Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Ireland Éire / Republic of Ireland

Ireland — analytics & cookie compliance reference

Ireland's DPC is the lead supervisory authority for most US Big Tech under GDPR's one-stop-shop — which is why the largest GDPR fines on record (Meta €1.2B, Instagram €405M, TikTok €345M) have all issued from Dublin. English-language privacy notices are accepted natively.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Ireland — and, by extension, the EU establishments of Meta, Google, Apple, Microsoft, TikTok, X, LinkedIn, and most other US tech whose EU HQ sits in Dublin. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

DPA 2018
Data Protection Act 2018
National implementation of GDPR opening clauses + special-categories + employee data + child consent age + DPC powers + criminal offences. Crucially, §40 retains employer-specific protections and §31 fixes the digital-consent age at 16.
  • § 31 Digital consent age — Ireland fixed it at 16, the GDPR maximum (not lowered to 13 like the UK)
  • § 36 Children's data — Fundamentals for a Child-Oriented Approach (binding DPC code, Dec 2021)
  • § 40 Employee data — processing by employer permitted on specified grounds; intersects with Industrial Relations Act
  • § 141 Criminal offences — disclosure of personal data without authority; up to €250K fine + 5 years imprisonment
Number 7 of 2018 — gives effect to GDPR + transposes Law Enforcement Directive (EU) 2016/680
ePrivacy Regs 2011 · Stricter
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011
National transposition of ePrivacy Directive Article 5(3) — cookies + terminal-equipment access + electronic marketing. Regulation 5(3) is the Irish cookie-consent provision; Regulation 13 governs unsolicited communications (email/SMS/calls).
  • Reg 5(3) Cookies + terminal-equipment access — prior consent required (DPC 2020 guidance: must match GDPR-grade consent standard)
  • Reg 13(1) Email/SMS marketing — prior opt-in for individuals; B2B soft-opt-in narrower than UK
  • Reg 13(11) Soft opt-in — only for similar products from existing customer relationship + opt-out at every contact
S.I. No. 336/2011 (as amended by S.I. 526/2018)
Children First Act 2015
Mandated-person reporting and child-welfare obligations. Intersects with analytics where sites target under-18s — DPC's Fundamentals code (Dec 2021) folds child-protection thinking into data-protection compliance for child-directed services.
  • § 14 Mandated reporting — providers of relevant services must report concerns about a child's welfare
Number 36 of 2015

Regulators

Supervisory authorities that interpret and enforce privacy law here.

FEDERAL
DPC · Data Protection Commission / An Coimisiún um Chosaint Sonraí
Single national DPA for all sectors. Lead supervisory authority under GDPR Article 56 for Meta, Google, Apple, Microsoft, TikTok, X, LinkedIn, Airbnb, Yahoo, and most US tech with EU establishment in Dublin. Three Commissioners since Feb 2024 (Des Hogan, Dale Sunderland, Niamh Sweeney).

Coordination body

EDPB · European Data Protection Board
DPC participates in EDPB consistency mechanism. Several DPC draft decisions have been escalated to Article 65 binding-decision procedure (Twitter 2020, WhatsApp 2021, Instagram 2022, Meta 2023) — the EDPB has consistently increased fines proposed by the DPC, sometimes by an order of magnitude.
  • 2020-12-15 · DPC Twitter decision — First DPC big-tech fine (€450K) — small relative to later precedents but procedurally significant: first Article 65 binding decision in DPC history.
  • 2021-07-28 · WhatsApp Article 65 — EDPB binding decision raised DPC's proposed €30–50M fine to €225M (final) for transparency failures.
  • 2022-09-05 · Instagram Article 65 — EDPB raised DPC's draft fine to €405M for processing children's data — at the time the largest GDPR fine.
  • 2023-05-22 · Meta €1.2B Article 65 — EDPB binding decision overrode DPC reluctance to fine — final €1.2B remains the largest GDPR fine on record.

Notable enforcement

Ireland leads the EU in cumulative GDPR fine totals — not because Irish controllers are uniquely non-compliant, but because the DPC is the lead supervisory authority for most US Big Tech under GDPR Article 56 one-stop-shop. The €1.2B Meta fine (May 2023), €405M Instagram fine (Sep 2022), €345M TikTok fine (Sep 2023), and €225M WhatsApp fine (Sep 2021) all issued from Dublin. The pattern: DPC drafts a decision → EDPB Article 65 binding-decision procedure raises the fine substantially → final amount issued by DPC. Irish-domestic enforcement (i.e., on Irish-only controllers) is much milder. For Irish SMBs targeting Ireland, the DPC's posture is investigatory-first rather than fining-first.

  1. 2023-05 · €1.2B
    Meta Platforms Ireland (Facebook) · DPC · Art 46(1) · stood (under appeal)

    Largest GDPR fine on record. Continued transfer of EU user data to US under SCCs after Schrems II without adequate supplementary measures. EDPB Article 65 binding decision overrode DPC reluctance to issue suspension order. Largely moot post-DPF (Jul 2023).

  2. 2025-05 · €530.0M
    TikTok Technology Limited (China transfers) · DPC · Art 46(1), 13(1)(f) · stood

    DPC fined TikTok €530M (€485M + €45M) on 2 May 2025 for unlawful transfers of EEA user data to mainland China without an adequate transfer mechanism plus deficient transparency. Among the largest GDPR fines on record.

  3. 2022-09 · €405.0M
    Instagram (Meta) · DPC · Art 5, 6, 12, 24, 25, 35 · stood

    Children's data exposure — Business accounts converted from personal accounts left phone numbers and email addresses publicly visible. EDPB Article 65 raised DPC's draft fine substantially.

  4. 2023-09 · €345.0M
    TikTok Technology Limited · DPC · Art 5, 12, 13, 24, 25 · stood

    Children's accounts default-public; family-pairing feature flaws; transparency failures regarding processing of under-13s. EDPB Article 65 binding decision shaped final amount.

  5. 2024-12 · €251.0M
    Meta Platforms Ireland (Facebook 'View As') · DPC · Art 25, 32, 33 · stood

    September 2018 'View As' security breach exposing 29M users globally (3M in EU). Privacy-by-design failures + insufficient breach mitigation.

  6. 2021-09 · €225.0M
    WhatsApp Ireland · DPC · Art 12, 13, 14 · stood

    Transparency failures — incomplete disclosures to users and non-users about processing of personal data, inter-Meta data sharing. EDPB Article 65 raised DPC's proposed €30-50M to final €225M.

  7. 2024-09 · €91.0M
    Meta Platforms Ireland (passwords) · DPC · Art 5(1)(f), 32, 33(1), 33(5) · stood

    Plaintext password storage discovered 2019 affecting hundreds of millions of Facebook/Instagram passwords; insufficient breach response and notification. DPC announcement 27 Sep 2024.

  8. 2020-12 · €450k
    Twitter International (X) · DPC · Art 33(1), 33(5) · stood

    First DPC fine on a Big Tech platform. Late breach notification (>72h) and incomplete record-keeping. Procedurally landmark — first Article 65 binding decision involving the DPC.

GA4 status

GA4 is usable in Ireland with prior consent under ePrivacy Reg 5(3). The DPC is Google LLC's lead supervisory authority because Google Ireland Limited is the EU establishment. Post-DPF (Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. The DPC has been comparatively permissive on GA4 vs CNIL/AEPD/Garante — no Schrems II GA4 ban issued from Dublin. Consent-layer compliance under ePrivacy Reg 5(3) remains the primary risk surface.

DPA · Stance
DPC · Permissive post-DPF — lead supervisory authority for Google Ireland; transfers lawful with DPF certification + ePrivacy Reg 5(3) consent. No Schrems-II-style ban on GA4 has issued from Dublin.

Cross-border transfers + Schrems II

The DPC is central to EU–US transfer enforcement because most large US transfers from EU users go through Dublin-based EU establishments (Meta Platforms Ireland, Google Ireland, Apple Distribution International, Microsoft Ireland, TikTok Technology). The Meta €1.2B fine (May 2023) was specifically a transfers-and-Schrems-II decision. Post-DPF (10 Jul 2023), the DPC accepts adequacy for DPF-certified US importers; the EU General Court upheld DPF in T-553/23 (Sep 2025). The DPC has been the gateway for almost every Article 65 EDPB binding decision on transfers.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. The DPC publishes guidance on Transfer Impact Assessments and expects controllers to document FISA 702 risk where DPF coverage does not extend (e.g., importers not certified, non-cloud transfers).

Employee data

Key thresholds

  • Child consent age: 16 years
  • Article 27 representative: Not required
  • Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 12 · 6 green · 5 yellow · 1 red
Vendor · Status · Rationale
 GREEN Cookieless by design. EU-routed via Cloudflare. No DPA required for Lite tier (no PII).
 GREEN Self-hosted on your infrastructure. Full data control, configurable IP anon. Meets every jurisdiction with cookieless config.
 GREEN EU-hosted with cookieless mode available. With cookies disabled qualifies for §25(2) exception in Germany.
 GREEN German-hosted, cookieless, GDPR-aligned by design.
 GREEN EU-hosted, no cookies, no PII processed. ePrivacy-exempt for cookieless tracking. No banner required.
 GREEN Open-source, cookieless, fully self-hostable. Default-green when self-hosted.
 YELLOW Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
 YELLOW EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
 YELLOW Default config sends data to US infrastructure. Needs Consent Mode v2 + IP anonymization + DPF active + signed DPA + reject-all banner. Server-side EU proxy moves to green.
 YELLOW EU residency available on paid plans; default cloud is US. Identifies users by default — needs config.
 YELLOW EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
 RED Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimization.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
 GREEN Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
 GREEN Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
 GREEN Open-source, self-hosted. No managed updates — site owner maintains vendor list.
 GREEN GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
 GREEN German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Tag managers · 1 · 0 green · 1 yellow · 0 red
Vendor · Status · Rationale
 YELLOW Container only — verdict depends on which tags fire and when. Block until consent. Server-side GTM in EU recommended.
Session replay · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Full session capture — highest-risk category. Explicit consent + DPIA + strict retention.
 RED Session replay — high-risk processing per EDPB Guidelines 3/2019. DPIA + explicit consent required. Cannot run pre-consent.
 RED Session replay + Microsoft tracking. DPIA + explicit consent required.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
 RED Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
 RED Schrems II concerns persist; advanced matching hashes PII but does not fix EU→US transfer problem.
 RED PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
 GREEN EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
 GREEN EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
 YELLOW "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing.

Common questions

Why is the Data Protection Commission so important under GDPR?
Under GDPR Article 56 (one-stop-shop), the DPA where a controller has its main EU establishment acts as lead supervisory authority for cross-border processing. Because Meta, Google, Apple, Microsoft, TikTok, X, LinkedIn, Airbnb, Yahoo, and most US Big Tech have their EU HQ in Dublin, the DPC is their lead DPA for the entire EU. That's why the largest GDPR fines on record — Meta €1.2B, Instagram €405M, TikTok €345M, WhatsApp €225M — have all issued from Dublin.
Why do US tech companies have their EU HQ in Ireland?
Three reasons predate GDPR: (1) 12.5% corporate-tax regime, (2) English-speaking common-law jurisdiction, (3) decades of inward-investment infrastructure (IDA Ireland). GDPR added a fourth: under Article 56, all EU users of a Dublin-headquartered controller are regulated through a single Irish DPA, simplifying compliance. The trade-off is that the DPC has become the most-scrutinized DPA in Europe, with EDPB Article 65 binding-decision overrides on multiple occasions raising DPC's proposed fines substantially.
Has the DPC actually issued the largest GDPR fines?
Yes. As of mid-2026, the DPC has issued the four largest GDPR fines on record: Meta €1.2B (May 2023, transfers), Instagram €405M (Sep 2022, children's data), TikTok €345M (Sep 2023, children's data), and Meta €251M (Dec 2024, 'View As' breach). It also issued the €225M WhatsApp fine (Sep 2021). Most were shaped by EDPB Article 65 binding decisions that raised DPC's draft amounts.
What is the digital-consent age in Ireland?
16 — Ireland retained the GDPR baseline rather than lowering it. DPA 2018 §31 fixes age 16 as the threshold below which parental authorisation is required for offered information-society services. The DPC's Fundamentals for a Child-Oriented Approach (Dec 2021) is the binding code for child-directed services and child-likely-audiences.
Is English-only OK for an Irish privacy notice?
Yes. English is one of two official languages and is the working language of business, government, and the DPC. Irish-language notices are encouraged for state bodies and Gaeltacht-targeted services but not required for private-sector controllers. Compare with Germany (German required), France (French required), Spain (Spanish required) — Ireland is the easiest large-population EU market for English-only operators.
Do I need an Article 27 representative if I target Ireland from outside the EU?
Yes — under GDPR Art 27, non-EU controllers offering goods/services to or monitoring behavior of people in Ireland (or any EEA state) must designate an EU representative, unless the small-business exception in Art 27(2) applies. This is a GDPR rule, not Ireland-specific. Once designated, the representative can sit in any EEA state — there is no Ireland-specific representative requirement.
Is GA4 legal in Ireland in 2026?
Yes, conditionally. GA4 requires prior consent under ePrivacy Reg 5(3). Post-DPF (10 Jul 2023), US transfers to Google's servers are lawful while Google LLC remains DPF-certified. The DPC is Google Ireland's lead DPA and has been comparatively permissive on GA4 vs CNIL/AEPD/Garante — no Schrems-II-style ban has issued from Dublin. Consent-layer compliance is the primary risk surface.
Do I need a DPO under Irish law?
Irish law follows the GDPR Article 37 default — mandatory only when (a) a public authority, (b) core activities require regular and systematic monitoring on a large scale, or (c) core activities involve large-scale processing of special-category or criminal data. Unlike Germany's BDSG §38 (≥20 employees), Ireland sets no national headcount threshold. Most Irish SMBs do not need a DPO; designate voluntarily if processing is sensitive.
What does double-opt-in look like under Irish ePrivacy?
Regulation 13(1) of S.I. 336/2011 requires prior consent for unsolicited email/SMS marketing to individuals. Best practice — and the DPC's guidance position — is double-opt-in: form submission + email confirmation click. Soft-opt-in (Reg 13(11)) is narrower than UK PECR — only permits similar products from an existing customer with opt-out at every contact. B2B-to-corporate-email is more permissive than B2C but still subject to Reg 13.
Does Schrems II still affect transfers post-DPF?
Yes, for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers (renewed by EU General Court Sep 2025, T-553/23). For non-DPF US recipients, Schrems II logic still applies: a Transfer Impact Assessment plus supplementary measures are required. The DPC's role is uniquely consequential here because the Meta €1.2B fine (May 2023) was specifically a Schrems II / SCCs / FISA 702 decision, and most Big-Tech EU exports of personal data are still routed through Dublin-based EU establishments.

// EDITORIAL · NOT LEGAL ADVICE

This page summarises Ireland's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.