News and developments
Turkish Data Protection Authority’s Draft Guidelines on Cookies
Authors: Gönenç Gürkaynak Esq., Ceren Yıldız, Noyan Utkan and Gamze Yalçın, ELIG Gürkaynak Attorneys-at-Law
The Turkish Data Protection Authority (“DPA”) published Draft Guidelines on Cookies[1] (“the Draft Guidelines”) on January 11, 2022, providing explanations on cookies and practical advice for data controllers who process personal data through the use of cookies.
The Draft Guidelines mainly provides an introductory note on the definition of cookies and information on the types of cookies. After giving a general definition of cookies, it categorizes them based on (i) timeframe (i.e. session cookies, permanent cookies), (ii) purpose (i.e. mandatory cookies, functional cookies, performance–analytical cookies, ad/marketing cookies), and (iii) parties (i.e. first-party cookies, third-party cookies).
The DPA further assesses the legal basis for applying Law No. 6698 on Protection of Personal Data (“DPL”) to the processing of personal data through the use of cookies. Even though cookies are not explicitly regulated under the DPL, the DPA concludes that Article 51 (3) of Law No. 5809 on Electronic Communications (“Electronic Communications Law”) applies to data controller operators, but does not explicitly apply to “information society services” (which are explicitly regulated in Article 5 (3) of Directive 2002/58/EC of the European Parliament (“Directive 2002/58/EC”)). Therefore, the DPA deduces that, as the Electronic Communications Law does not regulate information society services, the DPL applies to the processing of personal data through the use of cookies.
In the fourth section of the Draft Guidelines, the DPA elaborates on the conditions that need to be taken into consideration regarding cookies. The Draft Guidelines states that personal data may be processed by the use of cookies if (i) explicit consent is obtained, or (ii) one of the conditions set forth in Article 5 or Article 6 of the DPL exists. It also recommends that a balancing test be performed if “legitimate interest of data controller” is the sole basis for data processing, and that the two-fold European Union Criteria[2] be taken into account when performing such a test.
In the following sections, the DPA gives some use cases that do and do not require explicit consent. Accordingly, the Draft Guidelines lists the following types of cookies as the ones which do not require explicit consent: (i) cookies created as a result of users signing in and creating submission forms (i.e. when picking items to fill out an online-shopping basket), (ii) cookies that form as a result of identification verification tools, (iii) cookies created by the user’s security preferences, (iv) multimedia player session cookies, (v) cookies that help with network load balancing, (vi) cookies created by user interface personalization, (vii) add-on content for social networking such as liking, sharing, commenting on posts, (viii) cookies used for managing the explicit consent platform, (ix) first-party analytical cookies, and (x) cookies used for security of the website.
The scenarios which do require explicit consent are listed as (i) social tracing add-ons (such as those used for marketing and behavioral or analytical research tools); (ii) online behavioral advertising cookies.
Furthermore, the Draft Guidelines elucidates the elements that must exist in lawfully obtained consent. Accordingly, a lawful consent must be (i) related to a definite subject; (ii) based on being informed; (iii) expressed with free will.
Moreover, the Draft Guidelines mentions parties’ liability and notes that some websites may utilize “Cookie Walls” (i.e. if the user does not accept the collection of all cookies, the user is prevented from using the website). The Draft Guidelines concludes that a case-by-case evaluation must be made to determine whether such cookie walls hinder explicit consent; however, the use of alternative options to cookie walls would be advisable.
In the eighth section, the Draft Guidelines sets out how the obligation to inform should be duly fulfilled before personal data is processed by cookies. By referencing Article 5 of the Communique on Procedures and Principles on Providing Explicit Consent and Article 10 of the DPL, it states that the information notice should be clear, plain and easily accessible, and that methods which make it difficult for data subjects to access it should not be used. The Draft Guidelines also states that when a person visits a website for the first time, an information notice on cookies should be provided (e.g. through pop-up messages). It also recommends that the information notice include the name and purpose of the cookies, their usage period, and whether a first or third party is involved.
In the ninth section, the Draft Guidelines cites the DPA’s decision dated February 27, 2020 and numbered 2020/173 as an example of how the DPA has previously decided in a case which involved the collection of cookies by a website.
Finally, the Appendix section of the Draft Guidelines includes documents for practical use such as “Check List for Use of Cookies”, good and bad examples regarding cookies, and a sample information notice.
As a side note, the DPA makes it clear that the Guidelines on Cookies are published as a “draft” version, and welcomes opinions and evaluations from relevant parties in writing or by e-mail until February 10, 2022.
[1] https://kvkk.gov.tr/SharedFolderServer/CMSFiles/1336263f-22bb-4da3-a1b9-aabc0e0e8bff.pdf (Last accessed on January 12, 2022)
[2] Criterion A: Cookies are solely used for the purpose of providing communication via the communications network;
Criterion B: Use of cookies is absolutely essential in order for the member or the user to receive the service that they have explicitly demanded.