Website compliance is one of those areas most Irish SME owners know they should address but rarely feel they've fully resolved. The legal landscape around websites has changed substantially since 2018, and it continues to evolve. GDPR brought data protection into sharp focus. The ePrivacy Regulations govern cookie consent. The European Accessibility Act extends obligations to private sector websites. Consumer protection rules dictate how prices and terms must be presented.
The good news is that the core compliance requirements for most Irish SME websites are not particularly complex or expensive to implement. The bad news is that ignoring them creates real exposure — the Data Protection Commission has issued fines to Irish businesses of all sizes, and reputational damage from a data breach or accessibility complaint can cost far more than the compliance work itself.
This guide covers the main compliance areas for Irish SME websites and what you need to have in place.
GDPR and Data Protection
The General Data Protection Regulation applies to any Irish business that collects, processes, or stores personal data — which includes virtually every business website. The core principles that apply to your website:
Lawful basis for data collection
You must have a lawful basis for every type of personal data you collect. For most SME websites, contact form submissions are collected under legitimate interest or consent — both are valid, but the mechanisms differ. Analytics data (which can be personal under GDPR) typically requires consent before collection. Newsletter signups require explicit opt-in consent.
Privacy Policy
You must have a Privacy Policy that is:
- Easily accessible — typically linked in the website footer and from any data collection form
- Written in plain language — not legal jargon copied from a template that nobody reads
- Specific to your actual data practices — not a generic document that doesn't reflect what you actually collect and do
- Up to date — reviewed whenever your data practices change
The Privacy Policy must cover: what data you collect and why, your lawful basis for processing, how long you retain data, whether you share data with third parties (including hosting providers, analytics platforms, and email services), and how users can exercise their rights (access, deletion, portability).
Data Subject Rights
Under GDPR, individuals have rights over their personal data: the right to access what you hold about them, the right to have it deleted, the right to correct inaccuracies, and the right to object to processing. You need a mechanism for handling these requests — typically a designated email address — and you must respond within 30 days.
Data Breach Procedures
If your website is breached and personal data is compromised, you may be required to notify the Data Protection Commission (DPC) within 72 hours and, in some cases, notify the affected individuals. You should have a documented procedure for identifying, assessing, and reporting breaches — even a simple one-page document is better than nothing.
Ireland's Data Protection Commission is one of the more active regulators in the EU, partly because many large tech companies have their European headquarters here. While the largest fines have targeted multinationals, the DPC also investigates complaints against SMEs and issues enforcement notices. The most common SME issues are inadequate cookie consent and non-compliant privacy policies — both are straightforwardly fixable.
Cookie Consent and the ePrivacy Regulations
Cookie consent is the compliance area where most Irish SME websites fall short. The ePrivacy Regulations (implemented in Ireland as the ePrivacy Regulations 2011, as amended) require that you obtain informed consent before placing non-essential cookies on a visitor's device.
Non-essential cookies include analytics cookies (Google Analytics, GA4), advertising cookies (Google Ads, Facebook Pixel), and social media tracking cookies. Essential cookies — those required for the website to function, such as session cookies and shopping cart cookies — do not require consent.
A compliant cookie consent implementation must:
- Appear before non-essential cookies are set — not after, and not via a pre-ticked "I agree" box
- Explain clearly what cookies are being placed and why — vague descriptions like "we use cookies to improve your experience" without specifics are not compliant
- Offer a genuine choice — declining must be as easy as accepting; a "decline" option must exist and must actually prevent non-essential cookies from being set
- Allow consent to be withdrawn — visitors must be able to change their consent preference after the initial choice
- Not use dark patterns — designs that make declining difficult, such as small grey text for the decline option versus a large bright button for accept, are non-compliant
Many SME websites use a cookie banner that looks compliant but isn't — it displays a banner with an "Accept" button but continues to fire analytics and advertising tags regardless of what the visitor chooses. This is non-compliant and can result in DPC complaints.
For Google Analytics specifically, implementing Google Consent Mode correctly means GA4 does not collect identifiable data until consent is granted. This requires technical configuration — not just a banner overlay.
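To make the banner requirements above concrete, here is a small consent gate in plain JavaScript, added as an example (it is not code from the original page or from any vendor). It assumes the `dataLayer` array, the per-category tag loaders and the cookie store are injected by the caller, so the logic runs outside a browser; the Consent Mode commands are modelled as arrays mirroring the documented `gtag('consent', 'default' | 'update', ...)` calls you would make in production.

```javascript
// Cookie categories that need prior consent; essential cookies are never gated.
const NON_ESSENTIAL = ["analytics", "advertising"];

// createConsentGate({ dataLayer, loaders, cookies, cookiePrefixes })
//   dataLayer:      array receiving Consent Mode commands (window.dataLayer in a browser;
//                   modelled here as plain arrays mirroring gtag("consent", ...) calls)
//   loaders:        { analytics: fn, advertising: fn } that inject the vendor tag on demand
//   cookies:        { name: value } stand-in for document.cookie, purged on withdrawal
//   cookiePrefixes: { analytics: ["_ga"], ... } cookie name prefixes each category sets
function createConsentGate({ dataLayer, loaders, cookies, cookiePrefixes }) {
  const state = { analytics: false, advertising: false };
  const loaded = new Set();
  // Consent Mode default: storage starts "denied", so nothing identifiable is
  // collected before the visitor makes a choice.
  dataLayer.push(["consent", "default", { analytics_storage: "denied", ad_storage: "denied" }]);

  function publish() {
    dataLayer.push(["consent", "update", {
      analytics_storage: state.analytics ? "granted" : "denied",
      ad_storage: state.advertising ? "granted" : "denied",
    }]);
    // A vendor tag is injected only after consent for its category exists, and only once.
    for (const cat of NON_ESSENTIAL) {
      if (state[cat] && !loaded.has(cat) && loaders[cat]) { loaders[cat](); loaded.add(cat); }
    }
  }

  return {
    acceptAll() { for (const c of NON_ESSENTIAL) state[c] = true; publish(); },
    // Declining is a single call, the same effort as accepting: no tag loads, state stays denied.
    declineAll() { for (const c of NON_ESSENTIAL) state[c] = false; publish(); },
    // Withdrawal after an earlier accept: an injected script cannot be unloaded, so the
    // gate signals "denied" through Consent Mode and deletes the category's cookies.
    withdraw(cat) {
      state[cat] = false;
      const prefixes = cookiePrefixes[cat] || [];
      for (const name of Object.keys(cookies)) {
        if (prefixes.some((p) => name.startsWith(p))) delete cookies[name];
      }
      publish();
    },
    status() { return { ...state }; },
  };
}
```

A banner that fails the test below (tags loading before `acceptAll`, or still loading after `declineAll`) is exactly the "looks compliant but isn't" case described above.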
Cookie Policy
In addition to your Privacy Policy, you should have a separate Cookie Policy (or a dedicated cookie section within your Privacy Policy) that lists every cookie your site places, categorises them (essential / analytics / advertising / preferences), and explains what each one does and how long it persists.
This can be linked from your cookie consent banner ("Learn more") so visitors who want the full detail can access it.
Terms and Conditions
If your website sells products or services — either directly through an e-commerce function or via a quote/booking process — you need Terms and Conditions (or Terms of Service). Key elements for an Irish SME:
- Description of the service or product offered
- Pricing, VAT treatment, and payment terms
- Cancellation and refund policy (particularly important under Consumer Rights Act 2022 for B2C transactions)
- Delivery terms (for physical products) or service delivery scope (for services)
- Limitation of liability
- Governing law (should state Irish law and jurisdiction)
- Dispute resolution process
For B2C (business to consumer) transactions, Irish and EU consumer protection law imposes specific obligations around the right to cancel within 14 days for distance contracts, clear pricing disclosure, and mandatory pre-contract information. These apply whether you have a formal e-commerce setup or simply take bookings via your website.
Web Accessibility
Web accessibility is both a legal requirement and a commercial opportunity. The European Accessibility Act (EAA), which fully applies to private sector websites and apps from June 2025, requires that digital services meet WCAG 2.1 AA accessibility standards.
The core WCAG 2.1 AA requirements for SME websites:
- Text alternatives — all images must have descriptive alt text so screen readers can convey them to visually impaired users
- Colour contrast — text must have sufficient contrast against its background (minimum 4.5:1 ratio for normal text, 3:1 for large text)
- Keyboard accessibility — every function on your site (navigation, forms, buttons, video controls) must be usable by keyboard alone
- Focus indicators — keyboard users must be able to see which element currently has focus
- Form labels — every form field must have a label associated with it, not just placeholder text (which disappears when users start typing)
- Error messages — when a form has an error, the error message must clearly identify which field has the problem and what the user needs to do
- Heading structure — pages must use a logical heading hierarchy (H1, then H2, then H3) that makes sense to screen readers
- Link text — links should describe where they go ("Read our VAT guide") rather than using generic text ("click here" or "read more")
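Two of the checks above (colour contrast and heading hierarchy) can be automated. The following JavaScript is an added example, not code from the original page: it implements the WCAG 2.1 relative-luminance and contrast-ratio formulas against the 4.5:1 and 3:1 AA thresholds, and flags heading-level skips given a page's heading levels in document order (the `#767676` and `#777777` greys used in the test are constructed sample values).

```javascript
// WCAG 2.1 relative luminance of an sRGB colour given as "#rrggbb".
function relativeLuminance(hex) {
  const [r, g, b] = [1, 3, 5]
    .map((i) => parseInt(hex.slice(i, i + 2), 16) / 255)
    .map((c) => (c <= 0.03928 ? c / 12.92 : Math.pow((c + 0.055) / 1.055, 2.4)));
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

// Contrast ratio (1:1 to 21:1) between two colours; argument order does not matter.
function contrastRatio(fg, bg) {
  const l1 = relativeLuminance(fg);
  const l2 = relativeLuminance(bg);
  return (Math.max(l1, l2) + 0.05) / (Math.min(l1, l2) + 0.05);
}

// WCAG AA: 4.5:1 for normal text, 3:1 for large text (18pt+, or 14pt+ bold).
function passesAA(fg, bg, { large = false } = {}) {
  return contrastRatio(fg, bg) >= (large ? 3 : 4.5);
}

// Heading-hierarchy problems from heading levels in document order, e.g. [1, 2, 3, 2]:
// a missing H1, a first heading that is not H1, or a skipped level (H2 straight to H4).
function headingIssues(levels) {
  const issues = [];
  if (!levels.includes(1)) issues.push("no H1 on page");
  if (levels.length && levels[0] !== 1) issues.push(`first heading is H${levels[0]}, not H1`);
  for (let i = 1; i < levels.length; i++) {
    if (levels[i] > levels[i - 1] + 1) {
      issues.push(`H${levels[i - 1]} followed by H${levels[i]} (level skipped)`);
    }
  }
  return issues;
}
```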
Accessibility compliance is often one of the more involved aspects of a website rebuild, but many of the requirements overlap with good SEO and UX practice. A screen reader needs semantic structure for the same reason Google does — good accessibility and good SEO are aligned, not competing.
Approximately 15% of the Irish population lives with a disability of some kind, and many more experience temporary or situational accessibility barriers (using a phone in bright sunlight, recovering from an eye injury, using a slow connection). An accessible website is a more usable website for everyone — and one that doesn't turn away a meaningful proportion of potential customers.
Consumer Rights and Price Transparency
The Consumer Rights Act 2022 and the EU Omnibus Directive (implemented in Ireland in 2023) impose requirements around price transparency that affect many SME websites, particularly those selling products or services online.
Key requirements:
- Prices must be displayed inclusive of VAT for B2C transactions — displaying ex-VAT prices only is non-compliant for consumer-facing websites
- If you display sale or reduced prices, you must show the previous price and it must reflect a genuine prior price (the "prior reference price" rule prevents artificial inflation followed by fake discounts)
- For personalised pricing (prices set based on user data/profiling), you must disclose that personalisation is occurring
- Pre-ticked boxes for additional paid services are prohibited
Legal Pages: What You Need and Where They Should Live
At minimum, an Irish SME website should have the following legal pages:
- Privacy Policy — required under GDPR; must be linked from every data collection point and the footer
- Cookie Policy — required under ePrivacy Regulations; linked from cookie consent banner
- Terms and Conditions — required if you sell anything; should be linked before checkout or booking completion
- Accessibility Statement — required under the EAA for public sector and now extended to private sector; describes your compliance level and how to report issues
These pages should be linked in your website footer on every page — not hidden in a secondary navigation that visitors never find. Footer links for Privacy, Terms, and Cookie Policy are standard practice and expected by both users and regulators.
A Compliance Checklist for Irish SME Websites
- Privacy Policy in place, linked from footer and all data collection forms
- Cookie consent banner that genuinely withholds non-essential cookies until consent is granted
- Cookie Policy listing all cookies placed, their purpose, and duration
- Terms and Conditions covering service scope, pricing, cancellation, and refund rights
- Accessibility Statement describing your WCAG compliance level
- All images have descriptive alt text
- Text and background colour contrast passes WCAG AA minimum
- Forms have proper labels (not just placeholder text)
- The site is navigable by keyboard
- B2C prices shown inclusive of VAT
- Data breach response procedure documented internally
- Contact mechanism for data subject rights requests
This list isn't exhaustive — specific sectors (financial services, healthcare, education) have additional obligations. But for most Irish service businesses, completing this list addresses the vast majority of compliance risk.
Need a Compliance-Ready Website?
Shuppa builds websites for Irish SMEs with GDPR compliance, proper cookie consent, accessibility foundations, and all required legal pages built in from the start — not bolted on as an afterthought.