
The Board prepared the Guidelines on Cookies Applications (“Guidelines”), which explain cookies and offer practical advice for data controllers who process personal data through cookies. The Guidelines were published on the official website of the DPA on June 20, 2022.

Within the Guidelines, cookies in general and their types are regulated. Moreover, the types of cookies are categorised based on their timeframe, intended purpose and parties.

The relationship between the Electronic Communications Law No. 5809 (“ECL”) and Data Protection Law is also reviewed in the Guidelines.

Personal data may be processed without the need for explicit consent in cases where the cookies in question are solely used for communication via the electronic communications network and the data controller acts as an operator within the meaning of the ECL. In respect to cookies applications, it is stated that the Data Protection Law shall be applied, and the principles outlined in the Data Protection Law and the grounds for processing data shall also apply to the processing of personal data through cookies other than the exception mentioned above where the ECL is relevant. Accordingly, in the absence of the legal grounds listed in Articles 5 and 6 of the Data Protection Law, explicit consent from website visitors must be obtained for the use of cookies. Within the framework of the Guidelines, in cases where cookies are solely used to provide communication via the electronic communications network (Criteria A) or the use of cookies is essential for the member or the user to receive the service that they have explicitly demanded (Criteria B), cookies may be used without the need for obtaining explicit consent if it is mandatory for the legitimate interests of the data controller as outlined in subparagraph (f) of Article 5 of the Data Protection Law. The Guidelines contain no restriction regarding the grounds outlined in Articles 5 and 6 of the Law. Therefore, a meticulous case-by-case evaluation must be made, and personal data may be processed through cookies without obtaining explicit consent if these other conditions are satisfied.

The Guidelines also clarify explicit consent and the information notice in cases where they are required. Accordingly, in obtaining explicit consent within the scope of the Guidelines, a cookies management panel should be displayed to the visitor on their first visit to the website, providing “accept”, “reject”, and “preferences” options in the same colour, size and font. Visitors should be provided with the opportunity to grant or deny consent regarding the cookies that cannot be used without explicit consent. The cookies applications requiring explicit consent should be displayed in a secure/passive manner at first. It is stated in the Guidelines that an opt-in system, namely a system where the data subject grants his/her consent for processing personal data with a conscious act, should be used in respect of the explicit consent statements to be obtained by data controllers from the data subjects. Also, to prevent consent fatigue, asking for explicit consent at every visit of the data subject should be avoided, and it is recommended to limit the frequency of reminders to the person who has rejected the use of the cookies in proportion to the lifetime of the relevant cookies. Also, systems called “cookie walls”, which prevent visitors from accessing a website without accepting cookies applications, are considered against the Data Protection Law.

It should be noted that the principles outlined in the Data Protection Law, together with the obligation to inform, also apply to cookies, and the visitor should be informed per the Data Protection Law about the data processing activity conducted via each cookie, independently of the explicit consent of the visitor or any other condition sought for processing data.

Use case scenarios are also presented in the Guidelines to differentiate good and bad cookies applications.

In a Board decision published in 2022 regarding the unlawful processing of personal data through cookies, the Board stated that explicit consent of the data subject is required when cookies are used by a data controller operating in the e-commerce sector for the purposes of advertisement, marketing and performance. The privacy notice regarding the cookies policy must be easily accessible and clearly depict which personal data will be acquired with which methods, and the consent of the data subjects regarding the operation of cookies must be ensured through their voluntary, active actions. The Board imposed an administrative fine on the data controller in question due to the unlawful processing of personal data.

