If you run a website in Ireland, you need to understand GDPR and cookie consent. Not because it's trendy—but because breaking these rules can cost your business €20,000 or more in fines, plus the reputational damage of a complaint to the Data Protection Commission (DPC). The stakes are real.

The good news: GDPR compliance doesn't have to be complicated. Most of the confusion comes from over-engineered cookie banners and contradictory blog posts written by people who don't work in Ireland. This guide cuts through that and tells you what the DPC actually expects from Irish websites.

What Is GDPR and Why Does It Apply to Your Website?

GDPR (General Data Protection Regulation) is EU law that controls how personal data is collected, used and stored. Ireland's Data Protection Commission enforces it here, and it applies to any website based in Ireland or targeting Irish users, regardless of where you're hosted.

Cookies are small files stored on visitor browsers. Some are essential for your site to work (shopping baskets, login sessions). Others track behaviour for analytics or marketing. GDPR says you need explicit consent before using non-essential cookies. That's where the banner comes in.

A lot of websites get this backwards. They load all their tracking cookies first, then ask permission. That's illegal. The DPC is clear: consent must come before the cookie is stored. Loading cookies first, then asking, violates GDPR.

Legal Reality

Loading non-essential cookies before consent is illegal under Irish GDPR. The DPC has investigated this and issued guidance. Many websites still do this incorrectly.

Which Cookies Actually Need Consent?

Essential Cookies (No Consent Needed)

These cookies are necessary for basic site functionality. No consent required.

  • Shopping cart cookies—so items stay in the basket
  • Login/session cookies—to keep users signed in
  • Security cookies—to prevent attacks
  • Preference cookies—like language or currency selection on your site
  • Load balancing cookies—for site performance

These can be set immediately. Your banner should explain they're essential and say something like "We use essential cookies to make our site work properly." Users don't get to opt out of these—they're required for the site to function.

Non-Essential Cookies (Consent Required)

These cookies track behaviour or enable marketing. They're not needed for basic functionality. Consent is required before loading these.

  • Google Analytics—to see how many people visit and what they do
  • Facebook Pixel—to track conversions and retarget ads
  • Hotjar or Clarity—to see session recordings and heatmaps
  • Marketing cookies—from ad networks or email platforms
  • Third-party tracking pixels—from partners or platforms

These must not be loaded until the visitor actively consents. Silence (not clicking) does not count as consent. Pre-ticked boxes are illegal. The person must click "yes" to opt in to these cookies.

Building a Compliant Cookie Banner

A compliant banner needs to do four things:

1. Be Clear and Honest

Don't hide information in dark patterns or tiny text. Explain what each category of cookies does in plain language. Avoid jargon. The DPC has investigated websites with banners that say "we collect data to improve your experience"—that's too vague and doesn't clearly explain what the cookies do.

Be specific: "Google Analytics shows us which pages people visit and how long they stay. This helps us improve content and design." That's clear. That's honest. That's what the DPC expects.

2. Make Consent Easy to Give and Refuse

Your banner needs a button to accept all, a button to reject all, and a button to customise. The reject button must be as prominent as the accept button—not smaller, not buried. Many websites get this wrong. The DPC has specifically called out designs where "reject" is harder to find than "accept."

Both buttons should be equal size and similarly positioned. If your "accept" button is bright and large and your "reject" button is small and grey, you're using dark patterns and that violates GDPR.

3. Link to Your Privacy Policy

Your banner should link to a full privacy policy that explains how you use data, how long you keep it, and what rights visitors have. This needs to be detailed—not just a sentence, but a proper policy. If you don't have one, write one now. Templates exist (many are free or cheap), but they need to reflect what your site actually does.

See small business website guide for Ireland for information on building trustworthy sites.

4. Only Load Cookies After Consent

This is technical, but important: your website code must check if consent exists before loading Google Analytics, Facebook Pixel, or any other tracking script. If you're using WordPress, plugins like Cookiebot, ConsentManager, or CookieYes handle this automatically. If you're on a custom site, your developer needs to conditionally load tracking scripts based on consent status.
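For a custom site, the consent check can be a few dozen lines. The following is an added example (not the article's code and not taken from any of the plugins named above); it assumes a first-party cookie named "cookie_consent" holding the visitor's choices plus a timestamp, the 12-month expiry the article recommends, and placeholder script URLs in place of real tag URLs:

```javascript
// Added example, not the article's or any plugin's code: a minimal consent gate for a
// custom site. Assumes a first-party cookie "cookie_consent" (name is an assumption)
// holding JSON {analytics, marketing, ts}, where ts is when consent was given.
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // 12 months, then ask again
// Placeholder URLs (assumption): substitute your real tag URLs / measurement ID.
const SCRIPT_URLS = {
  "google-analytics": "https://example.invalid/ga-placeholder.js",
  "facebook-pixel": "https://example.invalid/pixel-placeholder.js",
};
// Parse the consent record out of a document.cookie string. Returns null when it is
// missing, malformed or older than 12 months: silence and stale consent both mean no.
function parseConsent(cookieHeader, now = Date.now()) {
  const entry = (cookieHeader || "").split(";").map((p) => p.trim())
    .find((p) => p.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return null;
  try {
    const record = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    if (typeof record.ts !== "number" || now - record.ts > CONSENT_MAX_AGE_MS) return null;
    return record;
  } catch (e) { return null; } // tampered or unparsable record: treat as no consent
}
// Only categories the visitor explicitly opted in to (=== true) unlock a script.
function scriptsToLoad(record) {
  const out = [];
  if (record && record.analytics === true) out.push("google-analytics");
  if (record && record.marketing === true) out.push("facebook-pixel");
  return out;
}
// Cookie string the banner writes for Accept all / Reject all / Customise.
// "Reject all" still writes a record so the visitor is not re-asked on every page.
function buildConsentCookie(choices, now = Date.now()) {
  const record = { analytics: choices.analytics === true, marketing: choices.marketing === true, ts: now };
  const maxAge = Math.floor(CONSENT_MAX_AGE_MS / 1000);
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}
// Browser glue: inject only the permitted scripts. Call on page load and again after
// the banner writes a new choice; no tracking script sits in the HTML itself.
function applyConsent(doc) {
  for (const name of scriptsToLoad(parseConsent(doc.cookie))) {
    const s = doc.createElement("script");
    s.src = SCRIPT_URLS[name];
    s.async = true;
    doc.head.appendChild(s);
  }
}
if (typeof document !== "undefined") applyConsent(document);
```

The banner's buttons set `document.cookie = buildConsentCookie({...})` and then call `applyConsent(document)`; a visitor who never clicks, or whose consent is over 12 months old, gets no analytics or marketing scripts at all.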

Cookie Banner Tools

Popular solutions: Cookiebot, CookieYes, ConsentManager, Termly. These handle consent management and conditional script loading automatically.

How Long Should Consent Last?

Consent should expire after 12 months. After that, ask again. This isn't because consent "goes stale" in a technical sense—it's because the DPC expects you to remind people what you're doing. It keeps you honest and gives visitors regular chances to opt out if they want to.

If you change how you use cookies (adding Google Analytics, adding a new marketing tool, etc.), you need fresh consent for those changes. Don't assume old consent covers everything forever.

Google Analytics and GDPR Consent Mode

If you use Google Analytics, Google has created "consent mode", which lets the Google tag run in a restricted mode before someone consents and switch to full operation once they do. This is a Google-specific solution that helps with analytics without violating GDPR.

However, the standard approach is simpler: don't load Google Analytics until someone consents. If they refuse consent, you don't get analytics on that person. That's compliant and straightforward.

What About Transparency and Legitimate Interest?

The DPC publishes guidance regularly, and a key theme is transparency. Be specific about what cookies you use and why. If you use Google Analytics, say it. If you use Facebook Pixel, say it. If you're experimenting with a new marketing tool, disclose it.

Don't use vague language like "cookies help us improve your experience." Be transparent: "We use Google Analytics to track which pages are popular and how visitors navigate the site. This helps us improve content and design."

Legitimate interest: For some business purposes, you can claim "legitimate interest" instead of consent. But this is narrow. Legitimate interest might apply to essential cookies or fraud detection. It doesn't apply to marketing cookies or analytics. When in doubt, get consent.

Data Protection Impact Assessments (DPIA)

If you're processing large amounts of personal data or using automated decision-making, the DPC might expect a DPIA (Data Protection Impact Assessment). This is a document that describes what data you collect, how you use it, and what risks exist.

For most small business websites, a DPIA isn't required. But if you're collecting sensitive data, operating tracking systems, or using AI tools, you might need one. When in doubt, consult a data protection specialist.

Children's Data

If your website targets or could be used by children (under 16 in Ireland), you need parental consent for processing their data. Most business websites don't target children, so this doesn't apply. But if you do, the requirements are stricter.

Subject Access Requests

Under GDPR, anyone can ask you: "What personal data do you have about me?" You must provide it within 30 days. You need a process to handle these requests. Most website platforms have admin tools to export or delete user data, but you need to be able to do this quickly.

What Happens If You Don't Comply?

The DPC has issued fines from €5,000 to €20,000+ for cookie violations. More common than fines is a complaint investigation—which is expensive in time, legal costs and stress. You might be asked to prove consent was properly collected, provide copies of your consent mechanism, and explain how data was used.

There's also reputational risk. A published DPC investigation or decision follows your business online and damages trust. Customers see that you were investigated for data protection violations, and they lose confidence in your business.

Real Fines

The DPC has issued fines in the tens of thousands for cookie violations. It's not theoretical. Investigate how to be compliant now.

Auditing Your Current Setup

If your site doesn't have a cookie banner, or if your banner pre-ticks boxes or makes it hard to refuse, fix it now. Here's what to do:

  • Visit your website in a private/incognito browser window
  • Look for a cookie banner or consent notice
  • Check if "reject all" is as easy to click as "accept all"
  • Look at your current privacy policy—is it detailed and accurate?
  • Check what cookies are loaded and when (your browser's developer tools show which cookies and tracking requests appear before you click anything on the banner)
  • Test your contact form for GDPR compliance (does it have a consent checkbox?)

Getting Compliant

If your site isn't compliant, it's not expensive or complicated to fix. Most compliant solutions cost €10-50 per month. If you're unsure whether your current setup is legal, ask your web designer or developer to review it against DPC guidance.

See SSL certificates and HTTPS security for information about encrypting data in transit. See website maintenance for keeping your site secure.

Next Steps

GDPR compliance is about respecting visitor privacy while protecting your business from legal risk. It's the right thing to do and the smart business thing to do.

Need GDPR Compliance Help?

We'll review your current setup against DPC guidance and recommend specific changes to ensure your website is fully GDPR compliant.


Written by

Ciaran Connolly

Founder of Web Design Ireland. Helping Irish businesses make smart website investments with honest, practical advice.
