Turkey: Guidelines on cookies applications - What you need to know
What is the definition of cookies?
In the Guidelines, the KVKK defines a cookie as a 'text file placed on the user's device by the website operators and is transferred as part of the HTTP (Hyper Text Transfer Protocol) query', similar to the definition of the European Commission. An alternative definition of cookies set out in the Guidelines is 'small sized rich text formats, which allow certain information about users to be stored on terminal devices when a web page is visited', similar to the definition by the French data protection authority ('CNIL').
What are the principles for processing through cookies?
The Guidelines divide cookies into three subsections based on their:
- duration of use (session cookies and persistent cookies);
- purpose (strictly necessary cookies, functional cookies, performance/analytic cookies, and ad/marketing cookies); and
- parties (first party cookies and third-party cookies).
Legal basis for processing personal data through cookies
The Guidelines do not go into detail regarding the legal bases for processing data other than explicit consent, and set out basic principles and examples in line with relevant EU practice. Principles and examples relating to legitimate interest (Article 5(f) of the Law) and execution or performance of a contract (Article 5(c) of the Law) as examples of legal bases other than explicit consent are briefly set out in the Guidelines.
Further, the KVKK adopts certain criteria to determine the requirement to obtain consent. The criteria adopted by the KVKK for exemption from informed consent practice are in line with EU practice, allowing an exemption:
- for the sole purpose of carrying out the transmission of a communication over an electronic communications network ('Criterion A'); and/or
- where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user ('Criterion B').
Due to partial compliance with Article 51(3) of Law No. 5809 of 2008 on the Electronic Communication Law ('the E-Communication Law') and Article 5 of the EU's Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), the KVKK assesses that the E-Communication Law may be partially applicable in terms of data controller operators with respect to cookies. In terms of information society services which are not regulated by the E-Communication Law, the Law may apply to the processing of personal data through cookies.
In this respect, the KVKK provides in the Guidelines that certain cookies are exempt from the requirement to obtain explicit consent, such as use input cookies, authentication cookies (based on their purpose), cookies used for security, and first-party analytics (if they are used for the operation and daily management of a website).
On the contrary, social media plug-in and tracking cookies and third-party advertising cookies are set out in the Guidelines as types of cookies that must be used based on explicit consent. Data subjects should be provided with the right to withdraw their consent, and a cookie management panel must be made available for this purpose.
Cookie management panels
In order to provide data subjects the right to manage their consent, a cookie management panel must be displayed with the 'accept', 'reject', and 'preferences' buttons. These buttons must be in the same format in terms of colour, size, and font on the panel; therefore, formatting that would induce the data subject to give consent is prohibited. The KVKK also set out during its Wednesday Seminar, on 6 October 2021, that the common practice of displaying 'accept' buttons in different sizes or colours is defined as 'nudging', with such practice being unlawful.
Cookie walls are not regarded as an appropriate cookie practice in the Guidelines, although the wording does not suggest a strict prohibition. To that end, it is understood that the KVKK will evaluate the lawfulness of cookie wall practices on a case-by-case basis.
Cookie lifespan and retention periods
Moreover, cookie pop-ups and complex data processing policies may lead users to make quick and unconscious choices about the processing of their personal data. It is important that cookie consent is 'meaningful' and gives users control over their data.
İlay Yılmaz Partner
Can Sözer Senior Associate
Aybüke Gündel Solak Senior Associate
Berfu Öztoprak Associate
Esin Attorney Partnership, Istanbul
1. Available at: https://kvkk.gov.tr/Icerik/7353/Cerez-Uygulamalari-Hakkinda-Rehber (only available in Turkish)