Below we summarise the main issues covered in the Guidelines.
Types of cookies
Cookies are typically files, generated by the Website during a user's visit, that record information on the user's website visits. The Guidelines classify cookies under three fundamental groups, as follows:
1. Cookies by their durations
- Session Cookies (Temporary Cookies) – which are implemented to ensure the continuity of the user's session on the website and are deleted after the user's session is over.
- Persistent Cookies (Tracking Cookies) – which are not deleted when users close their internet browser, but which are automatically deleted after a certain period.
2. Cookies by their usage purposes
- Strictly Necessary Cookies – which are necessary for the Website to work properly.
- Functionality Cookies (Preference Cookies) – which are used for personalisation by remembering the preferences of users and providing functionality on the Website, apart from strictly necessary cookies.
- Analytical/Performance Cookies (Statistic Cookies) – which are used to analyse the behaviour of users and to make statistical measurements on the Website.
- Advertising/Marketing Cookies – which are used to track the online movements of users on the Website, determine their personal interests, and present advertisements to users related to their interests.
3. Cookies by parties
- First-Party Cookies – which are placed directly by the Website visited by the user.
- Third-Party Cookies – which are not placed by the Website visited by the user but by a different, third party.
Rules for processing personal data through cookies
According to the Guidelines, data controllers need to consider the following rules when processing personal data using cookies:
1. Data controllers must have a legal basis for data processing. Accordingly:
- If there is a legal basis to process personal data other than obtaining the explicit consent of data subjects, the implementation of cookies based on this legal basis is legally permissible.
- If there is no legal basis other than obtaining the explicit consent of data subjects, cookies may only be implemented by obtaining the explicit consent of the data subject (i.e. Website user).
2. Data controllers need to consider Criterion A and Criterion B:
- Criterion A: relates to the implementation of cookies solely for the purpose of providing communication over an electronic communication network.
Cookies that may be implemented without obtaining the explicit consent of data subjects
Data controllers need to classify cookies as Criterion A and B in order to implement cookies without obtaining the explicit consent of users. Accordingly, the Guidelines define such types of cookies as follows:
|Type of Cookies|Description|
|---|---|
|User Input Cookies|Cookies that keep track of the user's choices on the Website (e.g., selected product, ticked box, etc.).|
|Authentication Cookies|Implemented to identify and remember the user when they log into a website, e.g., cookies implemented to visit a website or access content (e.g., money transferring).|
|User-Centric Security Cookies|Implemented to increase the security of the Website in order to provide a service that the user explicitly requests.|
|Multimedia Content Player Cookies|Implemented to store data in case of playing a video or accessing text or audio content.|
|User Interface Customisation Cookies|Implemented to store a user's preferences regarding a service on the Website.|
|Social Plugin Content-Sharing Cookies|Located on the Website, integrated with social network platforms, and implemented through social plugin modules.|
|Cookies Implemented for Explicit Consent Management|Implemented to remember user preferences regarding the consents provided for the cookies that can be implemented in the presence of explicit consent.|
|First-Party Analytics Cookies|Used to measure the target audience of the site for the traffic and/or performance statistics necessary for the proper functioning of the Website.|
|Cookies Used for Website Security|Implemented to ensure and protect Website security.|
|Load-Balancing Cookies|Used to ensure that all requests from a particular user are always directed to the same server in the same pool to provide consistency during transactions.|
Cookies that may be implemented based on the explicit consent of data subjects
Data controllers are required to obtain a user's explicit consent for cookies (i) that may not be considered under the scope of Criterion A and B or (ii) will be implemented in a way that exceeds the scope of these criteria. In this context:
- Social Plugin Tracking Cookies: Implemented for behavioural advertising, analytics, or market research purposes beyond the scope of Criterion B – explicit consent of the data subject is required.
- Online Behavioural Advertising Cookies: Implemented for research and market analysis, advertising, financial record-keeping, fraud detection, product development, etc. – explicit consent of data subject
How do data controllers obtain valid explicit consent of data subjects?
According to the Guidelines, data controllers must comply with Turkish DP Law when implementing cookies based on the explicit consent of data subjects. Accordingly:
Data subjects' explicit consent:
- must be obtained by taking their active affirmative will, not by using an opt-out mechanism;
- must be relevant to a specific issue, and the purpose of the cookie, its duration, and whether it is a first- or third-party cookie should be specified;
- needs to be periodically, but not constantly, requested, as frequent intervals may cause "consent fatigue" and may injure the free will of the data subject;
- must not be imposed as a condition to provide a service;
- must not be obtained by using cookie tools that prevent data subjects from accessing the Website's contents.
A user's visit to a website does not constitute explicit consent to run cookies on the Website.
The cookie management tool needs to be located in a way that:
- data subjects may withdraw their explicit consent whenever they want, and
Cross-border data flows via cookies
Obligation to inform in cookie implementation
Data controllers must fulfil their obligation to inform data subjects about the processing of personal data via cookies regardless of whether the data processing activity is based on the explicit consent of the data subject or other legal bases. In this respect:
- in case of privacy notices on a Website that contain information on many subjects collectively, the obligation to inform shall not be considered fulfilled;
- failure to provide information (e.g., by showing pop-up messages) to a user at the first moment of the implementation of cookies constitutes a violation of the obligation to inform;
- the name, purpose, duration, and type of the cookie must be included in the information;
- in cases where third-party cookies are used, both the website owner and the third party are mutually responsible for providing information to the users or obtaining explicit consent in accordance with the law.