Background

Processing personal data through cookies is not specifically regulated under the Law on Protection of Personal Data No. 6698 ('the Law'). However, the Turkish Personal Data Protection Authority ('KVKK') has touched upon the topic in certain decisions and recently published its guidelines on cookies applications ('the Guidelines') on 20 June 2022¹, following a public consultation. The Guidelines regulate the protection of personal data within the process of the use of cookies, with evaluations on the requirement to obtain consent and the methods of informing data subjects.

What is the definition of cookies?

In the Guidelines, the KVKK defines a cookie as a 'text file placed on the user's device by the website operators and is transferred as part of the HTTP (Hyper Text Transfer Protocol) query', similar to the definition of the European Commission. An alternative definition of cookies set out in the Guidelines is 'small sized rich text formats, which allow certain information about users to be stored on terminal devices when a web page is visited', similar to the definition by the French data protection authority ('CNIL').

What are the principles for processing through cookies?

The Guidelines divide cookies into three subsections based on their:

• duration of use (session cookies and persistent cookies);
• purpose (strictly necessary cookies, functional cookies, performance/analytic cookies, and ad/marketing cookies); and
• parties (first party cookies and third-party cookies).

The appropriate legal basis for processing personal data through the use of cookies is determined based on the above classifications.

Legal basis for processing personal data through cookies

The Guidelines do not go into detail regarding the legal bases for processing data other than explicit consent, and set out basic principles and examples in line with relevant EU practice. Principles and examples relating to legitimate interest (Article 5(f) of the Law) and execution or performance of a contract (Article 5(c) of the Law) as examples of legal bases other than explicit consent are briefly set out in the Guidelines.

Further, the KVKK adopts certain criteria to determine the requirement to obtain consent. The criteria adopted by the KVKK for exemption from informed consent practice are in line with EU practice, allowing an exemption:

• for the sole purpose of carrying out the transmission of a communication over an electronic communications network ('Criterion A'); and/or
• where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user ('Criterion B').

Criterion A

Due to partial compliance with Article 51(3) of Law No. 5809 of 2008 on the Electronic Communication Law ('the E-Communication Law') and Article 5 of the EU's Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), the KVKK assesses that the E-Communication Law may be partially applicable in terms of data controller operators with respect to cookies. In terms of information society services which are not regulated by the E-Communication Law, the Law may apply to the processing of personal data through cookies.

Criterion B

In the Guidelines, the KVKK sets out that consent is required unless the use of cookies is 'strictly necessary' for the data controller to provide the services requested by the data subject. This is in line with the KVKK's summary decision dated 2020, which imposes penalties on an e-commerce company for not duly obtaining consent for the use of cookies.

In this respect, the KVKK provides in the Guidelines that certain cookies are exempt from the requirement to obtain explicit consent, such as use input cookies, authentication cookies (based on their purpose), cookies used for security, and first-party analytics (if they are used for the operation and daily management of a website).

On the contrary, social media plug-in and tracking cookies and third-party advertising cookies are set out in the Guidelines as types of cookies that must be used based on explicit consent. Data subjects should be provided with the right to withdraw their consent, and a cookie management panel must be made available for this purpose.

Cookie management panels

In order to provide data subjects the right to manage their consent, a cookie management panel must be displayed with the 'accept', 'reject', and 'preferences' buttons. These buttons must be in the same format in terms of colour, size, and font on the panel; therefore, formatting that would induce the data subject to give consent is prohibited. The KVKK also set out during its Wednesday Seminar, on 6 October 2021, that the common practice of displaying 'accept' buttons in different sizes or colours is defined as 'nudging', with such practice being unlawful.

Notice requirement

As a general principle under the Law, data controllers must duly inform the data subjects before all personal data processing activities relating to their personal data. The Guidelines underline this requirement to provide a privacy notice and include a template cookie policy as an annex in which the name, duration, purpose, party, and legal grounds for the use of the cookies are specified.

Cookie walls

Cookie walls are not regarded as an appropriate cookie practice in the Guidelines, although the wording does not suggest a strict prohibition. To that end, it is understood that the KVKK will evaluate the lawfulness of cookie wall practices on a case-by-case basis.

Cookie lifespan and retention periods

The KVKK does not set out in the Guidelines or its decisions specific lifespans or retention periods for cookies. Accordingly, cookie lifespans and retention periods must be determined in accordance with the Law and, consequently, must be proportional and fit to the purpose of use of cookies.

Conclusion

Cookies have become of prominent importance for online platforms and, accordingly, providing legal compliance relating to the use of cookies has become a priority for many industrial players, such as e-commerce companies, media platforms, gaming companies, marketing agencies, and other entities that use websites, mobile applications, and other online tools.

Moreover, cookie pop-ups and complex data processing policies may lead users to make quick and unconscious choices about the processing of their personal data. It is important that cookie consent is 'meaningful' and gives users control over their data.

In light of the above, the KVKK engages in certain actions for regulating the protection of personal data through the use of cookies with the Guidelines constituting a significant step on this matter. While cookie practices are not yet uniform, the Guidelines set out a detailed roadmap for all concerned entities using cookies, signalling that this matter is one of the top items on the KVKK's agenda to provide conformity with the EU regulators' approach on the matter.

İlay Yılmaz Partner
[email protected]
Can Sözer Senior Associate
[email protected]
Aybüke Gündel Solak Senior Associate
[email protected]
Berfu Öztoprak Associate
[email protected]
Esin Attorney Partnership, Istanbul

1. Available at: https://kvkk.gov.tr/Icerik/7353/Cerez-Uygulamalari-Hakkinda-Rehber (only available in Turkish)