
How we got cookie compliance right (and why it actually matters) feat. a cookie-related reward at the end

With the Christmas holidays fast approaching, it’s time to find the right recipe to bake cookies and sweets and please family and friends. But there’s one kind of cookie that lives all year long, mostly in the devices you use to access the internet, if you give this permission explicitly. At the University of Edinburgh, we have been working to build the most appropriate approach to provide this option to our website visitors, while ensuring we are not compromising on our areas. Here’s the story of how we achieved this, with the Information Commissioner’s Office (ICO) confirming our compliance earlier this year.

And, if you stick to the end, there’s a Greek Christmas cookie recipe, too.

The University Web Estate: It’s complicated

First, a bit of context. When we talk about “the University of Edinburgh website,” we’re not talking about a single, tidy digital presence. We’re talking about an ecosystem. An iceberg, if you will. The numbers are staggering: our web registry lists an average of 1,500 websites, which are managed by more than 1,000 editors, publishing millions of pages, hosted on multiple platforms.

At the tip of that iceberg? The stuff everyone sees, the University homepage, school websites, alumni platforms, which receive millions of visits. But beneath the surface? A vast network of specialised research, project and departmental websites, which serve highly specific audiences who absolutely need that information.

One very important thing to note, though, is that when regulators like the ICO audit the University’s web estate, they don’t see 1,000 website owners making independent decisions. They see one entity. The University of Edinburgh. One door to knock on. That’s why we take web governance seriously. Because when it comes to compliance, we’re all in this together.

The cookie conundrum: finding the sweet spot

Since GDPR landed in 2017, the digital world has been wrestling with a fundamental question: how do we respect user privacy and continue to understand how people use our websites?

For us, that’s not just philosophical, it’s practical. Our marketing teams need web analytics data to know whether their campaigns are working. Are prospective students finding what they need? Is that targeted marketing campaign actually reaching its intended markets? Without data, these questions are impossible to answer.

But we’re also a global university. When someone accesses our website from the European Union (EU), GDPR applies. From California? CCPA matters. From elsewhere? Other regulations might kick in. We can’t realistically adjust our approach country-by-country, so we made a strategic call: comply with the strictest legislation out there, the EU’s GDPR.

The factor of web analytics

The previous iteration of our cookie consent banner was triggered by our move to use GA4 as our Web Analytics platform. Since the cookies that it set required explicit user consent, we needed to adjust our banner to ensure full compliance. The message to our users was crystal clear. When someone visited our website for the first time, they had to make explicit choices right there and then, and only after they’d made their choices could they access the content they came for.

The University’s cookie consent approach is changing – Blog post by Stratos Filalithis, November 2023

The result was full compliance, but at the expense of gathering meaningful web analytics from our users. This wasn’t because our website visitors were leaving the website, even though a subset of them visiting on mobile devices via social media probably did. Most of them were still continuing their journey to our content, but they were now making informed choices (brilliant for our users), and many of those choices were “no thanks to tracking” (less brilliant for our marketing colleagues). Campaigns costing thousands of pounds were running blind. We couldn’t tell what was working, what wasn’t, or where people were coming from and where they were going.

Our marketing community came back to us, understandably frustrated: “How are we supposed to make strategic decisions without data?”

We had to go back to the drawing board.

Striking the balance

We did our homework. We talked to users about their expectations. We researched what other universities and major websites were doing. We worked closely with our marketing community and Data Protection Office to understand what “compliance” really means, not just in legal terms, but in practical, user-friendly terms, and how we can better support the gathering of web analytics.

The result? A simpler approach that respects both user choice and the need for meaningful data.

The updated banner sits quietly at the bottom of the page on your first visit. It doesn’t block your content, and it has just three clear options: Accept, Reject, or Manage Preferences. None of them is emphasised over the others, since we treat users fairly.

And it’s working. Analytics data has recovered because people are making genuinely informed choices, and many are comfortable with reasonable data collection. Those who aren’t can easily decline. Everyone wins.

We launched this approach in April 2025, confident we’d got the balance right.

Enhancing our cookie banner for better user experience – Blog post by Sonia Virdi, April 2025

The ICO Audit: sweaty palms and sweet validation

Then, shortly after we released the new banner, we got an email: “The ICO would like to audit your website.”

Cue the cold sweats and thoughts of that web estate iceberg metaphor. We sat down with our Data Protection Office and Legal team and we prepared our honest, and transparent, response. A couple of weeks later, the verdict arrived:

“The ICO has noted that you have declared that your website and domain is compliant with the scope of the ICO’s current criteria for investigation.”

That made us one of 415 sites (out of the 1,000 top UK websites audited) that were directly compliant. About 500 others eventually got there after some back-and-forth. Twenty-one still aren’t compliant.

ICO action secures increased cookie compliance, giving millions stronger control over their personal information online – ICO News, December 4th, 2025.

For us? It validated all the research, iteration, consultation, and careful balancing we’d done. Our efforts have paid off.

Why this matters beyond compliance

Cookie compliance isn’t just about avoiding regulatory trouble. It’s about building trust.

When we get this right, we’re telling our audiences (prospective and current students, staff, alumni, research partners worldwide) that we respect their choices. We’re transparent about what data we collect and why. We make it easy to opt in or out, and respect their choices. That trust matters, especially for a global institution where our digital presence reaches people in dozens of countries, each with their own privacy expectations and cultural norms around data.

Helpful resources: We’ve done the heavy lifting

If you’re managing a University website (or any website within our ecosystem), we’ve created guidance that works. It’s been ICO-tested. It’s been user-tested. It balances compliance with usability.

UK GDPR compliance guidance for websites – University Wiki [Requires Login]

For those using our centrally supported platform, EdWeb, all of this is automatically deployed. For those on other platforms, please follow this guidance. Because when the ICO comes knocking, they knock on the University’s door, and we need to know that everyone’s doing their bit.

Cookie compliance is just one piece of the puzzle. Over the past month, we’ve soft-launched a new resource covering the broader responsibilities of website owners, from legal requirements like data protection to university guidelines on branding, and best practices for sustainability and content creation.

Web Estate Governance resource – University Sharepoint [Requires Login]

We’re a small team supporting a large, complex, evolving web estate, and we’re actively seeking feedback. We welcome colleagues to browse this content and let us know what works, what doesn’t, and what’s missing. We’re evolving this resource for our community, so your input genuinely shapes what it becomes.

What about the sweet kind of cookies you were promised?

If you made it this far in this blog post, then you deserve the reward that was promised. Christmas in Greece is the time for some traditional baking. One of the favourites is sweet honey cookies, called “melomakarona”. Done right, they have a sweet syrupy cover, topped with walnuts, and a soft taste of orange, honey, cinnamon and cloves. Delicious! Try it and you will come back for more.

Greek Christmas Honey Cookies “Melomakarona” – Recipe by Akis Petretzikis
