The DPA prepared draft guidelines (“Guidelines”) on January 11, 2022, explaining cookies and practical advice for data controllers who process personal data through cookies. The Guidelines was published on the official website of the DPA on January 11, 2022, to gather views on the same.
Within the scope of the Guidelines, which is still at the draft stage, cookies in general and their types are regulated. It also categorises cookies based on their timeframe, intended purpose and parties.
The relationship between the Electronic Communications Law No. 5809 (“ECL”) and Data Protection Law is also reviewed in the Guidelines. Personal data may be processed without the need for obtaining explicit consent in cases where the cookies in question are solely used for providing communication via the electronic communications network, and the data controller acts as an operator within the meaning of the ECL. Within the scope of the Guidelines; in respect of cookies applications, it is stated that the Data Protection Law shall be applied, and the principles outlined in the Data Protection Law and the grounds for processing data shall also apply to the processing of personal data through cookies other than the exceptional cases, listed above and subject to the provisions of the ECL. Accordingly, in the absence of the legal grounds listed in Articles 5 and 6 of the Data Protection Law, explicit consent of website visitors shall be obtained for using cookies. Within the framework of the Guidelines; in cases where cookies are solely used to provide communication via the electronic communications network (Criteria A) or use of cookies is absolutely essential for the member or the user to receive the service that they have explicitly demanded (Criteria B), cookies may be used without the need for obtaining explicit consent if it is mandatory for the legitimate interests of the data controller as outlined in subparagraph (f) of Article 5 of the Data Protection Law. No restriction has been introduced in the Guidelines regarding the grounds outlined in Articles 5 and 6 of the Law. Therefore, a meticulous case-by-case evaluation must be made, and personal data shall be processed through cookies without obtaining explicit consent if other conditions are also satisfied.
In the Guidelines, clarifying explanations are also made on the explicit consent and information notice in cases where explicit consent is required. Accordingly, in obtaining explicit consent within the scope of the Guidelines, a cookies management panel should be displayed to the visitor upon visiting the website for the first time, providing the “accept”, “reject”, and “preferences” options equally in terms of colour, size and font. Visitors should be provided with the opportunity to grant/deny consent regarding the cookies, which cannot be used without explicit consent and the cookies applications based on explicit consent, should be displayed in a closed/passive manner at first.
It is stated in the Guidelines that the opt-in system, namely a system where the data subject grants his/her consent for processing personal data with a conscious act, should be used in respect of the explicit consent statements to be obtained by data controllers from the data subjects. Also, to prevent consent fatigue, asking for explicit consent at every visit of the data subject should be avoided, and it is recommended to limit the frequency of reminding the consent preferences to the person, who has rejected the use of the cookies for once, periodically in proportion to the lifetime of the relevant cookies. Also, systems called “cookie walls” that prevent access to a website, and visitors from accessing a website without accepting cookies applications, are considered against the Data Protection Law.
It should be noted that the principles outlined in the Data Protection Law with the obligation to inform shall also apply to cookies, and the visitor should be informed per the Data Protection Law about the data processing activity conducted via each cookie, independently from explicit consent of the visitor or any other condition sought for processing data.
Use case scenarios are also presented at the end of the Guidelines to concretise the good and bad cookies applications. In relation to the cookies applications used on their websites, it would be helpful for data controllers to carefully review the case scenarios of good and bad practices provided in the Guidelines to use cookies in conformity with the Data Protection Law.
The Board’s decision dated February 27, 2020, with the number 2020/173, is also reviewed in the Guidelines regarding cookies. In this respect, the most critical points outlined in the referred decision can be summarised as follows:
- Information notice must contain all elements, and it must be worded in a clear, comprehensible and straightforward manner. The inclusion of cookies privacy notices would not mean that the obligation to inform has been fulfilled.
- In cases where data is processed based on explicit consent, the obligation to inform and explicit consent requirements should be separately fulfilled.
- Data must not be processed by obtaining consent as a prerequisite for establishing a contract.
- A mechanism that enables obtaining explicit consent for each different purpose is required in processing personal data.
- Information notice must be displayed upon entering the website at the latest.
- Active action is required. Solely visiting a website shall not be considered as granting explicit consent.
- Legal grounds other than explicit consent may also be taken as a basis.