The Guidelines on Use of Cookies (the “Guidelines”), published by the Personal Data Protection Authority (the “Authority”) on June 20, 2022, outline good practice examples to guide data controllers. The Guidelines explain the principles on the use of cookies so that data controllers process data on valid legal grounds, provide appropriate privacy notices and lawfully obtain explicit consent from data subjects.
Cookie Types
Cookies are defined as small, rich-format text files that allow certain information about users to be stored on users' terminal devices when a website is visited.
In the Guidelines, cookies are divided into three categories according to their duration, their intended purpose and the party that places them.
i. Cookies according to their duration
a. Session Cookies:
Session cookies are also known as temporary cookies. They are deleted when the user closes the internet browser.
b. Persistent Cookies:
Persistent cookies are also known as tracking cookies. They are not deleted when the user closes the internet browser; instead, they are automatically deleted on a certain date. The data they hold is transmitted to the server each time the user visits the website.
ii. Cookies according to their intended purpose
a. Compulsory Cookies:
Compulsory cookies are necessary both for the website to work and for the provision of information society services. Examples include filling out forms, remembering privacy preferences and logging in to information society services.
b. Functional Cookies:
Functional cookies serve to enhance the functionality and usability of the website.
c. Performance Cookies:
Performance cookies analyze user behavior and produce statistical measurements from that analysis. These metrics measure the impact of advertisements on the relevant people.
d. Advertising/ Marketing Cookies:
Advertising cookies track users' online activity. Their aim is to serve users advertisements based on their interests. Behavioral advertising is the most important type of advertising for advertisers because it allows profiling of the target audience.
iii. Cookies according to the parties
Whether a cookie is first-party or third-party is determined by whether it is placed by the URL (domain) of the website being visited or by another party.
Personal Data Protection Law numbered 6698 (“PDPL”) applies to Cookies
Although cookies are not explicitly regulated under the PDPL, it is clear that the PDPL applies to information society services, and cookies were first analyzed in the Board decision dated 27.02.2020 and numbered 2020/173 (the Amazon Turkey decision).
Legal Grounds for Cookies
The Guidelines outline certain criteria that data controllers must consider while processing data within the scope of the PDPL.
Criteria A: The cookies are used for providing communication over an electronic communications network.
Criteria B: The cookies are strictly necessary in order to provide an information society service that the user has explicitly requested.
The general principles of Articles 5 and 6 of the PDPL apply when personal data is processed through cookies.
The scope of Criteria A and B must also be taken into consideration when processing is based on "legitimate interest" under Article 5/2/f of the PDPL. A balancing test should be applied by weighing the fundamental rights and freedoms of the data subject against the legitimate interest of the data controller, and the existence of a legitimate interest must be evaluated.
Use of Cookies Without Explicit Consent
User Input Cookies (Criteria B): These cookies track users' inputs and transmit them to the service provider. They are first-party cookies and expire when the session ends. Typically, they track the user as they fill the shopping cart and keep a record of the products the user selects by clicking the button.
Authentication Cookies (Criteria B): These cookies identify the user once they have logged in to their account, so that the user does not have to re-enter their name and password on every page request.
User Centric Security Cookies (Criteria B): Criteria B may be applied to cookies used to increase the security of a service explicitly requested by the user. To fulfil their security purpose, user security cookies are expected to have a longer lifetime than log-in cookies, which expire when the session ends.
Multimedia Player Session Cookies (Criteria B): These cookies, also known as flash cookies, store the technical data needed to play back video or audio content until the session ends. When the user wants to access video or text content, they fall within the scope of Criteria B since the user explicitly requests the service.
User Interface Personalization Cookies (Criteria B): These cookies are placed to remember service preferences at the explicit request of the user. Their aim is personalization, and their lifetime may vary according to their purpose. For instance, on a multilingual website, a language preference cookie is used to remember which language option the user has selected.
Social Plug-in Content Sharing (like, share, comment) Cookies (Criteria B): Social plug-in modules allow social network users to share their favorite content and comments with their friends. When members of a social network interact with the plug-ins, cookies are stored to identify the members of the social network. Criteria B does not apply to non-members of the social network or to members who have logged out of their account. These cookies have to be session cookies, and it is recommended that they expire with the session.
Cookies Used for the Explicit Consent Management Platform (Criteria B): Cookies used to remember, for a certain period of time, the explicit consent given by the relevant persons for the preferences subject to explicit consent on the web pages they visit are considered not to require explicit consent themselves.
First-Party Analytics Cookies (Criteria B): These cookies are required to provide the service. Considering that use of the website or application for its operation and daily management is related to the requested service, it is considered that first-party analytics fall within the scope of Criteria B. However, using these cookies for cross-tracking between different websites or applications for profiling purposes will not comply with the principle of being relevant, limited and proportionate to the purpose for which the data is processed.
Cookies Used for the Security of the Website (Criteria B): Cookies used for the security of the website are strictly necessary for the service requested by the user. For example, if a firewall identifies the user in order to limit the number of requests per session, the cookie may be considered strictly necessary for the service requested by the user under Criteria B. Data processing conditions other than explicit consent may also apply to cookies serving this purpose.
Examples of Cookie Use Requiring Explicit Consent
Social Plug-in Tracking Cookies: Social networks offer social plug-in modules that can be integrated into websites to provide certain services that may be considered "explicitly requested" by their members. However, these modules can enable tracking of members/non-members for purposes such as behavioral advertising, analytics or market research.
Online Behavioral Advertising Cookies: Cookies used for behavioral advertising require the explicit consent of the data subject. Since none of the advertising purposes fall within the scope of the information society services explicitly requested by the user, the explicit consent requirement covers the cookies used for advertising purposes.
Explicit Consent Elements
Explicit consent must relate to a specific matter. Open-ended and indefinite consent cannot be accepted as explicit consent. The relevant person must be informed in advance. In addition, consent must be given through an active affirmative action; therefore, merely accessing the website is not accepted as explicit consent to cookies. Consent must be freely given. In addition, explicit consent given for cookies must be revocable.
Another important point is to avoid consent fatigue, meaning that periodic reminders can be used instead of continuously asking the relevant person for consent.
In addition, when obtaining explicit consent for data processing through cookies, it is stated as a good practice example that a cookie management panel appears as soon as the website is entered and that "accept", "reject" and "preferences" buttons that are equal in color, size and font are presented on the panel. Data processing activities that are not directly related to the performance of the basic service subject to the processing of personal data should not be based on the agreement made with the user. For online advertising cookies, explicit consent should not be attached to documents such as "Terms of Use and Agreement" or "Privacy Statement".
Privacy Notice Elements
According to Article 10 of the PDPL and the provisions of the “Communique on Principles and Procedures to Be Followed in Fulfillment of the Obligation to Inform”, the relevant data subjects must be appropriately informed about the use of cookies.
In all cases where personal data is obtained, the obligation to inform must be fulfilled by the data controller at the latest when the data is obtained. The burden of proving that this obligation has been fulfilled lies with the data controller.
When third-party cookies are placed on the website, both the website owner and the third party must ensure that users are clearly informed about the cookies before their explicit consent is obtained.
Users must be informed at their first entry to the relevant website or platform. Otherwise, the obligation to inform is violated, since no information has been provided in accordance with the law. In particular, presenting privacy statements that cover many other subjects does not mean that the obligation to inform has been fulfilled.
Care should be taken to ensure that the information texts for cookies are easily accessible and noticeable, and methods that make it difficult for the relevant people to access the information must be avoided.
Quick Take-Aways
It is recommended that the name of each cookie, its purpose, its duration and whether it is a first-party or third-party cookie be clearly stated in the information text.
If the obligation to inform relates to a service for children, the information should be provided in a clear and understandable text, supported by visuals where necessary, at a level that children can understand.
When personal data is processed through cookies, explicit consent cannot be imposed on the relevant person as a precondition for the conclusion or performance of an agreement.
In this context, opt-out systems, which assume that individuals automatically consent to the processing of their personal data without prior consent and merely allow them to withdraw that consent later, should not be used. Instead, opt-in systems must be used, in which the individual gives prior consent to the processing of his or her personal data through a conscious action.
The rules on data transfer abroad must be complied with if data is transferred abroad through the use of cookies. Under the PDPL, explicit consent is required for such transfers for the time being. In addition, data can be transferred abroad without explicit consent if there is a commitment to adequate protection in the relevant country and the Authority grants authorization stating that the data can be transferred abroad without obtaining explicit consent.