The DPA prepared draft guidelines (“Guidelines”) on January 11, 2022, explaining cookies and practical advice for data controllers who process personal data through cookies. The Guidelines was published on the official website of the DPA on January 11, 2022, to gather views on the same.
Within the scope of the Guidelines, which is still at the draft stage, cookies in general and their types are regulated. It also categorises cookies based on their timeframe, intended purpose and parties.
In the Guidelines, clarifying explanations are also made on the explicit consent and information notice in cases where explicit consent is required. Accordingly, in obtaining explicit consent within the scope of the Guidelines, a cookies management panel should be displayed to the visitor upon visiting the website for the first time, providing the “accept”, “reject”, and “preferences” options equally in terms of colour, size and font. Visitors should be provided with the opportunity to grant/deny consent regarding the cookies, which cannot be used without explicit consent and the cookies applications based on explicit consent, should be displayed in a closed/passive manner at first.
It is stated in the Guidelines that the opt-in system, namely a system where the data subject grants his/her consent for processing personal data with a conscious act, should be used in respect of the explicit consent statements to be obtained by data controllers from the data subjects. Also, to prevent consent fatigue, asking for explicit consent at every visit of the data subject should be avoided, and it is recommended to limit the frequency of reminding the consent preferences to the person, who has rejected the use of the cookies for once, periodically in proportion to the lifetime of the relevant cookies. Also, systems called “cookie walls” that prevent access to a website, and visitors from accessing a website without accepting cookies applications, are considered against the Data Protection Law.
It should be noted that the principles outlined in the Data Protection Law with the obligation to inform shall also apply to cookies, and the visitor should be informed per the Data Protection Law about the data processing activity conducted via each cookie, independently from explicit consent of the visitor or any other condition sought for processing data.
The Board’s decision dated February 27, 2020, with the number 2020/173, is also reviewed in the Guidelines regarding cookies. In this respect, the most critical points outlined in the referred decision can be summarised as follows:
- Information notice must contain all elements, and it must be worded in a clear, comprehensible and straightforward manner. The inclusion of cookies privacy notices would not mean that the obligation to inform has been fulfilled.
- In cases where data is processed based on explicit consent, the obligation to inform and explicit consent requirements should be separately fulfilled.
- Data must not be processed by obtaining consent as a prerequisite for establishing a contract.
- A mechanism that enables obtaining explicit consent for each different purpose is required in processing personal data.
- Information notice must be displayed upon entering the website at the latest.
- Active action is required. Solely visiting a website shall not be considered as granting explicit consent.
- Legal grounds other than explicit consent may also be taken as a basis.