GDPR Consent in Ireland: When You Need It and How to Get It Right (2026)

Consent is one of the most misunderstood concepts in GDPR compliance. Many Irish businesses assume they need consent for everything — they don’t. Others collect consent incorrectly and don’t realise it’s invalid. This guide clarifies exactly when consent is needed, what makes it valid, and when other lawful bases may be more appropriate.

Consent Is Only One of Six Lawful Bases

Under GDPR, you must have a lawful basis for every type of personal data processing you carry out. Consent is just one of six options:

  1. Consent
  2. Contract — processing necessary for a contract with the individual
  3. Legal obligation — required by law
  4. Vital interests — necessary to protect life
  5. Public task — for public authorities
  6. Legitimate interests — processing necessary for your legitimate interests, where these are not overridden by the individual’s rights

Choosing the right basis is important — and consent is often not the most appropriate choice.

When Is Consent the Right Basis?

Consent is most appropriate for processing that is entirely optional — where there is a genuine choice and the individual’s decision does not affect the service you provide. Common uses include:

  • Marketing emails to existing customers (though soft opt-in rules may apply)
  • Newsletter subscriptions
  • Non-essential cookies and tracking
  • Processing of special category data (health, religion, ethnicity, etc.) where no other basis applies

Do not use consent for processing that is necessary to perform a contract — use the contract basis instead.

What Makes Consent Valid Under GDPR?

For consent to be valid under GDPR, it must be:

  • Freely given: No bundling of consent with terms of service, no “take it or leave it” — there must be a genuine choice
  • Specific: A separate consent for each distinct purpose — not blanket consent for “marketing and related purposes”
  • Informed: The individual must know who is collecting the data, what it will be used for, and their right to withdraw
  • Unambiguous: A clear affirmative action — ticking a box, clicking “I agree”, or a clear oral statement. Pre-ticked boxes are not valid consent

Withdrawing Consent

Individuals must be able to withdraw consent at any time, as easily as they gave it. If withdrawal is more difficult than giving consent — for example, if signing up is one click but unsubscribing requires writing a letter — the consent mechanism is non-compliant.

Cookie Consent

Non-essential cookies — including analytics (Google Analytics), advertising, and social media trackers — require valid prior consent under GDPR and the ePrivacy Regulations. Key requirements:

  • No cookies placed before consent is given
  • Refusing must be as easy as accepting
  • No dark patterns (pre-ticked boxes, hidden reject options)
  • Consent must be renewed periodically

The DPC has taken enforcement action against non-compliant cookie banners — this is an active enforcement priority.

Need your consent mechanisms reviewed? Our GDPR Privacy Policy service covers consent notices, lawful bases, and cookie policies. Also see our GDPR guide for small businesses. Book a consultation to discuss your data protection compliance today.


This article is for informational purposes only and does not constitute legal advice.
