Pages

Cookies page
Experimental

This pattern is currently experimental because more research is needed to validate it.

Tell users about the cookies you’re setting on their device and let them accept or reject different types of non-essential cookies.

A screenshot showing an example cookies page, with information about what cookies the site uses.

When to use this pattern

Use a cookies page to tell the user about any cookies your service uses - or any other technologies that work in a similar way and store information on the user’s device. For example, HTML5 local storage or service workers.

How it works

A cookies page helps you to be transparent about the cookies you’re using. The Service Manual has guidance on how and when to use cookies.

Preparing your cookies page

You must publish a cookie page by the time your service goes into public beta. The cookie page must be unique to your service: don’t link to the cookie policy for the main GOV.UK website.

Follow the steps below to create a cookie policy.

  1. Audit your cookies.
  2. Categorise your cookies.
  3. Write your cookie page.

Auditing and categorising your cookies

List all the cookies you’re using in the service. Divide the list into:

  • essential cookies - these are cookies you need to set so the service will work
  • functional cookies - the service will work without them, but the user won’t be able to take advantage of some functionality (for example, remembering the settings they’ve chosen between different visits)
  • analytics cookies - cookies that let you collect analytics data to use within your own organisation
  • any other types of cookie you’re using

Writing your cookies page

Work with your organisation’s privacy expert to write the cookie page.

The cookie policy must be written in plain English and it must explain:

List the cookies individually on the cookie page, under the relevant category. For each cookie, give:

  • the cookie name
  • a brief description of what the cookie does
  • for third party cookies, who is setting the cookie (for example, social media websites may require users to accept their cookies in order to provide their functionality as part of your service)
  • when the cookie will expire

You can see an example on the GOV.UK Notify cookie page.

Don’t bury your cookie policy in a ‘terms and conditions’ page.

Have an agreed process for updating the cookie policy when you add or remove a cookie. Make sure the relevant people on your team know what the process is.

You do not need the user’s consent to set essential or ‘strictly necessary’ cookies. A cookie is ‘strictly necessary’ if the service won’t work without it.

The Information Commissioner’s Office (ICO) has guidance on what types of cookie are likely to be considered ‘strictly necessary’. For example, load balancing cookies are likely to be strictly necessary - but cookies that collect analytics data are not.

You must get the user’s consent before you set any cookies that are not strictly necessary.

You can get the user’s consent:

  • by using a cookie banner
  • by letting the user change and save their settings on the cookie page

Publishing your cookies page

Link to the cookies page from the service footer and from the cookie banner.

Use radios and a button to let users accept or reject non-essential cookies.

Load the page with the radios set to ‘no’ on the user’s first visit. If they’ve previously used the service and set their preferences, load the page with those preferences selected.

Use a green notification banner to confirm that you’ve updated the user’s cookie settings.

If you depend on JavaScript to ask users to accept or reject cookies

If you depend on JavaScript to ask about cookie preferences and the user’s device is not running JavaScript, show them a different version of the cookies page.

Replace the radios with a section of text explaining what the user needs to do in order to change their cookie settings.

<div class="govuk-grid-row">
  <div class="govuk-grid-column-two-thirds">
    <h2 class="govuk-heading-l">Change your cookie settings</h2>
    <p class="govuk-body">We cannot change your cookie settings at the moment because JavaScript is not running in your browser. To fix this, try:</p>
    <ul class="govuk-list govuk-list--bullet">
      <li>turning on JavaScript in your browser settings</li>
      <li>reloading this page</li>
    </ul>
  </div>
</div>
<div class="govuk-grid-row">
  <div class="govuk-grid-column-two-thirds">
    <h2 class="govuk-heading-l">Change your cookie settings</h2>
    <p class="govuk-body">We cannot change your cookie settings at the moment because JavaScript is not running in your browser. To fix this, try:</p>
    <ul class="govuk-list govuk-list--bullet">
      <li>turning on JavaScript in your browser settings</li>
      <li>reloading this page</li>
    </ul>
  </div>
</div>

Update your cookies page when you change the cookies you’re using. Check with your organisation’s privacy expert:

  • how you should classify the new cookie
  • whether you’ll need to ask for new consent from all users (including those who’ve already consented to the cookies you were previously using)

It’s likely you’ll need to ask for new consent if:

  • you start using a type of non-essential cookie you haven’t used before (for example, if you start using functional cookies for the first time)
  • you start using cookies which could be considered intrusive (for example because they collect sensitive information which could be associated with an individual, like health information)
  • you start doing something with the data you’re collecting through cookies which is significantly different to what the user originally consented to

Do not set any new non-essential cookies until the user has given their consent again.

Help improve this page

To help make sure that this page is useful, relevant and up to date, you can:

Need help?

If you’ve got a question about the GOV.UK Design System, contact the team.