Cookies under Irish data protection law

Irish provisions on cookies


Ireland’s ‘ePrivacy Regulations’ (S.I. 336/2011, which implemented the EU ‘ePrivacy Directive’), constitute an additional set of rules that are applicable to certain types of data processing, including the use of cookies and similar technologies, which are read together with the rules found in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).


For the setting use of cookies and other similar technologies, the data controller normally needs data subject’s consent (as required by Regulation 5 (3) of the ePrivacy Regulations) to use these types of technologies. However, controllers do not need to obtain consent where the cookie or other technology is necessary to provide a data subject with the service they are seeking – for example, cookies which may be needed to provide  visitors with a functioning website.

Data controllers also need to provide data subjects with certain easily accessible, ‘clear and comprehensive’ information on the technology they are using and the purpose for which they are using it.

New Guidance note

In April 2020 and following a sweep conducted between August and December 2019, the Data Protection Commission (DPC) published an updated Guidance note on Cookies and similar technologies.

Hereafter, new regulatory expectations around the use of website cookies are set to include clearer instructions to  organisations and further consider the interaction between the GDPR and the ePrivacy Regulations.

The following topics are the key issues clarified in the New Guidance:


Implied consent

An inferring consent from a user navigating through a site and/or using pre-checked boxes (see the decision in Planet 49) does not constitute a freely given, specific, informed and unambiguous consent as required under the GDPR and thus, implied consent and pre-checked boxes are not permitted.

Consent Management Platforms

The use of a CMP (Consent Management Platforms) does not in itself ensure compliance and must be effective. Controllers are responsible for the tools to work in the manner intended and for the buttons on the user interface to be clear and do what they are designated to do. In particular:


  • clear cookie consent settings need to be taken into account for their accessibility and to avoid ambivalent red/green choices that may be unclear and disadvantageous to the average user.
  • where slides are set ‘on’ by default and the user’s choice to turn these cookies off is not respected, the DPC explicitly indicates this to be a priority for enforcement.

‘Necessary’ or ‘strictly necessary’ exemption

Moreover, it was found that controllers had a poor understanding of the ‘necessary’ or ‘strictly necessary’ exemption. The DPC stressed that the exemption is extremely narrow and can only apply to a service that has been explicitly requested.


Cookie consent

Consent is required for analytics cookies, but taking a similar approach to the UK ICO, the DPC considers first party analytics cookies potentially low risk and therefore unlikely to be a priority for any formal action. However, analytics cookies are not exempt and the guidance confirms two types of analytics cookies (first and third party analytics), both of which require consent. Organisations should in any case ensure they have appropriate consents.

Cookie consent should be limited to a timespan of 6 months, after which time it should be refreshed.

Consent is not needed for each individual cookie, but opt-in consent must be obtained for each purpose for which the cookies are set. Subsequently, the bundling consent is not permitted. Taking an ‘all or nothing’ approach and offering an ambiguous selection to accept or reject all cookies does not prove compliance. Further pre-ticked boxes, sliders or other similar tools that automatically set non-essential cookies to “on” by default do not ensure compliance.


Cookie walls

With regard to cookie walls, the DPC’s view is that users should not suffer any disadvantage (i.e. blocking access to a website) when they have not consented to cookies, other than to the degree certain website functionality is affected. This is a stricter approach than that applied by other regulators, including the UK ICO which says that data protection rights must be balanced against other rights, including freedom of expression and freedom to conduct a business.


Joint controllership

Controllers should take into consideration the implications of the July 2019 Fashion ID judgement of the Court of Justice of the European Union, with respect to potential joint controllership issues on data collected by third-party plugins and social ‘like’ buttons.


Special categories of data

There is a risk that some cookies involve the processing of special category data based on inferences drawn from the nature of the site that a user has visited (e.g. a health insurer’s website). The use of this data should only take place with the user’s explicit consent.

Cookie policy

The DPC emphasised the inevitability for controllers to take extra precautions when drafting and updating privacy and cookie policies for which transparency is set as key.  


Six months grace period

Organisations are given a six months grace period from the date of publication, 6 April 2020, to bring their cookies practices into compliance and potentially before engaging in any enforcement action under the Data Protection Act 2018. The DPC intends to actively exercise enforcement powers later this year in the case of those websites and apps that do not significantly adjust their cookie consent management processes.

Contact us!

Secure the knowledge of our experts!

Subscribe to our free newsletter: