Turkey: Recent developments on the processing of personal data via cookies
On 11 January 2022, the Personal Data Protection Authority ('KVKK') published its draft guidelines on cookie applications[1] ('the Draft Guidelines') for public consultation. The Draft Guidelines cover cookies placed on the devices of data subjects and the related privacy obligations. Melis Mert and Kaan İlısu, from BTS & Partners, provide an overview of the Draft Guidelines for data controllers who process personal data via cookies and are subject to the Law.
As to the general legal framework, personal data processing activities via cookies are not separately regulated under the Personal Data Protection Law No. 6698 ('the Law'). However, the Law does not limit its application to any particular processing method; therefore, where the use of cookies results in the processing of personal data, the Law and its secondary legislation apply.
Legal framework for processing personal data via cookies
There is no specific regulation under Turkish legislation addressing cookies and similar tracking technologies that is comparable to Articles 5 and 6 of the EU's Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'), other than Article 51 of the Electronic Communication Law No. 5809 of 2008 ('the E-Communication Law'), which applies only to electronic communication operators.
Since cookies and similar technologies fall within the scope of the Law where personal data is processed, all obligations arising from the Law and its secondary legislation must be respected. Within this scope, the main requirements are as follows:
- Obligation to inform data subjects (users) via privacy notices, in line with Article 10 of the Law and the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform[2] ('the Communiqué'). Although the mandatory requirements are outlined in the Law and the Communiqué, the KVKK has additional (format- and content-related) expectations for privacy notices, which are important for full compliance. Furthermore, the data subject's acceptance or confirmation that they have read the notice is not required; on the contrary, having data subjects 'accept' the notice is considered an unlawful practice.
- Obtaining lawful explicit consent (where required, depending on the cookie types and the subsequent data processing activities). Unless one of the legal bases specified under Article 5(2)[3] of the Law exists, data controllers must obtain the explicit consent of the data subjects before such processing. The Law does not specify which legal bases apply to which cookie types. As a result, a legal assessment should be made with respect to each data processing purpose (targeted advertising, profiling, etc.). If the data controller determines that explicit consent should be sought, that consent must be freely given, informed, and specific. It should be noted that the Law does not accept soft opt-in or blanket consents, and consent must not be a prerequisite for the provision of the main products and services.
- Ensuring the security of the personal data obtained and processed via cookies. The data controller must take the necessary technical and administrative measures to provide an appropriate level of security.
- Complying with the general principles. The general principles stipulated under the Law are as follows (similar to those found under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')): lawfulness and fairness; being accurate and kept up to date where necessary; being processed for specified, explicit, and legitimate purposes; being relevant, limited, and proportionate to the purposes for which they are processed; and being stored for the period laid down by relevant legislation or required for the purpose for which the personal data are processed.
The Draft Guidelines and the KVKK's recommendations
The Draft Guidelines provide guidance from different perspectives on processing personal data via cookies. As to their scope, the Draft Guidelines are prepared solely to provide guidance on cookies through which personal data is processed; they do not cover similar technologies (pixels, beacon technology, etc.), and they address not only websites but also applications.
It should be noted that, at the time of publication, the Draft Guidelines have been opened for public consultation and are therefore not finalised. The content of the Draft Guidelines (and hence the statements below) may change as a result of the KVKK's future work. On the other hand, finalised guidelines of the KVKK are not legally binding under Turkish law, but they present the KVKK's approach and expectations on the relevant matter (which are sometimes reflected in the KVKK's decisions).
Within the scope of this article, the KVKK's recommendations in the Draft Guidelines are presented below under three main headings: (i) legal basis assessment based on cookie types; (ii) obtaining explicit consent; and (iii) privacy notices.
Legal basis assessment based on cookie types
The Draft Guidelines clearly state that explicit consent is required for social plug-in tracking cookies and online behavioural advertising cookies. First-party analytics cookies, on the other hand, are evaluated by the KVKK as usable without the data subject's explicit consent only under certain circumstances: (i) the first-party analytics cookies are used only to generate anonymous statistics; (ii) the user's internet browsing is not used for cross-tracking; (iii) the cookie lifetime is reasonable; and (iv) no data collected via the first-party analytics cookies is transmitted to third parties.
Although the Draft Guidelines do not lay down absolute rules on legal bases, the following cookie types may be used without the explicit consent of the data subjects: user input cookies; authentication cookies; user-centric security cookies; multimedia player session cookies; load balancing session cookies; user interface customisation cookies; social plug-in content sharing cookies; cookies used for the explicit consent management platform; and cookies used for website security.
Obtaining explicit consent
The Draft Guidelines present certain rules and recommendations on how platforms should obtain explicit consent for cookie usage. It should be noted that these statements of the KVKK are largely in line with the explicit consent rules under the Law's general application.
It is underlined that, when obtaining explicit consent for personal data processing via cookies, the elements of explicit consent ('specific', 'based on information', and 'expressed with free will') must all be present. Therefore:
- the data controller cannot force data subjects to accept all cookies in order to access the platform (i.e. cookie walls);
- privacy notices must be presented; and
- blanket/general consents shall not be sufficient.
The concept of 'consent fatigue' is also discussed in the Draft Guidelines. Accordingly, seeking explicit consent too frequently would be unlawful, and it is recommended to limit the frequency of reminders about the data subject's consent preferences in proportion to the lifetime of the relevant cookie (similar to the French data protection authority's ('CNIL') guidelines on cookies and tracking devices). Although the CNIL anticipates a six-month interval for the periodic reminder procedure, the KVKK suggests that the interval before re-asking for consent should be examined on a case-by-case basis, considering the nature of the website or application as well as the characteristics of the target audience.
The Draft Guidelines also provide guidance on the parties' liabilities where third-party cookies are used. In this context, it is determined that the website owner and the third-party cookie provider are jointly responsible for the personal data processing carried out via the relevant third-party cookie.
Use case scenarios of good and bad practices are also presented under the Draft Guidelines, such as:
- A banner including a cookie management tool ('CMT') that presents the 'accept', 'reject', and 'preferences' options equally in terms of colour, size, and font, together with an icon on the website that gives access to the CMT, is deemed good practice.
- Presenting only an 'accept' button on the banner and using the soft opt-in method are deemed inappropriate.
In addition to the provisions of the Law and secondary legislation on the obligation to inform, the Draft Guidelines set out certain further principles for fulfilling this obligation with respect to cookie usage. Accordingly, it is highlighted that the obligation to inform cannot be fulfilled by cookie privacy notices that 'have a complex nature and contain information on many other subjects'. More specifically, it is recommended to provide the cookie name, its purpose of use, its period of use, and information on whether the cookie is first- or third-party.
It should also be noted that, as a general rule, privacy notices and explicit consents cannot be bundled. The KVKK therefore considers banners that do not present them separately to be bad practice.
[1] See: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/1336263f-22bb-4da3-a1b9-aabc0e0e8bff.pdf (only available in Turkish)
[2] See: https://www.kvkk.gov.tr/Icerik/6637/Communique-On-Principles-And-Procedures-To-Be-Followed-In-Fullfillment-Of-The-Obligation-To-Inform
[3] Article 5(2) of the Law sets out the legal bases as follows: it is clearly provided for by the laws; it is mandatory for the protection of the life or physical integrity of the person or of any other person who is incapable of giving his/her consent or whose consent is not deemed legally valid; processing of personal data belonging to the parties to a contract is necessary, provided that it is directly related to the conclusion or fulfilment of that contract; it is mandatory for the controller to be able to perform its legal obligations; the data concerned has been made available to the public by the data subject himself/herself; data processing is mandatory for the establishment, exercise or protection of any right; it is mandatory for the legitimate interests of the controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject.
[4] See: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf