Earlier this year I reviewed cookie compliance on our public website, prompted by an audit of the council by the ICO (Information Commissioner’s Office). I was asked to review our approach to cookies on the website and our compliance with Privacy and Electronic Communications Regulations (PECR). I discovered that whilst we met most of the requirements, we fell short of full compliance. This came as a bit of a surprise and it spurred me into changing our approach promptly and in advance of the ICO audit.
You can find a lot of useful guidance on cookie compliance on the ICO website https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar-technologies/
The basic rules are that you must:
- tell people the cookies are there
- explain what the cookies are doing and why and
- get the person’s consent to store a cookie on their device
What counts as cookie consent?
Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should have the means to enable or disable non-essential cookies, and you should make this easy to do.
It was on this last requirement that I tripped up on. We promoted cookies as a banner on our homepage, provided information about them, but simply invited users to consent by selecting an option to continue to use the website. We needed to go further and provide users with the means to enable or disable non-essential cookies and to make it easy to do.
So that is what I did. I commissioned some work from Microserve, our Drupal development agency, to research what we needed to do to implement a fully compliant cookie service. They reviewed a range of free and paid for cookie compliance modules and services and found nothing that quite fitted our needs or budget. In the end Microserve decided to develop a module themselves and I helped to scope the requirements and to carry out testing.
Microserve also developed a simple user interface (see screenshot below). The new cookie module went live on our website in June and so far it appears to be working well. Some accessibility issues were identified with the user interface but these were promptly fixed. The new module successfully prevents any cookies being added until the user has had the opportunity to review the options and choose what cookies to accept or not.
Cookie compliance and Localgov Drupal
Bracknell Forest Council are part of a MHCLG funded project to develop a Localgov Drupal distribution. The aim of this project is to provide an open source baseline to help UK councils set up public facing publishing platforms, with less cost and less time, in Drupal 8 or 9. Any developments made by participating councils will be freely shared with others. We are planning to redevelop our public website using the Localgov Drupal distribution and I have already agreed to share back our work on cookie compliance once it has been moved to Drupal 8 or 9. Some additional work will be needed for this to happen. Councils who come on board will then be able to use our cookie compliance module if they want to.
Cookie compliance and councils
Whilst reviewing cookie compliance I looked into what other councils are doing to try to find some best practice. I found a few good examples, but in general the experience I found wasn’t that great. I am therefore planning to do some wider personal research into cookie compliance on council websites and will share what I find when it is completed. I hope that this will help to draw attention to cookie compliance and encourage colleagues across local government to review their approach and make improvements where needed.