July 2022 – On 20 June 2022, the Turkish Personal Data Protection Authority (the "Authority") published guidelines (the "Guidelines") on the use of cookies to collect personal data and the use of personal data in online environments such as websites, mobile applications, smartphones, and tablets (hereinafter referred to as the "Website").

Below we summarise the main issues covered in the Guidelines.

Types of cookies

Cookies are typically files, generated by the Website during a user's visit, that record information on that user's website visits. The Guidelines classify cookies under three fundamental groups, as follows:

1. Cookies by their durations

Session Cookies (Temporary Cookies) – which are implemented to ensure the continuity of the user's session on the website and are deleted after the user's session is over.

Persistent Cookies (Tracking Cookies) – which are not deleted when users close their internet browser, but which are automatically deleted after a certain period.

2. Cookies by their usage purposes

Strictly Necessary Cookies – which are necessary for the Website to work properly.

Functionality Cookies (Preference Cookies) – which are used for personalisation by remembering the preferences of users and providing functionality on the Website, apart from strictly necessary cookies.

Analytical/Performance Cookies (Statistic Cookies) – which are used to analyse the behaviour of users and to make statistical measurements on the Website.

Advertising/Marketing Cookies – which are used to track the online movements of users on the Website, determine their personal interests, and present advertisements to users related to their interests.

3. Cookies by parties

First-Party Cookies – which are placed directly by the Website visited by the user.

Third-Party Cookies – which are not placed by the Website visited by the user but by a different, third party.

Rules for processing personal data through cookies

According to the Guidelines, data controllers need to consider the following rules when processing personal data using cookies:

1. Data controllers must have a legal basis for data processing. Accordingly:

  1. If there is a legal basis to process personal data other than obtaining the explicit consent of data subjects, the implementation of cookies based on this legal basis is legally permissible.
  2. If there is no legal basis other than obtaining the explicit consent of data subjects, cookies may only be implemented by obtaining the explicit consent of the data subject (i.e. Website user).

2. Data controllers need to consider Criterion A and Criterion B:

  1. Criterion A: relates to the implementation of cookies solely for the purpose of providing communication over an electronic communication network.
  2. Criterion B: relates to when the use of cookies is strictly necessary for information services (i.e. log-in, completing a form, ordering a product, etc.) that the user explicitly requests to receive.

Cookies that may be implemented without obtaining the explicit consent of data subjects

Data controllers need to classify cookies as Criterion A and B in order to implement cookies without obtaining the explicit consent of users. Accordingly, the Guidelines define such types of cookies as follows:

  • User Input Cookies: Cookies that keep track of the user's choices on the Website (e.g., selected product, ticked box, etc.).
  • Authentication Cookies: Implemented to identify and remember the user when they log into a website, e.g., cookies implemented to visit a website or access content (e.g., money transferring).
  • User-Centric Security Cookies: Implemented to increase the security of the Website in order to provide a service that the user explicitly requests.
  • Multimedia Content Player Cookies: Implemented to store data in case of playing a video or accessing text or audio content.
  • User Interface Customisation Cookies: Implemented to store a user's preferences regarding a service on the Website.
  • Social Plugin Content-Sharing Cookies: Located on the Website, integrated with social network platforms, and implemented through social plugin modules.
  • Cookies Implemented for Explicit Consent Management: Implemented to remember user preferences regarding the consents provided for the cookies that can be implemented in the presence of explicit consent.
  • First-Party Analytics Cookies: Used to measure the target audience of the site for the traffic and/or performance statistics necessary for the proper functioning of the Website.
  • Cookies Used for Website Security: Implemented to ensure and protect Website security.
  • Load-Balancing Cookies: Used to ensure that all requests from a particular user are always directed to the same server in the same pool to provide consistency during transactions.

Cookies that may be implemented based on the explicit consent of data subjects

Data controllers are required to obtain a user's explicit consent for cookies (i) that may not be considered under the scope of Criterion A and B or (ii) will be implemented in a way that exceeds the scope of these criteria. In this context:

  1. Social Plugin Tracking Cookies: Implemented for behavioural advertising, analytics, or market research purposes beyond the scope of Criterion B – explicit consent of the data subject is required.
  2. Online Behavioural Advertising Cookies: Implemented for research and market analysis, advertising, financial record-keeping, fraud detection, product development, etc. – explicit consent of data subject

How do data controllers obtain valid explicit consent of data subjects?

According to the Guidelines, data controllers must comply with Turkish DP Law when implementing cookies based on the explicit consent of data subjects. Accordingly:

Data subjects' explicit consent:

  • must be obtained by taking their active affirmative will, not by using an opt-out mechanism;
  • must be relevant to a specific issue, and the purpose of the cookie, its duration, and whether it is a first- or third-party cookie should be specified;
  • must be requested periodically, but not constantly, as requests at frequent intervals may cause "consent fatigue" and may impair the free will of the data subject;
  • must not be imposed as a condition to provide a service;
  • must not be obtained by using cookie tools that prevent data subjects from accessing the Website's contents.

A user's visit to a website does not in itself constitute explicit consent to running cookies on the Website.

The cookie management tool needs to be located in a way that:

  • data subjects may withdraw their explicit consent whenever they want, and
  • preference options for the use of cookies are displayed to the user in the same font and size.

Cross-border data flows via cookies

The Guidelines also highlight cross-border data flows through the use of cookies. Accordingly, if a website operator transfers users' personal data abroad by implementing cookies through companies or servers located outside of Turkey, such activity must comply with Turkish DP Law and the decisions of the Authority regulating cross-border data flows.

Obligation to inform in cookie implementation

Data controllers must fulfil their obligation to inform data subjects about the processing of personal data via cookies regardless of whether the data processing activity is based on the explicit consent of the data subject or other legal bases. In this respect:

  • in case of privacy notices on a Website that contain information on many subjects collectively, the obligation to inform shall not be considered fulfilled;
  • failure to provide information (e.g., by showing pop-up messages) to a user at the first moment of the implementation of cookies constitutes a violation of the obligation to inform;
  • the name, purpose, duration, and type of the cookie must be included in the information;
  • in cases where third-party cookies are used, both the website owner and the third party are mutually responsible for providing information to the users or obtaining explicit consent in accordance with the law.
