Working with cookies and similar technologies

Cookies are small data files that a website sends to a user’s computer. They’re used to store information about how users browse a website.

This guidance is about how to use cookies, but you should also follow it when using any other technologies that store information on a user’s device, like HTML5 local storage.

How to use cookies

Keep use of cookies to a minimum, and be transparent about the ones you do use. You must:

  • use as few cookies as possible, and stop setting any cookies that aren’t needed anymore
  • store the smallest amount of information that you need, for as short a time as necessary
  • publish a cookie policy telling users about the cookies you’re using
  • get users’ consent before you set any cookies that aren’t essential to providing the service

You must publish a cookie policy by the time your service goes into public beta.

The policy must be written in plain English and it must explain:

  • the cookies you use on your service
  • what the cookies do
  • how long you store different types of cookies
  • how users can remove cookies and stop cookies being set on their device

You can use the GOV.UK cookie policy as an example, but you must create a version that’s specific to the cookies your service uses. Don’t link to the main GOV.UK cookies policy.

Link to your cookie policy from:

  • the footer of your website or service
  • a cookie banner

Don’t bury your cookie policy in a ‘terms and conditions’ page.

Have an agreed process for updating the cookie policy when you add or remove a cookie. Make sure your development team knows what the process is.

You must get the user’s explicit consent before setting any cookies - except for cookies that are strictly necessary for delivering the service.

The Information Commissioner’s Office (ICO) has guidance on what types of cookie are likely to be considered ‘strictly necessary’. For example, load balancing cookies are likely to be strictly necessary - but cookies that collect analytics data aren’t.

What service teams should do

We recommend that service teams talk to the privacy expert within their own department about what actions they need to take to meet standards for cookie consent.

To help users understand that the cookies you’re talking about are different from the ones set by the main GOV.UK platform, use the service name in the cookie banner.

For example: ‘We use cookies to collect information about how you use the register to vote service. We use this information to make the service work as well as possible’.

For the main GOV.UK platform, GDS has:

GOV.UK is designed to look like one website. But really it’s made up of the main GOV.UK platform and lots of transactional services, typically hosted on .service.gov.uk subdomains.

At the moment, services hosted on .service.gov.uk subdomains set their own cookies, independent from the main GOV.UK domain.

A typical visit to GOV.UK might begin on a ‘start page’ hosted on the main GOV.UK domain, then move into a service hosted on a .service.gov.uk subdomain. This means a user can be asked to consent to cookies multiple times.

The Government Digital Service (GDS) is planning a discovery in early 2020 to look at whether it’s possible to develop a solution that ‘remembers’ a user’s consent settings across different domains and subdomains. We’ll publish updates on the Technology in government blog.

Where to apply cookies

Cookies must only apply to your originating domain name. For example, scope them to www.servicename.service.gov.uk, not to .gov.uk.

Don’t use cookies on domains that host only static assets like images or JavaScript - they slow response times for users without providing any benefit.

You should only send cookies with the Secure attribute and, when appropriate, the HttpOnly attribute. These flags provide additional assurances about how browsers should handle cookies.
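
One way to check a service's responses against the domain scoping and attribute rules above is to audit each Set-Cookie header it sends. This is an added example, not code from GOV.UK or GDS; the finding codes, the script_readable allowlist, the cookie names and the sample headers are assumptions made for illustration.

```python
# Added example: audit Set-Cookie header values for domain scope, Secure and HttpOnly.
# The host name, cookie names and header values below are constructed sample data.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {attribute: value}); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_set_cookie(header, origin_host, script_readable=frozenset()):
    """Return a sorted list of finding codes for one Set-Cookie header value.

    script_readable (hypothetical allowlist): names of cookies that page
    JavaScript has to read, so HttpOnly is not expected on them.
    """
    name, attrs = parse_set_cookie(header)
    findings = []
    domain = attrs.get("domain", "").lstrip(".").lower()
    # No Domain attribute (or an empty one) gives a host-only cookie, the narrowest scope.
    if domain and domain != origin_host.lower():
        findings.append("domain-not-origin")
    if "secure" not in attrs:
        findings.append("missing-secure")
    if "httponly" not in attrs and name not in script_readable:
        findings.append("missing-httponly")
    return sorted(findings)


ORIGIN = "www.servicename.service.gov.uk"
SAMPLE_HEADERS = [  # constructed examples
    "session=abc123; Path=/; Secure; HttpOnly",
    "session=abc123; Domain=.gov.uk; Path=/",
    "cookie_prefs=analytics-off; Path=/; Secure; Max-Age=31536000",
]

def audit_all(headers=SAMPLE_HEADERS, origin=ORIGIN):
    """Audit every sample header; cookie_prefs is treated as script-readable."""
    return {h: audit_set_cookie(h, origin, script_readable={"cookie_prefs"}) for h in headers}

if __name__ == "__main__":
    for header, findings in audit_all().items():
        print("FAIL" if findings else "OK  ", header, findings)
```

The same function can be run over headers captured from a staging environment as part of a release check, with the allowlist kept in step with the published cookie policy.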

You might find the guidance on choosing digital analytics tools useful.

Last update:

Updated guidance on how and when to get users' consent to set cookies.

  1. Guidance first published