DEFRA / design-discussions


Cookies policy and consent #9

Open cathydutton opened 4 years ago

cathydutton commented 4 years ago

What

Help users manage their personal data by telling them when you store cookies on their device.

Why

We must have users' consent to store cookies or similar technologies on their device.

How

cathydutton commented 4 years ago

image

matthewsolle commented 4 years ago

Reference

https://www.gov.uk/service-manual/technology/working-with-cookies-and-similar-technologies

https://docs.publishing.service.gov.uk/manual/cookie-consent-on-govuk.html

https://github.com/alphagov/govuk-design-system-backlog/issues/12

https://github.com/alphagov/govuk-design-system-backlog/issues/13

tomf87 commented 4 years ago

Just so everyone's aware, on the design system call I took part in I heard that GDS have no plans to work on a pattern for cookie banners until after they've looked at a technical solution to share cookies across departmental sites, which could take up to two years from now.

tomf87 commented 4 years ago

Pretty sure pattern 6 would be non-compliant under a stricter interpretation of GDPR, as the button design leads the user towards accepting cookies.

cathydutton commented 4 years ago

> Pretty sure pattern 6 would be non-compliant under a stricter interpretation of GDPR, as the button design leads the user towards accepting cookies.

That's the one Gov.uk blogs are now using

cathydutton commented 4 years ago

This is from the DWP backlog, I think it's a good way of communicating the different flows and messages.

The part I'm unsure about is how users update their preferences. Is it enough to have that option buried in the cookies page?

image

tomf87 commented 4 years ago

> > Pretty sure pattern 6 would be non-compliant under a stricter interpretation of GDPR, as the button design leads the user towards accepting cookies.
>
> That's the one Gov.uk blogs are now using

Yeah I think it depends how you interpret the policy, I'm just mentioning it because where I worked before we decided to avoid using different button styles as we wanted to avoid introducing any bias.

cathydutton commented 4 years ago

> > > Pretty sure pattern 6 would be non-compliant under a stricter interpretation of GDPR, as the button design leads the user towards accepting cookies.
> >
> > That's the one Gov.uk blogs are now using
>
> Yeah I think it depends how you interpret the policy, I'm just mentioning it because where I worked before we decided to avoid using different button styles as we wanted to avoid introducing any bias.

Good point, there's a thread on dark patterns around consent here - https://twitter.com/yahoo_pete/status/1230562192144994307.

I wonder if we need 3 buttons: Accept all, Reject all and Manage preferences?

jOnoNe commented 4 years ago

With the absence of cookie sharing across urls, is there anything we can do to reduce the need for users clicking multiple banners in the same cross-domain journey?

cathydutton commented 4 years ago

Collated examples of current designs from across Gov

cookie-consent

peter-jordan commented 4 years ago

Going back to the comments on the GOV.UK blogs design. A quick and crude comparison of the 'before' and 'after' volume of sessions shows that www.gov.uk is getting around twice as much acceptance of cookies compared to the blogging platform.

So you could argue words as much as button styles.

peter-jordan commented 4 years ago

@cathydutton What URL got you the 'Can I get Legal Aid?'/ Notify banner? I can't replicate it.

cathydutton commented 4 years ago

> With the absence of cookie sharing across urls, is there anything we can do to reduce the need for users clicking multiple banners in the same cross-domain journey?

Is this happening with services using IDM? May be worth asking wider Gov teams to see if anyone else has dealt with this.

cathydutton commented 4 years ago

> @cathydutton What URL got you the 'Can I get Legal Aid?'/ Notify banner? I can't replicate it.

I got it from a Slack thread so not sure how you get to it.

cathydutton commented 4 years ago

@jOnoNe - planned work to look into this at GDS - https://www.gov.uk/service-manual/technology/working-with-cookies-and-similar-technologies#discovery-into-remembering-consent-across-domains-and-subdomains

cathydutton commented 4 years ago
Screen Shot 2020-03-18 at 12 13 17

DVSA example - using two buttons instead of a link for settings

cathydutton commented 4 years ago

flow

MalcolmVonMoJ commented 4 years ago

In Check if you can get Legal Aid, we were using pattern number 3 until recently.

We have now changed to this pattern as an interim whilst research is ongoing, so it might not be our final decision.
image

Our reasoning for choosing this was:

So, we kept the current choices (yes/settings) and only amended the look and feel of the banner for the now. Our brilliant user researcher and exquisite content designer have not put this to bed yet and are continuing to look at all the above points.

However, the moment we made this change (March 6th, 2 weeks ago today), we noticed a significant increase in users accepting cookies. Approximately double. This still only puts us at 40% of pre-GDPR levels in round figures.

Google Analytics details: image

cathydutton commented 4 years ago
Screen Shot 2020-03-25 at 12 45 06

Latest update from Gov.uk

cathydutton commented 4 years ago

Artboard