Ireland's Cookie Law: SI 336/2011 and the GDPR
Ireland transposed the EU ePrivacy Directive into national law through Statutory Instrument 336/2011 - formally titled the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. These regulations took effect on 1 July 2011 and sit alongside the GDPR (applied via the Data Protection Act 2018) to form the legal basis for cookie regulation in Ireland.
Regulation 5(3) of SI 336/2011 is the provision that matters most for cookie compliance. It requires that tracking technologies may only be used where visitors have received clear, comprehensive, and prominently displayed information about the purposes of processing - and have given their consent.
The Data Protection Commission (DPC) supervises and enforces both instruments. As the lead supervisory authority for many of the world's largest technology companies (due to their European headquarters being in Ireland), the DPC's interpretation of cookie rules carries weight well beyond Irish borders.
What the DPC Cookie Guidance Requires
In April 2020, the DPC published a detailed guidance note on cookies and tracking technologies, following a cookie sweep survey of 38 organisations conducted between August and December 2019. The guidance set a six-month grace period for compliance and clarified several points that had previously caused confusion.
Consent Must Be Explicit and Granular
The DPC's position is unambiguous: implied consent does not satisfy the GDPR standard. Visitors must take a clear, affirmative action to accept non-essential cookies. Pre-ticked boxes, continued browsing, or scrolling do not count.
Consent must also be granular. Bundling all cookie purposes into a single "accept" action is not permitted. Your cookie categories - such as analytics, advertising, and functional - each require separate opt-in controls.
Analytics cookies, including _ga and _gid from Google Analytics, are not considered strictly necessary and require consent.
Consent Duration and Renewal
The DPC guidance specifies that cookie consent should be refreshed every six months. This is stricter than some other EU member states, where 12-month consent validity is common. After six months, your website must re-prompt visitors for their cookie preferences.
Strictly Necessary Exemption
Two categories of cookies are exempt from the consent requirement under Regulation 5(5) of SI 336/2011. The first is the "communications exemption" for cookies whose sole purpose is carrying out the transmission of a communication over a network. The second is the "strictly necessary" exemption for cookies required to provide a service explicitly requested by the visitor - for example, session cookies like PHPSESSID that maintain a shopping cart.
DPC Enforcement: Record Fines and Investigations
The DPC has become one of Europe's most active data protection authorities, partly because major technology companies maintain their European headquarters in Ireland. While many of its largest fines relate to broader GDPR violations rather than cookies specifically, they demonstrate the regulator's willingness to impose serious penalties.
| Company | Year | Fine | Key Violation |
|---|---|---|---|
| Meta (Facebook) | 2023 | EUR 1.2 billion | Unlawful data transfers to the US (Article 46(1) GDPR) |
| TikTok | 2025 | EUR 530 million | EEA user data transfers to China, transparency failures |
| TikTok | 2023 | EUR 345 million | Children's privacy violations |
| Meta (WhatsApp) | 2023 | EUR 5.5 million | Consent and transparency under GDPR |
| 2024 | EUR 310 million | Data processing and consent violations | |
| Meta (Instagram) | 2022 | EUR 405 million | Children's data processing |
On the cookie-specific front, the DPC's 2019-2020 cookie sweep led to direct engagement with organisations found to be non-compliant. Eight companies were prosecuted under the ePrivacy Regulations, and 146 investigations were concluded.
The DPC also has the power to bring criminal prosecutions for breaches of SI 336/2011, a power that distinguishes Ireland from many other EU member states where cookie violations are handled through administrative fines alone.
How Irish Cookie Rules Compare to Other EU States
Ireland's cookie framework shares the same EU foundation as its neighbours, but several details differ in practice.
The six-month consent renewal period is stricter than the approach taken by France's CNIL, which typically accepts consent validity of up to six months as well but has historically been more lenient on the exact timeframe. Germany's TTDSG does not prescribe a specific renewal period in the same way. The Dutch AP has taken a notably practical stance, exempting certain analytics configurations from consent requirements - something the DPC has not done.
The criminal prosecution route available under SI 336/2011 is relatively unusual across the EU. Most member states rely exclusively on administrative fines for cookie violations, following the model set by the Spanish AEPD or Italian Garante.
Cookie Compliance Checklist for Irish Websites
Meeting the DPC's expectations requires attention to both legal and technical details. The following steps cover the essentials.
Audit Your Cookies
Run a full cookie scan to identify every cookie and tracker on your site. Many websites set cookies they are unaware of - third-party scripts from advertising networks, social media widgets, or embedded videos often drop cookies like _fbp, IDE, or YSC without the site owner's knowledge.
Categorise and Document
Group cookies into the standard categories: strictly necessary, functional, analytics, and advertising. Document the name, purpose, provider, and expiry of each cookie. This information must appear in your cookie policy.
Implement a Compliant Consent Banner
Your cookie banner must present visitors with a genuine choice. The DPC requires that refusing cookies is as straightforward as accepting them. A banner with a prominent "Accept All" button but a hidden or less visible "Reject" option would not meet this standard.
Ensure no non-essential cookies fire before consent is given. This means tag management scripts must be configured to wait for a consent signal.
Refresh Consent Every Six Months
Set your consent mechanism to re-prompt visitors after six months. Keep records of when consent was given and when it expires.
Honour Withdrawal
Visitors must be able to withdraw consent at any time, and doing so must be as easy as giving it. A persistent link to cookie preferences - in the footer or via a floating icon - satisfies this requirement.
The GDPR and ePrivacy Relationship in Ireland
A common source of confusion is how the GDPR and SI 336/2011 interact. The ePrivacy Regulations (SI 336/2011) govern the act of placing or reading cookies on a device. The GDPR governs the processing of personal data collected through those cookies.
In practice, this means two legal bases are relevant. Regulation 5(3) of SI 336/2011 requires consent for setting non-essential cookies. If those cookies collect personal data (as analytics and advertising cookies typically do), the GDPR's requirements for lawful processing also apply - and consent under Article 6(1)(a) GDPR is the standard basis used.
The DPC applies both instruments together. A cookie banner that satisfies GDPR consent standards will generally also satisfy SI 336/2011, provided it covers the ePrivacy-specific requirements around information provision and the strictly necessary exemption.
What Happens If You Ignore the Rules
The consequences of non-compliance in Ireland are not theoretical. The DPC can pursue administrative fines under the GDPR (up to EUR 20 million or 4% of global annual turnover) and criminal prosecution under SI 336/2011.
The 2019-2020 cookie sweep showed that the DPC is willing to investigate cookie practices directly, not just wait for complaints. Organisations found non-compliant were given time to remediate, but those that failed to act faced prosecution.
Given Ireland's role as the lead supervisory authority for many global technology companies, the DPC's enforcement decisions also set precedents that influence how other EU regulators approach similar cases.
Frequently Asked Questions
Do analytics cookies require consent in Ireland?
Yes. The DPC has confirmed that analytics cookies such as _ga and _gid are not strictly necessary and require explicit opt-in consent before being set on a visitor's device.
How often must cookie consent be renewed under Irish law?
The DPC guidance recommends refreshing cookie consent every six months. After this period, your website should re-prompt visitors to confirm or update their cookie preferences.
Can the Irish DPC impose criminal penalties for cookie violations?
Yes. Unlike most EU member states, Ireland allows criminal prosecution for breaches of SI 336/2011 (the ePrivacy Regulations). The DPC has used this power, prosecuting eight companies following its 2019-2020 cookie sweep.
Is implied consent valid for cookies in Ireland?
No. The DPC's guidance explicitly states that implied consent from browsing behaviour, scrolling, or pre-ticked boxes does not meet the GDPR standard of freely given, specific, informed, and unambiguous consent.
What cookies are exempt from consent in Ireland?
Two types are exempt under Regulation 5(5) of SI 336/2011: cookies strictly necessary to provide a service the visitor explicitly requested (such as session or shopping cart cookies), and cookies whose sole purpose is transmitting a communication over a network.
Does the Irish DPC regulate cookies for companies based outside Ireland?
The DPC enforces cookie rules for websites targeting Irish users. For companies with European headquarters in Ireland, the DPC also acts as lead supervisory authority under the GDPR's one-stop-shop mechanism, meaning its decisions apply across the EU.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of Irish and EU law.
