Working with cookies and similar technologies
Cookies are small data files that a website sends to a user’s computer.
You can use them to:
- store information about how users browse a site
- improve your service by tracking its performance and find out where users need help to complete a transaction
Meeting the Digital Service Standard
To pass point 7 (understand security and privacy issues) you need to show how you’ve:
- addressed all legal issues associated with protecting and sharing user data
You’ll have to explain how you’ve done this in your service assessments.
Because most users of a government service have no option but to use the service, you must:
- use as few cookies as possible
- store the smallest amount of information that you need, for as short a time as necessary
- tell users that you’re using cookies
How to tell users about cookies
When telling users that you’re using cookies, you must:
- display a banner following the Government Digital Service (GDS) design patterns to tell users that you’re using cookies
- the cookies you use on your service
- what each cookie does
- how long you store each cookie
- the footer of your website
- a cookie banner
Displaying a cookie banner
You must tell users on their first visit that your service is using cookies by displaying a banner that says you’re using cookies.
Getting consent for cookies that aren’t essential
In these instances, you must tell users before the cookie is set.
Where to apply cookies
Cookies must only apply to your originating domain name. For example, scope a cookie to www.servicename.service.gov.uk, not to .gov.uk.
You should only send cookies with the Secure attribute and, when appropriate, the HttpOnly attribute. These flags provide additional assurances about how browsers should handle cookies.
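A check for the two rules above (cookie scope and the Secure and HttpOnly attributes), added here as an example and not part of the original guidance. The sample headers are constructed, and the `script_readable` flag is an assumption standing in for cases where HttpOnly is not appropriate.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header, origin_host, script_readable=False):
    """Return findings for one Set-Cookie value served by origin_host.

    script_readable is an assumption of this example: it marks cookies that
    page JavaScript must read, the case where HttpOnly is not appropriate.
    """
    name, attrs = parse_set_cookie(header)
    findings = []
    # No Domain attribute means a host-only cookie, the narrowest scope.
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != origin_host.lower():
        findings.append(f"{name}: Domain={domain} is not the originating host")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if "httponly" not in attrs and not script_readable:
        findings.append(f"{name}: missing HttpOnly")
    return findings


# Constructed sample headers for a service on the page's example host.
ORIGIN = "www.servicename.service.gov.uk"
SAMPLES = [
    ("session=abc123; Path=/; Secure; HttpOnly", False),
    ("session=abc123; Domain=.gov.uk; Path=/; HttpOnly", False),
    ("seen_cookie_message=yes; Domain=www.servicename.service.gov.uk; Secure", True),
    ("prefs=large-text; Path=/", False),
]

if __name__ == "__main__":
    for header, script_readable in SAMPLES:
        for finding in audit_cookie(header, ORIGIN, script_readable):
            print(finding)
```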
- Published by:
- Technology community (technical architecture)
- Last update:
Guidance first published