Our normal and subscriber login pages are now entirely cookie-free on first hit, and only set session cookies if you actually log in.
The subscriber portal no longer asks for cookie consent as no non-essential, non-session cookies are set at all, and access is not subject to our T&Cs as it’s a statutory requirement.
We’ve tightened our Content Security Policy headers even further, gaining us an excellent set of results on this privacy checker.
Our strict-origin-when-cross-origin referrer policy means only our domain is passed in referrer headers, and then only to secure pages; it’s important that the full referrer URL is not leaked. In the event that a public page we host contains personal data – such as on personalised web versions which rely on unguessable URLs – outbound links must not point directly back to the page via the referrer header. This is why we don’t use such pages by default, and have always used a referrer policy that does not leak the full URL.
Privacy notices that mention Do Not Track now show whether the current browser has that option set.
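The strict-origin-when-cross-origin behaviour described above can be checked with a small model of what a browser puts in the Referer header. This is an added example, not our production code; the URLs are constructed placeholders, the function names are hypothetical, and "secure" is simplified to mean https: only.

```javascript
// Added example: models the Referer header value sent under
// Referrer-Policy: strict-origin-when-cross-origin.
// Simplification (assumption): "secure" is treated as https: only.

function refererFor(pageUrl, linkUrl) {
  const from = new URL(pageUrl);
  const to = new URL(linkUrl);

  // Same origin: the full URL is sent, minus fragment and credentials.
  if (from.origin === to.origin) {
    from.hash = '';
    from.username = '';
    from.password = '';
    return from.href;
  }
  // Secure page linking to an insecure destination: no Referer at all.
  if (from.protocol === 'https:' && to.protocol !== 'https:') {
    return null;
  }
  // Any other cross-origin request: origin only, no path or query.
  return from.origin + '/';
}

// True if the Referer would reveal the path or query of the page.
function leaksPageUrl(pageUrl, linkUrl) {
  const referer = refererFor(pageUrl, linkUrl);
  if (referer === null) return false;
  const sent = new URL(referer);
  const page = new URL(pageUrl);
  return sent.pathname + sent.search === page.pathname + page.search
    && page.pathname + page.search !== '/';
}

// Constructed sample: a personalised web version on an unguessable URL.
const PAGE = 'https://mail.example.com/view/3f9c1e7a5b2d4c80?r=1842';
const LINKS = [
  'https://shop.example.net/offer',       // cross-origin, secure
  'http://legacy.example.org/',           // cross-origin, insecure
  'https://mail.example.com/unsubscribe', // same origin
];
for (const link of LINKS) {
  console.log(link, '->', refererFor(PAGE, link), 'leak:', leaksPageUrl(PAGE, link));
}
```

Only the same-origin link receives the full page URL; third-party destinations see the bare origin or nothing.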