News and developments

The Decision of the Personal Data Protection Board Regarding the Cookies

Since there is no particular legislative regulation on the personal data processing through the cookies within the scope of the Law on Protection of Personal Data No. 6698 (“Law”), it brings to mind the question of how this processing activity will be carried out.

Recently, with the Guideline on Cookie Practices published on the website of the Personal Data Protection Board (“Board”), the processing of personal data through cookies has been clarified for the website operators. In addition, some principles on the processing policies of cookies have been determined by the decisions made by the Board. In this article, we aim to examine the most recent decision of the Board regarding the data processing activities made through cookies.

The following issues were briefly mentioned in the complaint petition which is the subject of the Board’s decision dated 10.03.2022 and numbered 2022/229, regarding the unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector:

  • The cookie policy implemented by the data controller is violative of the fundamental rights and freedoms of individuals and the privacy of private life;
  • Since the policy on the website about the use of cookies contains incomprehensible and unspecified information, the obligation to inform about cookies is not fully fulfilled;
  • The processing activity is not carried out by the data controller based on the explicit consent of the data subject regarding the use of cookies;
  • Although the personal data processed within the scope of the activities of the website or the cookies used are transferred abroad, the explicit consent of the data subject is not obtained in this context;
  • It is not specified to which data subject group the data subject belongs, the processing purposes of data categories and data types are not fully explained and their scope is not understandable;
  • It is not clear which type of data is processed from the explanations under the marketing information data category; although the data subject has not given explicit consent for a commercial electronic message, targeting and analysis cookies are active in the browser and in the application.

In this regard, the Board was requested to take necessary action.

In the letter sent by the data controller to the Board upon the complaint of the data subject, the following issues were addressed:

  • Personal data processed through cookies on the browser in order to identify the data subject are in the form of cookies that are not strictly necessary cookies, and they are processed under the condition that data processing is mandatory for legitimate interests in accordance with the Law;
  • Other cookies, other than those that are not strictly necessary cookies, are cookies that are absolutely necessary for the provision of the electronic commerce service offered to users as an information society service provider, and it is not necessary to obtain explicit consent from the website or mobile application users in terms of these;
  • Analytics, user behavior tracking, and other online advertising cookies, which are not strictly necessary cookies are used, and in this context, a pop-up privacy notice appears after users first visit the website;
  • Users are directed to the Privacy and Cookies Policies on the website; the user is informed in detail about how to manage cookies in the Cookie Policy.
  • The cookies used are not put forth as a prerequisite for the service, and the provision of the electronic commerce service is not subject to the acceptance of these cookies, unlike the applications called cookie walls or tracking walls in the European Union.

As a result of the investigation carried out on the subject, the Board has emphasized that while the explicit consent of the data subject will not be required for the proper functioning of a website, the use of cookies working for advertising, marketing, and performance purposes is subject to the explicit consent of the data subject. Furthermore, the Board has emphasized that the cookies are necessary for the proper functioning of the website are strictly necessary cookies and the personal data processing can be carried out based on one of the data processing conditions in the Law without the explicit consent, but in the case of performing personal data processing activities with cookies that are not strictly necessary cookies, explicit consent is required.

The Board has stated that when the website is accessed, the data subject is directed to the Privacy and Personal Data Protection Policy and the Cookie Policy with a pop-up which is appearing in the corner of the page. However, it has been pointed out that there is no indication that the explicit consent of the data subject was obtained in terms of cookies which are not strictly necessary. Also, the Board has ordered to take the necessary technical and administrative measures and not to obtain the explicit consent of the data controller for operating functional cookies, performance-analytical cookies, and advertising/marketing cookies other than strictly necessary cookies. Additionally, the Board has given the data controller 30 days to establish the required system for obtaining explicit consent according to the ‘opt-in’ mechanism, and to update the Cookie Policy text on the website.

You may access the Decision by this link.

To see our other articles, you may follow the NSN Bulletin via the link.

Authors: Bilge Derinbay, Hande Ülker Pehlivan

Contact: [email protected]