Cookies are small data files that a website sends to a user’s computer. They’re used to store information about how users browse a website.
When building your service:
- use as few cookies as possible, and stop setting any cookies that aren’t needed anymore
- store the smallest amount of information that you need, for as short a time as necessary
- get users’ consent before you set any cookies that aren’t essential to providing the service
Your cookie policy must be written in plain English and it must explain:
- the cookies you use on your service
- what the cookies do
- how long you store different types of cookies
- how users can remove cookies and stop cookies being set on their device
Link to your cookie policy from:
- the footer of your website or service
- a cookie banner
Getting consent for non-essential cookies
You must get the user’s explicit consent before setting any cookies - except for cookies that are strictly necessary for delivering the service.
The Information Commissioner’s Office (ICO) has guidance on what types of cookie are likely to be considered ‘strictly necessary’. For example, load balancing cookies are likely to be strictly necessary - but cookies that collect analytics data aren’t.
What service teams should do
We recommend that service teams talk to the privacy expert within their own department about what actions they need to take to meet standards for cookie consent.
To help users understand that the cookies you’re talking about are different from the ones set by the main GOV.UK platform, use the service name in the cookie banner.
Cookie consent on the main GOV.UK platform
For the main GOV.UK platform, GDS has:
- introduced explicit, opt-in consent for non-essential cookies through a new cookie banner and cookie preferences tool
Discovery into ‘remembering’ consent across domains and subdomains
GOV.UK is designed to look like one website. But really it’s made up of the main GOV.UK platform and lots of transactional services, typically hosted on .service.gov.uk subdomains.
At the moment, services hosted on .service.gov.uk subdomains set their own cookies, independent from the main GOV.UK domain.
A typical visit to GOV.UK might begin on a ‘start page’ hosted on the main GOV.UK domain, then move into a service hosted on a .service.gov.uk subdomain. This means a user can be asked to consent to cookies multiple times.
The Government Digital Service (GDS) is planning a discovery in early 2020 to look at whether it’s possible to develop a solution that ‘remembers’ a user’s consent settings across different domains and subdomains. We’ll publish updates on the Technology in Government blog.
Where to apply cookies
Cookies must only apply to your originating domain name. For example, www.servicename.service.gov.uk, not .gov.uk. A cookie scoped to a parent domain is sent to every site under that domain, so a cookie set with Domain=.gov.uk or Domain=.service.gov.uk would be sent to, and could be overwritten by, every other service hosted there. The simplest way to meet this is to omit the Domain attribute entirely, which makes the browser treat the cookie as host-only.
You should only send cookies with the Secure attribute, so the browser returns them over HTTPS only, and, when appropriate, the HttpOnly attribute, so they cannot be read by client-side JavaScript (which limits what a cross-site scripting flaw can steal). HttpOnly is appropriate for cookies that only the server needs to read, such as session identifiers; a cookie that your own front-end code must read, such as a cookie preferences setting, cannot be HttpOnly.
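The following is an added example, not code from the Service Manual or from any GDS project. It builds a Set-Cookie header scoped to the originating host with the Secure and HttpOnly attributes, and audits Set-Cookie headers for the three problems described above: a Domain attribute wider than the service's own hostname, a missing Secure attribute, and a missing HttpOnly attribute. The hostname www.servicename.service.gov.uk is the page's own example; the cookie names, values and the SameSite=Lax setting are assumptions added here.

```python
"""Build and audit Set-Cookie headers for a service on its own hostname.

Added example: uses only the Python standard library. SERVICE_HOST is the
hostname the page uses as its example; cookie names and values are made up.
"""
from http.cookies import SimpleCookie

SERVICE_HOST = "www.servicename.service.gov.uk"  # the page's example hostname (assumed)


def build_set_cookie(name, value, *, http_only=True, max_age=None, same_site="Lax"):
    """Return a Set-Cookie header value scoped to the originating host.

    No Domain attribute is set, so the browser treats the cookie as host-only:
    it is sent back to SERVICE_HOST and nothing else, not to sibling
    *.service.gov.uk services and not to www.gov.uk.
    SameSite=Lax is an addition beyond the page's guidance (assumed default).
    """
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True          # only returned over HTTPS
    morsel["path"] = "/"
    morsel["samesite"] = same_site
    if http_only:
        morsel["httponly"] = True    # invisible to document.cookie
    if max_age is not None:
        morsel["max-age"] = max_age  # keep lifetime as short as necessary
    return morsel.OutputString()


def audit_set_cookie(header, service_host=SERVICE_HOST, needs_js_access=False):
    """Return a list of problems found in one Set-Cookie header value.

    needs_js_access=True marks a cookie that front-end code must read
    (for example a cookie preferences cookie), for which HttpOnly is not
    appropriate and its absence is not reported.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:           # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    problems = []
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != service_host.lower():
        problems.append(
            f"Domain={attrs['domain']} is wider than the originating host {service_host}"
        )
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs and not needs_js_access:
        problems.append("missing HttpOnly")
    return problems


if __name__ == "__main__":
    # Constructed headers: one built correctly, one scoped to the parent domain.
    good = build_set_cookie("session_id", "abc123", max_age=3600)
    leaky = "session_id=abc123; Domain=.service.gov.uk; Path=/"
    for h in (good, leaky):
        print(h)
        print("  problems:", audit_set_cookie(h) or "none")
```

Run the file directly to see the two constructed headers and their audit results; the host-only cookie passes, while the header with Domain=.service.gov.uk is flagged three times. The audit only parses attributes, so it can be pointed at headers captured from a real response in the same way.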
You might find the guidance on choosing digital analytics tools useful.
Updated guidance on how and when to get users' consent to set cookies.
Guidance first published