Earlier this year I reviewed cookie consent on our public website. This was in advance of an audit of the council by the ICO (Information Commissioner’s Office). I discovered that whilst we met most of the requirements, we fell short of full compliance. This came as a bit of a surprise and it spurred me into changing our approach in advance of the ICO audit. I wrote about what I did next on our Digital Services team blog.
I also checked what other councils were doing to try to find some best practice. I found a few good examples, but in general the experience I found wasn’t that great. So I decided to do some wider personal research into cookie consent on council websites.
The background to cookie consent
The Cookie Law started as an EU Directive adopted by all EU countries in May 2011. It gave individuals rights to refuse the use of cookies that reduce their online privacy. Each country then updated its own laws to comply. In the UK the Privacy and Electronic Communications Regulations were updated.
The initial guidance around cookie consent was rather vague and confusing. As a result, websites met compliance requirements but often failed to safeguard privacy.
Cookie guidelines have changed
The good news is that the guidance around cookie compliance is now less ambiguous. The Information Commissioner’s Office (ICO) has published guidelines on how website owners must comply. The key elements of the guidance are that website owners need to:
- Tell people the cookies are there
- Explain what the cookies are doing and why
- Get a user’s consent to store a cookie on their device
- Make sure users have the means to enable or disable non-essential cookies and make this easy to do
It is the last guideline that is the real game changer with regard to cookie consent. Website owners now have to provide functionality to enable or disable non-essential cookies. Non-essential cookies have to be withheld on a website before a user has made a choice on whether to accept them.
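One way to check that requirement during a cookie audit, as an added example that is not part of the original post: compare the cookies a site sets before any choice and after a rejection against the cookies the policy lists as essential. The `ESSENTIAL` allowlist, the consent state names and the sample headers are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Assumption: names the site's own cookie policy lists as strictly necessary.
ESSENTIAL = ["session_id", "cookie_consent", "csrf_*"]

# Constructed sample: Set-Cookie headers captured in each consent state.
CAPTURES = {
    "no_choice": [
        "session_id=abc123; Path=/; HttpOnly; Secure",
        "_ga=GA1.2.1111.2222; Max-Age=63072000; Path=/",
    ],
    "rejected": [
        "session_id=abc123; Path=/; HttpOnly; Secure",
        "cookie_consent=rejected; Max-Age=31536000; Path=/",
    ],
    "accepted": [
        "cookie_consent=accepted; Max-Age=31536000; Path=/",
        "_ga=GA1.2.1111.2222; Max-Age=63072000; Path=/",
    ],
}


def cookie_names(set_cookie_headers):
    """Return the cookie name from each raw Set-Cookie header value."""
    names = []
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0]  # name=value precedes the attributes
        if "=" in pair:
            names.append(pair.split("=", 1)[0].strip())
    return names


def non_essential(names, essential=ESSENTIAL):
    """Names that match no essential pattern (cookie names are case-sensitive)."""
    return sorted({n for n in names
                   if not any(fnmatchcase(n, p) for p in essential)})


def audit(captures, essential=ESSENTIAL):
    """Map each state where non-essential cookies must be absent to offenders."""
    findings = {}
    for state in ("no_choice", "rejected"):
        extra = non_essential(cookie_names(captures.get(state, [])), essential)
        if extra:
            findings[state] = extra
    return findings


if __name__ == "__main__":
    print(audit(CAPTURES))
```

Cookies written by JavaScript never appear in `Set-Cookie` headers, so names read from `document.cookie` in a browser session should be passed through `non_essential()` as well.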
Privacy matters
Website owners also need to consider the user experience of cookie consent. They need to review the approach taken and add information written in plain English.
Reviewing cookie consent across local government
I reviewed cookie consent by checking every council website in the UK (408). I wanted to find best practice and review cookie consent across the sector. Here are the headline figures:
| Cookie guidance | Number of councils meeting the guidance | Overall percentage |
| --- | --- | --- |
| Tell people the cookies are there | 405 | 99.26% |
| Explain what the cookies are doing and why | 400 | 98.04% |
| Get the person’s consent to store a cookie on their device | 307 | 75.24% |
| Make sure users have the means to enable or disable non-essential cookies and make this easy to do | 146 | 35.78% |

| Cookie guidance score (0-4) | Number of councils | Overall percentage |
| --- | --- | --- |
| 0 | 3 | <1% |
| 1 | 4 | <1% |
| 2 | 95 | 23.34% |
| 3 | 162 | 39.70% |
| 4 | 144 | 35.88% |
User experience is the main thing that concerned me about cookie consent. The user experience of cookie consent is variable and needs attention. On many websites the cookie policy is not referenced from the cookie banner and users have to search for it. Information about cookies should all be in one place to help users to make an informed decision.
Other user experience issues that I found included:
- referencing the cookie policy from the cookie banner, but not linking to it
- the cookie banner taking too long to load, often because other popups were also loading
- poor colour contrast on cookie links on cookie banners, making them difficult to read
- adding cookie details in a PDF rather than listing them on a page
- providing insufficient detail about the cookies used on the website
Cookie compliance tips
To conclude, here are my top ten cookie consent tips:
- revisit cookie compliance on your website – privacy matters
- periodically carry out a cookie audit and update your cookie policy
- read the advice from the ICO and check to see if your website meets PECR guidelines
- consider the user experience and make it easy for users
- consider ways to improve the prominence of cookie information
- test that cookie consent enables users to disable and enable cookies
- review the accessibility of your cookie compliance module
- banners need to be prominent and easy to read
- do not block access until a user accepts cookies
- do not emphasize accepting over rejecting cookies as this is a non-compliant approach.
I am happy to share individual results with local authorities. If this is of interest please contact me. I will aim to review cookie compliance in local government in a year’s time to find out what progress has been made.