Bottom of the class: UK universities failing on cookies

Universities and higher education institutions stand accused of a widespread failure to comply with the laws covering online tracking via cookies, amid claims they are putting both the data of students and website visitors at risk.

According to a new study by digital agency 7Dots, based on a detailed analysis of 335 websites operated by UK universities and higher education colleges, 81% are in breach of UK GDPR over cookie consent.

The research, conducted using a custom cookie compliance testing tool developed by 7Dots, reveals low (32%) implementation rate of consent management platforms, which are a crucial component for GDPR adherence.

The prevalence of Google Analytics on 82% of non-compliant sites and the use of paid social platforms with embedded tracking mechanisms were identified as significant contributors to lack of compliance.

Alongside Google Analytics, other well known storage vendors frequently present on non-compliant sites are Facebook, Google, LinkedIn and TikTok, meaning visitor data is being sent to these third-party platforms without their consent.

This could, in turn, result in these visitors being targeted for advertising despite not giving permission, the report claims.

Even among the 109 institutions employing cookie consent management platforms, two-thirds (66%) were found to be inadequately processing website visitors’ data in alignment with GDPR standards. This is likely being caused by web editors hardcoding scripts/assets (eg, YouTube videos) into websites, preventing content security policy restrictions on loading.

7Dots insists that this improper configuration of consent management platforms and tag management platforms means even if users decline cookies, communication between the two is lacking, rendering tracking preferences ineffective as data is still being shared with third parties.

The report follows fresh controversy over the enforcement of advertising cookies. Just 24 hours after being slated for failing to enforce the laws, the Information Commissioner’s Office released a statement claiming it had warned many of the UK’s top websites they face action if they do not make changes, and threatened to name and shame them, too.

7Dots demand generation director Nick Williams said: “The results of our study reflect a concerning pattern of non-compliance within higher education institutions, raising significant questions about the safeguarding of student and other website visitor data.

“The lack of implementation and proper utilisation of GDPR-mandated measures indicates an urgent need for immediate action. The clock is ticking.

“Too many digital experiences are built without thinking about the needs of the end user, creating frustration. Any captivating digital experience needs to start from a place of trust and students today will want to know their data is being protected. This research should serve as a wake-up call for universities to prioritise data protection and compliance.”