Cookie consent on GOV.UK
This is technical documentation for the GOV.UK team in the Government Digital Service (GDS).
Overview
GOV.UK sets 4 types of cookies: essential (also called “strictly necessary”); website usage; communications and marketing; settings. These are detailed on the cookie settings page on GOV.UK.
Users can manage their consent via the banner or cookie settings page. “Strictly necessary” cookies cannot be switched off by users as they’re essential to site functionality.
Cookie consent is set to last for 1 year, after which the consent cookie will expire and users will be shown the cookie banner and prompted for consent again.
Cookie consent mechanism
The cookie consent mechanism is made up of 4 main pieces:
- Cookie banner component (see the cookie banner code in govuk_publishing_components)
- Public layout component which pulls in the cookie banner (see the public layout code in govuk_publishing_components)
- Cookie settings page (published as a special route; see the cookie settings page code in frontend)
- Cookie details page (a standard help page, created in Publisher)
When a user first lands on GOV.UK, they are given a default consent cookie that looks like this:
cookies_policy = { "essential": true, "settings": false, "usage": false, "campaigns": false }
This cookies_policy cookie is the key to the GOV.UK cookie consent mechanism. If any of these values read as false, cookies of that type will not be set.
For example, the cookie below will result in Google Analytics tracking being disabled for that user:
cookies_policy = { "essential": true, "settings": true, "usage": false, "campaigns": true }
If the user clicks “Accept cookies” within the cookie banner or changes their cookie settings on the settings page, they get an additional cookie that ensures they don’t see the cookie banner again:
cookies_preferences_set
Users can still change their consent via the cookie settings page.
Special cases
YouTube
Some pages on GOV.UK contain embedded YouTube videos. On these pages, YouTube sets third-party cookies which we are unable to delete.
If a user does not consent to campaign cookies, we swap the embedded video for a link to the video on YouTube. This means that YouTube does not set any third-party cookies because the video is no longer embedded.
No JavaScript
If JavaScript is turned off, the “accept” button is removed from the banner and the cookie settings form is removed. A message is shown instead.
Adding a new cookie
If your cookie is set using JavaScript:
- Decide which category the cookie falls into
- Add the cookie to the list of known cookies
- When reading and setting the cookie, make sure you use the cookie helper functions within govuk_publishing_components, for example:
window.GOVUK.cookie('please set this cookie', 'to this value')
window.GOVUK.cookie('please fetch this cookie')
Regardless of how your cookie is set, you need to update the cookie details page to list the new cookie. A content designer should be able to help with that.
Changing a cookie’s category
If your cookie is set using JavaScript:
- Decide which category the cookie falls into
- Change the category the cookie is associated with, in the list of known cookies
Regardless of how your cookie is set, you need to do the following:
- Update the cookie details page to list the cookie under the correct section. A content designer should be able to help with that.
- Update the category descriptions on the cookie settings page if they are no longer correct
- Reset the banner for all users. Otherwise the consent cookie will stay as the old value reflecting the user’s previous decision, which could change given the new category.
Adding a cookie category
- Add the new cookie category by changing the cookie settings page code
- Add the new cookie category to the cookie details page using Publisher.
- Add the new category to the default consent cookie
- Add the new category to the ‘approve all’ consent cookie function
- Add relevant cookies within the list of known cookies
- Reset the banner for all users. Otherwise the consent cookie will stay as the old value (without the new category) for people who already have the consent cookie, so setting cookies of that new type will fail for those users.
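The consent check described under “Cookie consent mechanism”, and the reason the banner has to be reset when a category is added, as an added example (not the govuk_publishing_components code). The cookie names prefixed `example_`, the `newcategory` category and the functions `readPolicy` and `maySetCookie` are assumptions made for illustration.

```javascript
// Added illustration, not the govuk_publishing_components implementation.
// Constructed stand-in for the "list of known cookies" (cookie name -> category).
const KNOWN_COOKIES = new Map([
  ['cookies_policy', 'essential'],
  ['cookies_preferences_set', 'essential'],
  ['example_usage_cookie', 'usage'],         // hypothetical cookie name
  ['example_campaign_cookie', 'campaigns'],  // hypothetical cookie name
  ['example_new_cookie', 'newcategory']      // hypothetical category added later
]);

// Default consent cookie value, as shown on the page.
const DEFAULT_POLICY = { essential: true, settings: false, usage: false, campaigns: false };

// Parse cookies_policy out of a document.cookie-style string. A missing or
// malformed value falls back to the default, least permissive policy.
// Assumption: the stored value may be URI-encoded, so it is decoded first.
function readPolicy(cookieString) {
  for (const pair of String(cookieString || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1 || pair.slice(0, eq).trim() !== 'cookies_policy') continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(pair.slice(eq + 1).trim()));
      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) return parsed;
    } catch (err) {
      break; // bad encoding or bad JSON: treat as no consent recorded
    }
  }
  return { ...DEFAULT_POLICY };
}

// Fail closed: a cookie missing from the known list, or whose category is not
// exactly `true` in the stored policy, is refused. Essential cookies are always
// allowed (assumption, based on the page saying they cannot be switched off).
function maySetCookie(name, cookieString) {
  const category = KNOWN_COOKIES.get(name);
  if (category === undefined) return false;
  if (category === 'essential') return true;
  return readPolicy(cookieString)[category] === true;
}

// Constructed sample cookie strings.
const USAGE_DENIED = 'cookies_policy={"essential":true,"settings":true,"usage":false,"campaigns":true}';
const OLD_CONSENT = 'cookies_preferences_set=true; cookies_policy=' +
  encodeURIComponent('{"essential":true,"settings":true,"usage":true,"campaigns":true}');

console.log(maySetCookie('example_usage_cookie', USAGE_DENIED));  // usage consent is false
console.log(maySetCookie('example_new_cookie', OLD_CONSENT));     // category absent from old consent
```

The second call is refused even though that user accepted every category that existed when they consented, which is the failure that resetting the banner avoids.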
Removing a cookie category
- Remove the cookie category by changing the cookie settings page code
- Remove the cookie category from the cookie details page using Publisher. Delete its cookies or move them to another relevant category
- Remove the cookie category from the default consent cookie
- Remove the cookie category from the ‘approve all’ consent cookie function
- Remove its cookies from the list of known cookies, or move them to another relevant category