A review of cookie consent on council websites

Earlier this year I reviewed cookie consent on our public website. This was in advance of an audit of the council by the ICO (Information Commissioner’s Office). I discovered that whilst we met most of the requirements, we fell short of full compliance. This came as a bit of a surprise and it spurred me into changing our approach in advance of the ICO audit. I wrote about what I did next on our Digital Services team blog.

I also checked what other councils were doing to try to find some best practice. I found a few good examples, but in general the experience I found wasn’t that great. So I decided to do some wider personal research into cookie consent on council websites.   

The background to cookie consent

The Cookie Law started as an EU Directive adopted by all EU countries in May 2011. It gave individuals rights to refuse the use of cookies that reduce their online privacy. Each country then updated its own laws to comply. In the UK the Privacy and Electronic Communications Regulations were updated.

The initial guidance around cookie consent was rather vague and confusing. As a result websites met compliance but often failed to safeguard privacy.

In most cases websites added some JavaScript to display a banner when a page is first loaded. The banner would encourage users to continue and accept the cookies on the site. Websites encouraged users to sort out cookies by changing their browser settings. Unfortunately, the average user didn’t have the knowledge, inclination or the time to do this. As a result, most users accepted cookies to continue to use the website.

Cookie guidelines have changed

The good news is that the guidance around cookie compliance is now less ambiguous. The Information Commissioners Office (ICO) has published guidelines on how website owners must comply. The key elements of the guidance are that website owners need to:

  1. Tell people the cookies are there
  2. Explain what the cookies are doing and why
  3. Get a user’s consent to store a cookie on their device
  4. Make sure users have the means to enable or disable non-essential cookies and make this easy to do

It is the latter guideline that is the real game changer with regards to cookie consent. Website owners now have to provide functionality to enable or disable non-essential cookies. Non-essential cookies have to be withheld on a website before a user has made a choice on whether to accept them.

Privacy matters

The changes outlined above should help to improve the privacy of users online. But, this won’t happen overnight and it needs website owners to take some action. Website owners owe it to their users to review and improve their approach to cookie consent. The ICO provides extensive guidance and it should form the starting point of any review.

Website owners also need to consider the user experience of cookie consent. They need to review the approach taken and add information written in plain English.

Reviewing cookie consent across local government

I reviewed cookie consent by checking every council website in the UK (408).  I wanted to find best practice and review cookie consent across the sector. Here are the headline figures:

Cookie guidance Number of councils meeting the guidance
Overall percentage
Tell people the cookies are there 405 99.26%
Explain what the cookies are doing and why 400 98.04%
Get the person’s consent to store a cookie on their device 307 75.24%
Make sure users have the means to enable or disable non-essential cookies and make this easy to do 146 35.78%
Cookie guidance score (0-4) Number of councils Overall percentage
0 3 <1%
1 4 <1%
2 95 23.34%
3 162 39.70%
4 144 35.88%
My research reveals that around a third of councils are compliant. The rest have some work to do to review and improve cookie consent. I suspect that councils may not have revisited cookie consent since the guidelines changed.

User experience is the main thing that concerned me about cookie consent. The user experience of cookie consent is variable and needs attention. On many websites the cookie policy is not referenced from the cookie banner and users have to search for it. Information about cookies should all be in one place to help users to make an informed decision.

Other user experience issues that I found included:
  • referencing the cookie policy from the cookie banner, but not linking to it
  • the cookie banner taking too long to load, often because other popups were also loading
  • poor colour contrast on cookie links on cookie banners, making them difficult to read
  • adding cookie details in a PDF rather than listing them on a page
  • providing insufficient detail about the cookies used on the website

Cookie compliance tips

 

To conclude here are my top ten cookie consent tips:

I am happy to share individual results with local authorities. If this is of interest please contact me. I will aim to review cookie compliance in local government in a year’s time to find out what progress has been made.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.