The University’s cookie consent approach is changing
The University’s cookie consent approach has been under review and has now changed, shifting to a stricter approach against web analytics’ cookies, specifically those set by the Google Analytics platform. This change has been reflected by the introduction of a new cookie consent overlay and an updated guidance for our web publishing community.
What is changing?
Stop setting web analytics’ cookies by default
The previous approach was allowing Google Analytics cookies to be set by default, treating them as “necessary” based on their importance to the business. This was supported by the way Google’s platform, Universal Analytics, was setting these cookies, taking measures to anonymise each website visitor. Since the shift to the new platform, Google Analytics 4 (GA4), earlier in the year, this stopped being the case. So, we have taken action to stop setting analytics cookies by default, and introduced an explicit ask for website visitors to decide whether they want these to be set or not.
Ask for website visitors’ consent more explicitly
Understanding the importance of having a clear and easy way for our audiences to make informed choices about which data they want to share, we have moved our cookie consent from a 2-step to a 1-step approach. To further support clarity, we have moved from a headaer banner to an overlay which appears in front of the website content. We expect our website visitors to make a choice before accessing website content. This overlay will only appear for those visiting our website for the first time, or after a reasonable period of 1 year, when they will be required to revisit their choices.
Guidance for applying these changes across our web estate has been updated
To inform and empower our University’s web publishing community to understand and proceed in appropriate changes for their websites, we have updated our relevant guidance, and presented in the Web Publishers’ event in November 2023.
UK GDPR compliance guidance for websites – University login required
Global cookie consent guidance – University login required
The new cookie consent overlay
Our new cookie consent overlay follows a single step approach that allows visitors to understand and set their cookie preferences. Website visitors have to interact with the options before they can access the content. The content explains the purpose of cookies, what will be set by default and links to more information about each cookie group. The 2 options allow the website visitor to choose whether analytics data and/or advertising data will be collected or not. The overlay can only “hide” when a choice is made and then saved by clicking on the button at the end of the content. All website visitors will continue to be able to change their choices by clicking in a discreet “change cookie settings” button, appearing in all website pages.
This cookie overlay has been deployed in EdWeb. We are currently focussing to deploy this in websites hosted in EdWeb 2, too.
Why did we need to make this change?
Since its introduction in the University Website, following the introduction of European Union’s General Data Protection Regulation (GDPR) in 2016, our cookie consent banner has enjoyed several updates. EU and UK legislation and regulations, since then, haven’t stayed idle, but evolved. Equally, the understanding and approaches of applying these across the web and digital estates have matured, with time. The University has followed a measured, but constantly informed, approach, and we have taken action when necessary, being respectful to our audiences’ privacy. Our last update to the cookie banner took place in 2020. Since then, the United Kindom has left the European Union, which has had an impact on the regulations we need to comply with.
Evolution of our platforms, tools and strategic approaches has influenced our approach, too. The main triggers were:
- The move of our central University Website from EdWeb to EdWeb 2, which included a move to a cloud hosted environment.
- The shift from Google’s Universal Analytics to Google Analytics 4.
- The development and release of the University’s Web Analytics Strategy.
It’s every website owner’s responsibility
There are significant risks associated with data privacy regulations compliance. The Information Commissioner’s Office (ICO), which is responsible for enforcing data protection regulations in the UK, can take action which may include fines of up to higher of £17.5million or 4% of annuyal global turnover. Even though we have a highly devolved web estate governance, which has resulted in more than 1,500 websites, each with their separate ownership, the ICO treats the University as a single entity. Any potential breach of the regulations, anywhere in our web estate, could result in the most severe course of action by the ICO.
All content published using the central University Website service (EdWeb or EdWeb 2) is covered by the published privacy notice. Each owner of websites using another platform or service must take appropriate action, based on the published guidance, reflecting on their individual set up.
Our team will continue to follow a careful and informed approach, and ensure the University’s centrally provided platforms, and web publishing community are on top of further changes.
It would be wrong to think that this current approach will stay the same for ever. Privacy laws, along with accessibility, are not totally clear cut issues. Privacy legislation is not the same as road traffic speeding laws where you can get points on your licence for doing 34mph in a 30mph zone. There are many more complexities and grey areas.
Bruce Darby, “EdWeb cookie banner is changing” blog post, February 2020
EdWeb cookie banner is changing – Blog post by Bruce Darby