Working with cookies and similar technologies

Cookies are small data files that a website sends to a user’s computer. They’re used to store information about how users browse a website.

This guidance is about how to use cookies, but you should also follow it when using any other technologies that store information on a user’s device, like HTML5 local storage.

How to use cookies

Keep use of cookies to a minimum, and be transparent about the ones you do use. You must:

  • use as few cookies as possible, and stop setting any cookies that aren’t needed anymore
  • store the smallest amount of information that you need, for as short a time as necessary
  • tell users that you’re using cookies

How to tell users about cookies

When telling users that you’re using cookies, you must:

  • publish a cookie policy that explains how and why you use cookies
  • display a banner telling users that you’re using cookies

You must publish a cookie policy by the time your service goes into public beta.

The policy must be written in plain English and it must explain:

  • the cookies you use on your service
  • what each cookie does
  • how long you store each cookie
  • how users can remove cookies and stop cookies being set on their device

You can use the GOV.UK cookie policy as an example, but you must create your own version that’s specific to your service. You must not link to the main GOV.UK cookies policy.

Link to your cookie policy from:

  • the footer of your website or service
  • a cookie banner

Don’t bury your cookie policy in a ‘terms and conditions’ page.

Have an agreed process for updating the cookie policy when you add or remove a cookie. Make sure your developers know what the process is.

You must tell users that your website or service is using cookies by displaying a cookie banner on their first visit.

For GOV.UK services, use the service name in the cookie banner. That way users will know that the cookies you’re talking about are different from the ones set by the main GOV.UK site.

For example: ‘The register to vote service uses cookies to make it simpler to use. Find out more about cookies [with a link to the cookies policy]’.

You must remind the user that you’re setting cookies on a regular basis. For example, GOV.UK displays a blue information banner to each user every 3 months that tells them the site uses cookies.

If your service uses the govuk_template, you should set the cookie_message template block to link to your own cookie policy. See the documentation on template blocks to find out how to do this.

Where to apply cookies

Cookies must only apply to your originating domain name. For example, www.servicename.service.gov.uk not .gov.uk.

Don’t use cookies on domains that host only static assets like images or JavaScript - they slow response times for users without providing any benefit. You should only send cookies with the Secure attribute and, when appropriate, the HttpOnly attribute. These flags provide additional assurances about how browsers should handle cookies.
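One way to check a service against the scoping and attribute rules above is to audit the Set-Cookie headers it returns. This is an added example, not code from the service manual or GOV.UK; the function names, the cookie names and the sample headers are constructed for illustration.

```python
ORIGIN = "www.servicename.service.gov.uk"  # the originating host from the guidance

# Constructed sample Set-Cookie header values, not captured from a real service.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "banner_seen=yes; Domain=.gov.uk; Path=/; Max-Age=7776000",
    "prefs=large-text; Domain=www.servicename.service.gov.uk; Secure",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookie(header, origin_host):
    """Return a list of findings for one Set-Cookie header sent by origin_host."""
    name, attrs = parse_set_cookie(header)
    findings = []
    # Browsers ignore a leading dot in Domain, so compare without it.
    domain = attrs.get("domain", "").lstrip(".").lower()
    # No Domain attribute means a host-only cookie, the narrowest scope.
    # Any Domain other than the originating host is treated as too wide.
    if domain and domain != origin_host.lower():
        findings.append(f"{name}: Domain={domain} is wider than {origin_host}")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    # HttpOnly is 'when appropriate', so this is a prompt to review, not a failure.
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly (confirm client script must read it)")
    return findings


def audit_response(headers, origin_host):
    """Audit every Set-Cookie header from one response."""
    return [f for h in headers for f in audit_cookie(h, origin_host)]


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, ORIGIN):
        print(finding)
```
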

You might find the guidance on choosing digital analytics tools useful.

Published by:
Technology community (technical architecture)
Last update:

Guidance first published