Government Websites Are Not Exempt from Cookie Rules

Public sector organisations sometimes assume that their status as government bodies grants them a special exemption from cookie consent requirements. It does not. The GDPR applies to any organisation that processes personal data of individuals in the EU, and Article 5(3) of the ePrivacy Directive covers all websites regardless of whether they are operated by a private company or a government ministry.

The ICO in the UK, the CNIL in France, and the Dutch Autoriteit Persoonsgegevens have all taken enforcement action against public sector bodies. In the first half of 2025, the ICO enforced against six public sector organisations, with police forces featuring prominently in those figures. The Dutch DPA expanded its focus to municipal websites in early 2026.

Government websites often handle sensitive citizen data, making proper cookie consent even more critical than on a standard commercial site.

Why Public Sector Cookie Compliance Differs from the Private Sector

The legal framework is identical, but the practical considerations diverge. Government websites typically serve captive audiences. A citizen renewing a passport or filing a tax return cannot simply choose a competitor. This creates a power imbalance that regulators take seriously when assessing whether consent is freely given, as required by GDPR Article 7.

The EDPB has been clear that consent must be freely given, and where a significant imbalance of power exists between the data subject and the controller, consent is unlikely to be a valid legal basis for data processing. Public authorities should therefore rely on consent for cookies only where refusing consent carries no negative consequences for the citizen.

This means that cookie walls on government websites are almost certainly unlawful. A citizen cannot be denied access to essential public services because they declined analytics cookies.

Accessibility requirements add another layer. Under the European Accessibility Act and WCAG 2.2 standards, government websites must ensure that cookie banners are fully accessible to users with disabilities, including keyboard navigation, screen reader compatibility, and sufficient colour contrast.

Which Cookies Government Websites Commonly Set

A typical government website sets fewer cookies than a commercial site, but the ones it does set still require proper classification and, in most cases, consent.

| Cookie Type | Examples | Consent Required? | Notes |
|---|---|---|---|
| Strictly necessary | PHPSESSID, authentication tokens, CSRF tokens | No | Must be genuinely essential to deliver the service |
| Analytics | _ga, _ga_*, Matomo cookies | Yes (EU/UK) | Measures site performance and usage patterns |
| Functional | pll_language, accessibility preference cookies | Depends on jurisdiction | Language selectors may qualify as strictly necessary if core to the service |
| Marketing/advertising | _fbp, ad retargeting pixels | Yes | Rare on government sites, but sometimes present via embedded social content |

Many government websites embed third-party content without realising the cookie implications. A YouTube video embed on a council website sets Google tracking cookies unless privacy-enhanced mode is used. Social sharing buttons from Facebook or Twitter set social media cookies the moment the page loads.

Analytics on Government Websites: Consent or Exemption?

The question of whether analytics cookies require consent on government websites has been debated across multiple jurisdictions. Under the current ePrivacy Directive, analytics cookies are not exempt from consent requirements. Article 5(3) only exempts cookies that are strictly necessary for the service explicitly requested by the user.

The CNIL in France introduced a limited exception for audience measurement tools, provided they meet specific criteria: first-party only, no cross-site tracking, aggregated data, and limited retention. The CNIL's own guidance lists Matomo (in a specific configuration) and AT Internet as qualifying tools. Google Analytics does not qualify for this exemption because of its cross-site tracking capabilities.

The UK's Data Use and Access Act, passed in mid-2025, introduced a broader analytics cookie exemption that could benefit public sector websites. Under this framework, analytics cookies that meet certain conditions may no longer require prior consent in the UK.

The EDPB's own website sets an example. Europa Analytics, used across EU institution websites, is configured so that visitor browsing is not tracked by default, and users must actively opt in.

How to Structure Consent on a Government Website

A government cookie banner must follow the same rules as any other. The EDPB Cookie Banner Taskforce report established that if an "accept all" option appears on one layer of the banner, a "reject all" option must appear on the same layer with equal visual prominence. Pre-ticked boxes for non-essential cookies are prohibited.

Government websites should adopt a consent-first approach:

  • Block all non-essential cookies until the visitor makes an active choice
  • Provide a clear "reject all" button with the same visual weight as "accept all"
  • Avoid dark patterns such as colour-biased buttons or hidden reject options
  • Make withdrawal of consent as easy as giving it, via a persistent link or floating icon
  • Ensure the banner meets WCAG 2.2 accessibility standards

Given the power imbalance between government bodies and citizens, legitimate interest is generally not available as a legal basis for placing non-essential cookies on public sector websites. The GDPR recitals specifically note that public authorities should generally not rely on legitimate interest for processing carried out in the performance of their tasks.

Enforcement Risks for Public Sector Bodies

Regulators are no longer treating public sector non-compliance leniently. The ICO launched a dedicated cookies enforcement strategy in January 2025, reviewing the top 1,000 UK websites for compliance. Its first sweep of 200 sites revealed widespread issues, with 134 organisations warned and given approximately 30 days to fix problems.

The UK's Data Use and Access Act raised the maximum fine for PECR breaches from GBP 500,000 to 4% of global annual turnover, matching the GDPR penalty ceiling.

In France, the CNIL sanctioned 21 entities in 2025 specifically for cookie violations, with total cookie-related fines reaching EUR 486 million that year. While the largest fines targeted private companies, the precedent applies equally to public bodies.

Government departments should also consider reputational risk. A public authority found to be non-compliant with privacy rules it may itself administer sends a damaging signal to citizens.

Practical Steps for Public Sector Cookie Compliance

Run a comprehensive cookie audit

Start with an automated scan to identify every cookie and tracker on your website. Many government sites have accumulated third-party scripts over years of development by different teams. A thorough cookie audit often reveals tracking scripts that no one on the current team authorised or even knew existed.

Classify cookies accurately

Do not label analytics cookies as "strictly necessary" simply because they feel important. The test under Article 5(3) is whether the cookie is strictly necessary for the service explicitly requested by the user. Performance measurement does not meet that threshold. Review cookie categories using a clear framework for cookie classification.
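
An added example (not from the original article or from any tool it names) of the audit and classification steps above, which also checks the rule that non-essential cookies stay blocked until the visitor makes an active choice: it takes Set-Cookie headers captured on a first visit, before any banner interaction, classifies each cookie name against the table earlier on this page, and flags what should not have been set yet. The host names, sample capture, function names and verdict labels are assumptions made for illustration, and the `_pk_*` pattern for Matomo's first-party cookies is not in the table.

```javascript
// Added example: audit cookies captured on a first visit, before any banner choice.
const RULES = [
  { pattern: /^PHPSESSID$/, category: "strictly-necessary" },
  { pattern: /^_ga(_.+)?$/, category: "analytics" },       // _ga and _ga_*
  { pattern: /^_pk_(id|ses)\./, category: "analytics" },   // Matomo first-party cookies
  { pattern: /^pll_language$/, category: "functional" },
  { pattern: /^_fbp$/, category: "marketing" },
];

// Extract the cookie name from a Set-Cookie header value.
function cookieName(setCookie) {
  const pair = setCookie.split(";")[0].trim();
  const eq = pair.indexOf("=");
  return eq < 0 ? pair : pair.slice(0, eq);
}

// Names that match no rule are "unclassified": nobody has justified them yet.
const classify = (name) =>
  (RULES.find((r) => r.pattern.test(name)) || { category: "unclassified" }).category;

// True when the responding host is neither the site nor one of its subdomains.
function isThirdParty(siteHost, host) {
  const site = siteHost.toLowerCase().replace(/^www\./, "");
  return host.toLowerCase() !== site && !host.toLowerCase().endsWith("." + site);
}

// observed: [{ host, setCookie }] taken from a browser capture (e.g. a HAR export).
function auditPreConsent(siteHost, observed) {
  return observed.map(({ host, setCookie }) => {
    const name = cookieName(setCookie);
    const category = classify(name);
    const thirdParty = isThirdParty(siteHost, host);
    let verdict = "needs-consent"; // analytics, marketing, or any third-party cookie
    if (!thirdParty && category === "strictly-necessary") verdict = "ok";
    else if (!thirdParty && category !== "analytics" && category !== "marketing") verdict = "review";
    return { name, host, category, thirdParty, verdict };
  });
}

// Constructed capture for a hypothetical council site, council.example.
const SAMPLE = [
  { host: "www.council.example", setCookie: "PHPSESSID=abc123; Path=/; HttpOnly; Secure" },
  { host: "www.council.example", setCookie: "_ga_1A2B3C=GS1.1.1; Path=/; Max-Age=63072000" },
  { host: "www.council.example", setCookie: "pll_language=en; Path=/" },
  { host: "www.council.example", setCookie: "legacy_widget=1; Path=/" },
  { host: "embed.video.example", setCookie: "visitor=xyz; Path=/; Secure; SameSite=None" },
];
console.log(auditPreConsent("www.council.example", SAMPLE).filter((f) => f.verdict !== "ok"));
```

A "review" verdict covers functional cookies, whose consent status depends on jurisdiction, and unrecognised first-party cookies that still need an owner and a category.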

Choose privacy-preserving analytics

Consider switching to privacy-preserving analytics tools that can operate without cookies or with first-party cookies that may qualify for the CNIL exemption. Tools such as Matomo in cookieless mode or Plausible Analytics can provide useful traffic data without requiring consent in certain configurations.

Document everything

Keep records of your cookie audit results, consent mechanism configurations, and the legal basis for each cookie category. If a DPA opens an investigation, having a clear audit trail demonstrates that your organisation takes compliance seriously.

Frequently Asked Questions

Do government websites need a cookie banner?

Yes. GDPR and the ePrivacy Directive apply to all organisations, including public sector bodies. If a government website sets non-essential cookies, it must obtain prior consent through a compliant cookie banner.

Can a government website use Google Analytics without consent?

Under EU rules, Google Analytics requires prior consent because it processes data across sites and shares data with Google. The CNIL has explicitly stated that Google Analytics does not qualify for the limited analytics exemption. Some UK rules may differ following the Data Use and Access Act.

Are cookie walls allowed on public sector websites?

Cookie walls are effectively prohibited on government websites. Because citizens often have no alternative provider for public services, regulators consider that consent given under such conditions is not freely given and therefore not valid under GDPR.

What fines can government bodies face for cookie non-compliance?

Under GDPR, fines can reach EUR 20 million or 4% of annual turnover. In the UK, the Data Use and Access Act raised PECR fines to match the GDPR ceiling at 4% of global turnover. Regulators may also issue reprimands and enforcement notices.

Does legitimate interest apply to analytics cookies on government websites?

Generally not. GDPR Recital 47 notes that public authorities should not rely on legitimate interest for processing carried out in the performance of their tasks. For non-essential cookies, consent remains the required legal basis under the ePrivacy Directive.

How should government websites handle embedded social media content?

Embedded content from platforms like YouTube, Facebook, or Twitter often sets tracking cookies. Government websites should use privacy-enhanced embed modes, load embeds only after consent, or replace them with static links to avoid setting third-party cookies without permission.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
