marketing companies claim it requires.
What Are Cookies, Actually?
Let's start with basics. A cookie is a small text file stored on someone's computer or phone when they visit your website. That file contains data that your site (or third-party services) can read when the visitor returns. Cookies are how websites remember that you've logged in, keep items in your shopping basket, or track which pages you've visited.
The technical part is straightforward. The compliance part is where it gets tricky. Under Irish and EU law, you need permission before storing most cookies on someone's device. The exceptions—which you need to know—are cookies that are absolutely essential to make your website function. Everything else requires explicit consent.
The Law: ePrivacy Directive and GDPR
Two pieces of legislation matter for cookie consent in Ireland. They work together, not against each other, but most people get confused about which is which.
The ePrivacy Directive (2002/58/EC), updated by the ePrivacy Directive 2009/136/EC, covers the storage and retrieval of information on someone's device. This is the law that says you need consent before storing cookies. The ePrivacy Directive doesn't care what you do with the data—it's purely about permission to store something on someone's device.
GDPR (General Data Protection Regulation) covers what you do with personal data once you have it. If your cookies collect information about an identifiable person—their behaviour, preferences, location, identity—then GDPR applies. See the Data Protection Commission for detailed guidance on data protection requirements. GDPR is about lawful processing of data, not the initial storage permission.
In practice, this means: ePrivacy Directive requires you to ask for permission to place cookies. GDPR requires that if those cookies contain personal data, you handle that data lawfully and transparently. Most websites need to comply with both.
What Irish Sites Get Wrong
- Pre-ticked consent boxes. The ePrivacy Directive and GDPR both require affirmative consent—the user must actively opt in. A pre-ticked box is not consent. Neither is scrolling down the page or clicking 'continue'. This is one of the DPC's most common enforcement points.
- Burying the 'Reject All' button. Your cookie banner should make rejecting cookies as easy as accepting them. If you have a big green 'Accept All' button and a tiny greyed-out 'Reject' link, that's not compliant.
- Confusing 'essential' categories. Most sites claim far too many cookies are 'essential'. In reality, essential cookies are only those without which your website simply won't work. Analytics? Not essential. Retargeting? Definitely not essential. Many 'essential' cookies are actually preference cookies that should require consent.
- No opt-out mechanism for new visitors. Some sites only show the cookie banner once. If someone rejects cookies and clears their browser, they should see the banner again next time. Not offering a way to change cookie preferences is a compliance issue.
- Vague privacy policies. Your privacy policy should specifically explain which cookies you use, what they do, who operates them (is it Google Analytics, Facebook Pixel, Hotjar?), and how long they're kept. A generic privacy policy isn't enough.
- Using tools that don't actually comply. Just because a tool claims to be GDPR-compliant doesn't mean it is. Some popular cookie management platforms have been fined by regulators. You need to check the tool's approach to consent and data handling, not just take their word for it.
Essential vs Non-Essential Cookies: The Real Distinction
This is where most confusion happens. Let's be clear about what qualifies as 'essential':
- Essential cookies: Session cookies (keeping you logged in), security tokens (protecting against attacks), language preferences if your site is multilingual, shopping basket data on ecommerce sites. These are only the cookies that are technically necessary for the website to function as intended.
- Non-essential cookies: Analytics (tracking user behaviour), marketing (retargeting ads), preference tracking (remembering choices like dark mode), heatmaps, form analytics, video embeds that aren't core to the page. These all require explicit consent.
The test is: if the cookie is removed, does the core functionality of the website still work? If yes, it's not essential. This distinction matters because the DPC actively looks at whether sites are miscategorising cookies to avoid getting consent.
Use a consent management platform like CookieYes or Cookiebot that automatically scans your site and categorises cookies. This saves hours of manual work auditing your site and stays updated as new scripts are added. The tool does the heavy lifting so you don't have to manually track every single cookie.
How to Implement Cookie Consent Properly
Here's what actually compliant cookie implementation looks like:
Step 1: Audit Your Cookies
Before you choose a tool or write anything, you need to know every cookie your site currently uses. If you're running Google Analytics, Facebook Pixel, LinkedIn Insight Tag, Hotjar, or any other tracking tool, they're all setting cookies. Open your browser's developer tools (F12), go to the Application tab, and look at the Cookies section. Write down what you find.
For each cookie, determine: What does it do? Who owns it (your domain or a third party)? Is it essential, or should it require consent? How long is it stored? If you can't answer these questions, disable the service until you can.
Step 2: Classify Cookies Accurately
Create categories for your cookies. Something like: Essential, Analytics, Marketing, Preferences. Be honest here. If you're using Google Analytics to track behaviour across your site—which you almost certainly are—that's not essential. It's analytics.
Step 3: Don't Load Non-Essential Services Until Consent
This is critical. Your website should load analytics scripts, pixels, and tracking codes only after the user has given consent. This is the opposite of what many sites do. They load everything, show a cookie banner, and claim they're compliant. That's not compliant. The cookie banner doesn't retroactively make it compliant.
Most cookie management tools should handle this automatically, but verify that they do. Your analytics service shouldn't fire until someone clicks 'Accept Analytics' or equivalent.
Step 4: Implement a Compliant Banner
Your cookie banner should: (1) clearly state you're using cookies and why; (2) link to your full privacy policy; (3) provide an 'Accept All' button and a 'Reject All' button of equal prominence; (4) allow granular consent (user can accept some categories and reject others); (5) save preferences so they see the banner again only if they clear cookies; (6) be accessible from every page—usually in the footer.
Step 5: Update Your Privacy Policy
Your privacy policy must specifically list every cookie you use, what it does, and who owns it. Generic privacy policies aren't enough. If you use Google Analytics, say so. If you use Hotjar heatmaps, list that. If you use Facebook Pixel, disclose it. For each service, include: what data it collects, how long it's stored, and the third party's privacy policy link.
Offer granular cookie choices rather than just accept or reject all. The DPC views genuine choice as essential, and it builds trust with privacy-conscious visitors. When users see they can accept analytics but reject marketing cookies, they feel respected rather than coerced.
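One way to implement the Step 3 rule with the per-category choice described above, as an added example that is not code from any of the tools named on this page. The category names, the `createConsentGate` helper and the script URLs you register are assumptions.

```javascript
// Added example: a consent gate that holds non-essential scripts until opt-in.
function createConsentGate(injectScript) {
  const granted = new Set();   // empty by default: no category is pre-ticked
  const pending = new Map();   // category -> script URLs waiting for consent
  const loaded = [];           // URLs actually injected, in order

  function load(src) {
    if (loaded.includes(src)) return;   // never inject the same tag twice
    loaded.push(src);
    injectScript(src);
  }

  return {
    // Essential scripts load at once; everything else waits for an opt-in.
    register(category, src) {
      if (category === 'essential' || granted.has(category)) return load(src);
      if (!pending.has(category)) pending.set(category, []);
      pending.get(category).push(src);
    },
    // choices comes from the banner, e.g. { analytics: true, marketing: false }.
    // Only a strict `true` counts as consent; anything else is treated as "no".
    setConsent(choices) {
      for (const [category, value] of Object.entries(choices)) {
        if (value === true) {
          granted.add(category);
          (pending.get(category) || []).forEach(load);
          pending.delete(category);
        } else {
          granted.delete(category);   // reject or withdraw: blocks future loads
        }
      }
    },
    rejectAll() { granted.clear(); },   // queued scripts stay queued
    loaded: () => [...loaded],
    waiting: () => [...pending.values()].flat(),
  };
}

// Browser injector: the tag is created only when the gate calls it.
const domInject = (src) => {
  const s = document.createElement('script');
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
};
```

In the page, create the gate with `createConsentGate(domInject)`, register every third-party tag through it instead of hard-coding `<script>` tags, and call `setConsent` from the banner's buttons. A script that has already run cannot be unloaded, so withdrawal only stops later loads.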
Compliant Cookie Banners: What They Look Like
A compliant banner shows cookie categories clearly, allows the user to accept or reject by category, and makes it obvious how to reject cookies. The reject button should be as visible as the accept button. It should not use dark patterns—colours, sizing, or layout designed to manipulate the user into accepting.
The banner should appear on first visit and remain visible until the user makes a choice. Once they've chosen, you should honour that choice for a reasonable period (usually until they clear cookies). You should provide a way for users to change their preferences later—typically a link in the footer.
Avoid cookie walls that block all content until consent is given. The DPC and EDPB consider these coercive, and they may not constitute valid consent under GDPR. Users should have the ability to browse your site even if they reject non-essential cookies.
Cookie Management Tools That Actually Work
There are hundreds of cookie management platforms. Here are three that have proven track records with Irish and UK businesses:
CookieYes
CookieYes (formerly CookieBot) is one of the most established cookie consent tools. It autodetects cookies on your site, allows granular consent, and integrates with major analytics and marketing platforms. Pricing starts at approximately €50-100 per month depending on traffic. The dashboard shows which cookies are on your site and why, making audits easier. CookieYes has been through DPC audits and maintains strong compliance. It's particularly good if you want the tool to do most of the heavy lifting.
Complianz
If you're running WordPress, Complianz is a solid choice. It's a plugin that scans your site for cookies, generates an automatically updated cookie list, and can block scripts until consent is given. You can use the free version for basic cookie management, or upgrade to the premium version (around €200 per year) for more features. Complianz integrates directly with WordPress, making it simpler for sites already on that platform.
CookieBot
CookieBot (now part of Usercentrics) is enterprise-grade cookie consent. It's more expensive—typically €200+ per month—but it offers sophisticated cookie mapping, automated consent workflows, and handles complex multi-domain setups. If you have multiple websites or are operating ecommerce with significant compliance requirements, CookieBot is worth considering. It's probably overkill for a small business site with basic analytics.
Don't choose based on features alone. Choose based on: Does it autodetect your cookies? Does it allow script blocking until consent? Does it clearly distinguish essential from non-essential? Is the cost proportionate to your traffic? If a tool costs €500 per month and you have 5,000 monthly visitors, that's disproportionate.
Common Cookie Mistakes Irish Sites Make
- Loading Google Analytics before consent. This is incredibly common and actively non-compliant. Google Analytics shouldn't load until someone consents to analytics cookies. Many sites load the entire gtag script before the banner appears.
- Setting cookies with no way to manage them. If you're using third-party tools like Hotjar, Drift, or Intercom, these set cookies automatically. You need to delay their loading until consent is given.
- Inconsistent cookie practices across devices. Your mobile site and desktop site should have identical cookie consent flows. If your mobile site doesn't show the banner properly, that's a compliance gap.
- Not honouring 'Do Not Track' headers. If someone's browser is set to 'Do Not Track', some cookies should respect that. Your tool should be configured to handle this.
- Keeping cookies longer than necessary. If you're storing analytics data for 12 months when 6 months is adequate, you're holding onto personal data longer than you should. Review retention periods regularly.
- Cookie walls. Some sites make functionality contingent on accepting non-essential cookies ('You must accept all cookies to continue'). This is non-compliant. Users should have meaningful choice.
- Assuming you only need cookie consent for tracking cookies. Session cookies, authentication cookies, and preference cookies all need to be disclosed even if they are technically necessary. The law requires transparency about ALL cookies, not just the problematic ones.
DPC Enforcement: What You Need to Know
The Data Protection Commission, based in Dublin, is the independent authority responsible for enforcing GDPR and ePrivacy regulations in Ireland. They take cookie compliance seriously. In 2023-2024, the DPC issued significant fines for cookie violations, including to major international companies with Irish operations.
The DPC doesn't typically target small business sites with a few thousand monthly visitors. But they do investigate complaints, and they monitor for patterns. If you're a larger business with significant traffic, or if you get a complaint, you should expect scrutiny. The DPC will look at: How you're classifying cookies, whether scripts load before consent, whether your banner actually prevents cookie loading, whether your privacy policy is accurate, and how you're honouring user choices.
If the DPC finds issues, you'll receive a warning notice giving you time to fix them. If you don't, fines follow. But more importantly, non-compliance can result in your site being reported by visitors, triggering investigations. The easier path is to get it right from the start.
Making Your Site Cookie Compliant Today
Here's what you should do this week: (1) Audit your current cookies. (2) Classify them honestly. (3) If you don't have a cookie banner, implement one. (4) Verify that non-essential scripts aren't loading until consent. (5) Update your privacy policy with specific cookie details. (6) Test your cookie preferences to confirm they work.
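A sketch of checks (1), (2) and (4) from this list, as an added example that is not part of the original article: it takes the `Set-Cookie` headers seen on a first visit before any banner click and reports owner, lifetime, category and whether the cookie should have existed yet. The sample capture, the domain `shop.example`, the cookie names and the register are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((p) => p.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attr = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attr[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, attr };
}

// Lifetime in whole days; null means a session cookie. Max-Age wins over Expires.
function lifetimeDays({ attr }, now) {
  if (attr['max-age'] !== undefined) return Math.round(Number(attr['max-age']) / 86400);
  if (attr.expires !== undefined) return Math.round((Date.parse(attr.expires) - now) / 86400000);
  return null;
}

// register maps cookie name -> category from your own classification step.
function auditPreConsent(capture, siteDomain, register, now = Date.now()) {
  return capture.map(({ host, setCookie }) => {
    const cookie = parseSetCookie(setCookie);
    const scope = (cookie.attr.domain || host).replace(/^\./, '');
    const firstParty = scope === siteDomain || scope.endsWith('.' + siteDomain);
    const category = register[cookie.name] || 'unclassified';
    return {
      name: cookie.name,
      owner: firstParty ? 'first-party' : scope,
      days: lifetimeDays(cookie, now),
      category,
      // Anything not classified essential must not exist before consent.
      violation: category !== 'essential',
    };
  });
}

// Constructed sample: responses seen on a first visit, before any banner click.
const SAMPLE = [
  { host: 'shop.example', setCookie: 'session=abc123; Path=/; HttpOnly; Secure' },
  { host: 'shop.example', setCookie: '_an_id=A1.2.3; Max-Age=63072000; Domain=.shop.example' },
  { host: 'px.ads.example', setCookie: 'uid=77; Max-Age=7776000; SameSite=None; Secure' },
];
const REGISTER = { session: 'essential', _an_id: 'analytics' }; // assumed classification
```

Run `auditPreConsent(SAMPLE, 'shop.example', REGISTER)` against your own capture; every row with `violation: true` is a cookie that was set before the visitor chose. Cookies written by scripts through `document.cookie` never appear in response headers, so cross-check against the Application tab in developer tools.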
Cookie compliance isn't complicated. It's straightforward once you understand that the law isn't asking for something unreasonable—it's asking you to respect your visitors' choice about what data you collect and store. Get that right, and you've solved 95% of the compliance puzzle.
Frequently Asked Questions
What happens if my Irish business doesn't comply with cookie consent rules?
Non-compliance can result in warnings from the Data Protection Commission, followed by significant fines if you don't address the issues. Beyond legal consequences, non-compliance damages trust with visitors. For detailed guidance on staying compliant, see our article on website security for Irish businesses.
Do I need cookie consent for Google Analytics on my Irish website?
Yes, unless you've specifically configured Google Analytics to anonymise IP addresses and disabled all advertising features. Most implementations require consent. Check out our guide on on-page SEO for Irish businesses which includes analytics best practices.
Need Help with Cookie Compliance?
If you're not sure whether your site's cookie setup is compliant, or if you want expert guidance on implementing the right solution for your business, reach out to discuss your needs. We can audit your current setup, recommend the right tool for your traffic and needs, and implement it properly. Cookie compliance doesn't have to be painful.
Related Resources
- Website Security Guide for Irish Businesses
- GDPR Website Compliance: Ireland Guide
- Website Maintenance Schedule & Checklist
- What Consumers Look At on Your Business Website
Written by
Founder of Web Design Ireland. Helping Irish businesses make smart website investments with honest, practical advice.