Managing custom cookies

Introduction

The Mosaic platform uses the CivicUK Cookie Control module, which allows users to choose what type of cookies they want to enable when browsing your site.  

Your Cookies page (at /cookies) is pre-populated with details of all platform-level cookies; these are cookies which are set by Mosaic and are essential for the running of the platform. You do not need to register them, and you should not delete the information about them. 

Platform-level Mosaic cookies are categorised as one of the following: 'Essential', 'Analytical', 'Functional', or 'Other'. Each of the three non-essential categories will only be enabled if a user consents to that category via the Cookie Control popup. (The ‘Essential’ category will always be enabled.) 

 If you set custom cookies on your own site (as a result of embedding third-party apps or services) then these also need to be managed through the Cookie Control module so users can accept or reject them according to their category; the Site Owner or a Site Administrator will need to register these cookies with us.  

Important: compliance and responsibility

Mosaic Site Owners must register any additional cookies that their site sets, and once registered they must add details of them to the site’s Cookies page. Any cookies not added via our Cookie Management process will be in breach of cookie compliance. 

Mosaic takes measures to make the platform and its functionality as compliant as possible, but there are limits to the control that Mosaic can exercise over third-party cookies, and the Site Owner ultimately has responsibility for compliance with cookie legislation. 

 

How do I know if my site is setting cookies?  

Your site will only be setting additional custom cookies if you have added custom scripts, or embedded third-party content in iframes. If you are not sure whether your embedded content is setting cookies, you can check this in your web browser. Please note: the methods described below will identify what cookies are in place on the page you are viewing, not the entire site.  

Chrome: 

  1. In an ‘Incognito’ tab, navigate to your intended inspection page 
  2. Right click anywhere on the page (e.g. the header logo) 
  3. Click “Inspect” 
  4. In the “DevTools” window/section that appears, navigate to the “Application” tab. This may be collapsed under the “>>” icon if the window is small enough. 
  5. In the side-panel, under Storage, expand the “Cookies” accordion and click on the domain for your site. 

Edge: 

  1. In an ‘InPrivate’ tab, navigate to your intended inspection page 
  2. Right click anywhere on the page (e.g. the header logo) 
  3. Click “Inspect” 
  4. In the “DevTools” window/section that appears, navigate to the “Application” tab. This may be collapsed under the “+” icon if the window is small enough. 
  5. In the side-panel, under Storage, expand the “Cookies” accordion and click on the domain for your site. 

Firefox: 

  1. In a ‘Private’ tab, navigate to your intended inspection page 
  2. Right click anywhere on the page (e.g. the header logo) 
  3. Click “Inspect” 
  4. In the “DevTools” window/section that appears, navigate to the “Storage” tab. This may be collapsed under the “>>” icon if the window is small enough. 
  5. In the side-panel, under Storage, expand the “Cookies” accordion and click on the domain for your site. 

In each case you will be shown a table containing data on all cookies currently set on the page you are viewing. These cookies may be set by other domains (e.g. .ox.ac.uk) but are still present on this page. 

The value in the “Name” column is what you need to supply in the “Cookie name” field when registering a custom cookie. 

Acceptance/rejection code 

When registering a cookie for your Mosaic site, you are asked to provide the Acceptance code and Rejection code for the cookie. These are the snippets of code which will run when a user either accepts or rejects the category that your cookie belongs to (either Functional or Analytical). 

Acceptance code 

We need to know this so we can reliably set the cookie when the user accepts the relevant category. This can either happen on the initial page load, or after previously rejecting the category. Without this code, Mosaic cannot reliably set the cookie, which may affect the functionality of your content. 

Rejection code 

We need to know this so we can reliably remove the cookie when a user rejects the category. This is a compliance requirement. If the Rejection code is not provided, Mosaic will attempt to remove the rejected cookies, but this is on a “best effort” basis with no guarantees of compliance with cookie legislation. 

If the Acceptance and/or Rejection codes cannot be provided, the Mosaic team will not add your cookie to your site, as doing so would be a breach of cookie legislation. If you set your cookies in any way other than via the Mosaic team, these cookies will be in breach of cookie legislation, and the cookie management tools will do the following: 

  • Assign any unknown cookies to the “Other” category 
  • Disable the “Other” category by default 
  • Delete all cookies within the “Other” category 

If a site visitor accepts the “Other” category, the cookies will be reset to their original values at the time of deletion, but not via the actual cookie acceptance code (as it won’t be recorded anywhere). 

YouTube: guidelines 

If you embed a video via an iframe or as a video background in a Banner widget, a number of cookies are set automatically by YouTube. YouTube does not offer a way of controlling these cookies, making them incompatible with modern cookie consent compliance legislation, and with the Mosaic implementation of cookie control.  

There are 2 parts to the cookies set by YouTube: 

  1. Cookies set by visiting the YouTube domain (even via an embed of a video) 
  2. Cookies set by playing a YouTube video (these are set as soon as the video begins playing) 

When embedding a video, it is possible to avoid YouTube’s cookies by using https://www.YouTube-nocookie.com/ as the domain. This means that if a user loads a page with an embedded YouTube video, and the video does not play, Cookie consent compliance has been achieved. The moment a YouTube video plays, cookies are set; this is only compliant if the user has already accepted Analytics cookies. 

Registering a custom cookie  

This must be done by the Site Owner or a Site Administrator.

  1. Submit a Service Request to the Mosaic team (Site Settings > Cookies > Request Cookie change) giving details of your cookies. You’ll need to provide the following information for each custom cookie:  
    1. Cookie name (required). This is the coded cookie name (if known) which will be activated/deactivated. Providing the name of the third-party service is also fine if the coded name isn't known.  
    2. Cookie acceptance code. This will activate and set the cookie when the relevant category has been accepted.  
    3. Cookie rejection code. This will deactivate/remove the cookie when the relevant category has been declined.  
    4. Description of the cookie (required). This is to allow the Mosaic team to understand the need for the cookie, and will help us add the cookie if some information is missing. It will also allow us to categorise the cookie, so that it is correctly toggled on or off to reflect the end-user's consent for that category.  
    5. URL of the cookie provider (required). This is to help the Mosaic team add cookies if some information is missing.  
  2. Check that the requested change has been completed correctly. You will be notified when your cookie has been added; it will then be visible in the Site Settings > Cookies tab, where the cookie name, acceptance and rejection code will all be visible in read-only fields for you to check. Please note: for the Cookie acceptance/rejection code, an automatic process will check that the code is well-formed and will not cause errors once added to a page. However, it will not check that the code works functionally as intended, so you are advised to check this.  

We will run a clean-up script to identify any cookies which are not in the Cookie Management area and add them to the “Other” category, but if your site sets cookies outside our Cookie Management process you will still be in breach of cookie compliance, even once these are added to the “Other” category, regardless of whether they work, as they will have been set without the consent of the user.