Working with cookies and similar technologies

Cookies are small data files that a website sends to a user’s computer.

You can use them to:

  • store information about how users browse a site
  • improve your service by tracking its performance and finding out where users need help to complete a transaction

This guidance is about how to use cookies, but you should also follow it when using any other technologies that store information on a user’s device, like HTML5 local storage.

Meeting the Digital Service Standard

To pass point 7 (understand security and privacy issues) you need to show how you’ve:

  • addressed all legal issues associated with protecting and sharing user data
  • created an appropriate and up-to-date cookie policy

You’ll have to explain how you’ve done this in your service assessments.

How to use cookies

Because most users of a government service have no option but to use the service, you must:

  • use as few cookies as possible
  • store the smallest amount of information that you need, for as short a time as necessary
  • try to only use cookies that are essential to the way the service works or that improve user experience
  • tell users that you’re using cookies

How to tell users about cookies

When telling users that you’re using cookies, you must:

  • publish a cookie policy that explains how and why you use cookies
  • display a banner following the Government Digital Service (GDS) design patterns to tell users that you’re using cookies

You must publish a cookie policy by the time your service goes to public beta. The policy must be written in plain English and it must explain:

  • the cookies you use on your service
  • what each cookie does
  • how long you store each cookie

You can use the GOV.UK cookie policy as an example, but you must create your own version that’s specific to your service. You must not link to the main GOV.UK cookies policy.

You must link to your cookie policy from:

  • the footer of your website
  • a cookie banner

You must tell users on their first visit that your service is using cookies by displaying a banner.

You must then remind them on a regular basis. For example, GOV.UK displays a blue information banner to each user every 3 months that tells them the site uses cookies.

If your service uses the govuk_template, you should set the cookie_message template block to link to your own cookie policy. See the documentation on template blocks to find out how to do this.

You need to get users’ permission to use cookies that aren’t essential for your site to work. This is called ‘explicit consent’.

In these instances, you must tell users before the cookie is set.

Where to apply cookies

Cookies must only apply to your originating domain name. For example, scope them to www.servicename.service.gov.uk, not .gov.uk.

Don’t use cookies on domains that host only static assets like images or JavaScript - they slow response times for users without providing any benefit.

You should only send cookies with the Secure attribute and, when appropriate, the HttpOnly attribute. These flags provide additional assurances about how browsers should handle cookies.
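
One way to check a service's Set-Cookie headers against the scoping and attribute rules in this section. This is an added example, not part of the original guidance or of any GOV.UK code; the function name, the script_readable parameter and the sample headers are assumptions constructed for illustration.

```python
def audit_set_cookie(header_value, origin_host, script_readable=()):
    """Return a list of findings for one Set-Cookie header value.

    script_readable (hypothetical parameter) names cookies that page
    JavaScript needs to read, where HttpOnly is not appropriate.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()

    findings = []
    # No Domain attribute: the cookie is host-only and goes to origin_host alone.
    # With Domain set, it is also sent to every subdomain of that domain.
    if "domain" in attrs:
        if attrs["domain"].lstrip(".").lower() != origin_host.lower():
            findings.append(
                f"{name}: Domain={attrs['domain']} is not the originating host {origin_host}"
            )
    # Secure: the browser sends the cookie only over HTTPS.
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    # HttpOnly: the cookie is hidden from scripts running in the page.
    if "httponly" not in attrs and name not in script_readable:
        findings.append(f"{name}: missing HttpOnly")
    return findings


# Constructed sample data: the host is the example from the text above,
# the cookie names and values are made up.
ORIGIN = "www.servicename.service.gov.uk"
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "banner_seen=yes; Domain=.gov.uk; Path=/; Max-Age=7776000",
    "analytics_id=x1; Domain=www.servicename.service.gov.uk; Secure",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        for finding in audit_set_cookie(header, ORIGIN):
            print(finding)
```

Running the same check over the response headers of static-asset domains should return nothing to audit at all, since those domains should not set cookies.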

Published by:
Technology community (technical architecture)
Last update:

Guidance first published