Click here to listen to our legal alert now!

The Personal Data Protection Authority ("Authority") has published the Draft Guideline on Use of Cookies ("Guideline"). With the Guideline, the Authority aims to bring recommendations to ensure the compliance of website operators1 with the Personal Data Protection Law ("Law"). The Guideline is open for public consultation until 10 February 2022. Interested stakeholders may convey their opinions and suggestions to the Authority in written form or via email to cerez@kvkk.gov.tr.

New development

On 11 January 2022, the Authority opened the Guideline for public consultation until 10 February 2022. The Guideline sets forth cookie types, the relationship between the Electronic Communications Law No. 5809 ("ECL") and the Law, various cookie implementation cases and explains legitimate explicit consent and informing mechanisms. The Guideline further elaborates on the Authority's decision dated 27 February 2020 numbered 2020/173 from a cookie use perspective, provides a checklist for the use of cookies in its attachment and brings examples of different uses of cookies. The relevant decision is available online here. The Guideline is available online here.

What's new

The Guideline, aiming to ensure website operators' compliance with the Law when using cookies, covers only the cookies used for processing personal data. In addition to websites, the Guideline is applicable to similar online applications connected to networks.

Definitions and types of cookies

In the Guideline, cookie is defined as "a type of text file placed on the user's device by the website operators and is transferred as part of the HTTP (Hyper Text Transfer Protocol) query." Another definition brought by the Guideline is as follows: "cookies are small sized rich text formats, which allow certain information about users to be stored on terminal devices when a web page is visited."

The Guideline explains the types of cookies based on three main characteristics: (i) duration of the cookies; (ii) purpose of the cookies; and (iii) parties of the cookies. According to their duration, cookies are classified as session cookies and persistent cookies. As for their purpose, cookies are classified as strictly necessary, functional, performance-analytical and advertising/marketing cookies. According to their parties, cookies are divided into two categories as first-party and third-party cookies, depending on whether the cookie is placed by the website or the domain visited by the user.

Relationship between the ECL and the Law

As per the Guideline, the Law will be applicable to information society services as, unlike the EU Directive 2002/58/EC, this topic is not regulated under the ECL. In this context, the decision dated 27 February 2020 numbered 2020/173 is highlighted. Additionally, it is stated that the ECL may partially be applicable to the data controller operators.

Rules regarding explicit consent for the use of cookies

The Guideline emphasizes the two criteria that are used in the EU to determine whether explicit consent is required for the use of cookies. Accordingly, the following questions should be answered: either "are cookies used only for providing communication over an electronic communication network? or "are cookies strictly necessary for the information society services that are explicitly requested by the subscriber or user?". For cases that do not fall under these two scenarios, either the explicit consent of the data subject must be obtained or another legal basis stipulated under the Law must be reliable. As stated, the explicit consent of the data subject is not required for the use of cookies, if one of the legal basis set forth under the Law exists.

The Authority emphasizes that when the use of cookies requires explicit consent of the data subject, the data subject must be provided with clear and specific information and the consent must be obtained based on active action (i.e., opt in) and free will of the data subject in order for the consent to be deemed legitimate. The Authority stated that requesting consent frequently may lead to "consent fatigue" and may damage the free will of the data subject. Hence, as per the Guideline, instead of obtaining consent every time a user accesses the website, it is sufficient to remind the explicit consent preference of the data subject proportionally throughout the lifetime of a cookie. Finally, the Authority emphasized that obtaining consent for cookies through cookie walls that block the view of the website itself, damages free will since explicit consent will be deemed as a prerequisite for the use of services.

Conclusion

In the Guideline, the Authority aims to guide website operators and those that process personal data through cookies to bring cookie practices in line with the legislation. Interested stakeholders may review this important Guideline and submit their opinions and suggestions to the Authority until 10 February 2022.

Footnote

1. The term "website" referred to in the Guideline includes websites or media (such as mobile phones or tablets).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.