Cookie Requirement Regimes from the EU and Turkish Data Privacy Regulations Perspectives

Data is doubtlessly one of the most valuable assets today. Companies in all sectors are leaning towards data-driven business models, and are trying to collect and monetize data through various methods. As data-based business models emerge, it has become a hot topic for legislators to regulate data processing methods and preserve the privacy and security of data subjects.

Cookies are one of the most efficient and sophisticated methods that companies use to process data. As data protection regulations enter into force around the globe, questions arose as to how these regulations will respond to the use of cookies. Accordingly, many regulatory authorities, including the ICO, CNIL and CJEU, published guidelines and opinions on how cookies should be handled in the scope of data protection regulations.

Before setting the regulatory framework regarding the cookies, it is important to understand what cookies are, how they work and how they relate to data subjects' personal data.

What are Cookies and How do They Work?

Briefly, cookies are small files containing data stored on users' devices, including computers, smartphones or tablets. When a user visits a website, the website server places cookies on the user's browser. Every time the user re-visits the website or navigates to different pages or content within the website, the browser sends the cookies back to the website server, allowing the website to recognize the user and store certain information on the user's login details, website activities, interests and preferences. The website server then uses this information to improve the user's experience on the website (e.g. automatically displaying login details or re-loading the content the user previously reviewed) or showing advertisements based on the users' interests or browsing history. Cookies are undeniably crucial for target advertising and providing personalized services[1].

As explained above, the use of cookies may be invasive to the privacy of data subjects as they collect significant amount of personal data. Given the intricate functions of cookies, data subjects may often overlook the extent of information collected through cookies and may even be unaware of the existence of cookies in their devices. For this reason, the use of cookies has been subject to heated discussions in many jurisdictions regarding data privacy.

The ICO and the UK

On July 3, 2019, the Information Commissioner's Office (the "ICO") published its new guidance on the use of cookies and similar technologies[2]. The guidance explains the cookie requirements in detail, mainly focusing on obtaining consent for the use of cookies. The ICO stresses that the consent requirements are applicable to non-essential cookies. Cookies (i) that are strictly necessary for the provision of a service requested by the user or (ii) used for the transmission of communication through a network are exempt from such requirements. In this respect, with regard to non-essential cookies (such as analytics or advertising cookies):

  • The use of cookies and similar technologies is based on the data subject's consent and the General Data Protection Regulation's (the "GDPR") standards of consent are directly applicable to cookies.
  • Consent must be freely given, specific and informed.
  • There must be unambiguous and affirmative indication that the data subject confirms the data processing by a statement or positive action. For this reason, consent mechanisms such as pre-ticketed boxes and sliders defaulted to "on" are unacceptable.
  • Similarly, implied consent is also not acceptable (e.g. consent mechanism containing the wording "By continuing to use the website, you agree to our use of cookies").
  • "Cookie walls", a functionality that makes access to a website conditional on giving consent, is not acceptable. The ICO assesses that the consent is not "freely given" if the data subject has no other option but to accept cookies. However, cookie walls that limit access to a specific content on a site may be permitted.
  • Consent is only required on the first visit to the website. However, such consent must be reconfirmed by the user at certain intervals.
  • Legal grounds other than consent (such as legitimate interest) cannot be relied on to place cookies.
  • Operators using third party cookies are as responsible as the data controller. Therefore, websites using third-party cookies must provide information on such third parties and their purposes of processing. The ICO also suggests that third parties have a contract in place with the website operator that obliges the operator to obtain consent and inform data subjects accordingly.
  • After the cookies are set, subsequent processing of personal data may rely on a legal basis other than consent (such as legitimate interest, contractual necessity, complying with legal obligations, etc.). However, the ICO states that consent would still be the appropriate legal ground for processing personal data after the setting of cookies, in particular where the data is used for profiling and targeted advertising.

The CNIL and France

On July 19, 2019, the French Data Protection Authority (the "CNIL") also published new guidelines on cookies and trackers. The CNIL introduced similar requirements to the ICO, establishing consent as the legal basis for the use of non-essential cookies. The CNIL, however, differs from the ICO rules with respect to the below[3]:

  • Unlike the ICO, the CNIL provides a grace period for data controller companies to comply with the CNIL's final guidelines. Accordingly, companies will have six months from the publication of the CNIL's opinion on consent requirements. The CNIL is expected to publish its final guidelines in 2020.
  • The CNIL adopts a strict approach contrary to the ICO with respect to cookie walls and expressly finds them non-compliant with consent requirements.
  • The ICO does not expressly make a distinction among analytic cookies, meaning that these cookies are also subject to consent requirements. The CNIL, on the other hand, exempts certain analytic cookies from consent requirement if they fulfill certain criteria.
  • The CNIL does not suggest anything that the consent is only appropriate legal basis for the processing of data after cookies are set.

The Planet49 Case and the CJEU Decision

On October 1, 2019, the Court of Justice of the European Union (the "CJEU") issued a ruling regarding consent requirements upon the request of the Federal Court of Justice in Germany. The case concerns Planet49, an online gaming company that organized an online lottery and presented the website visitors two pre-ticked checkboxes during the participation process. One of the pre-ticked boxes granted consent to the use of cookies[4].

In line with the opinions of the ICO and the CNIL, the CJEU ruled that valid consent should not be obtained through pre-ticked boxes, since the consent must be provided with a clear, affirmative act. Additionally, the CJEU stated that website operators must provide comprehensive information to users regarding the use of cookies. In particular, such information must include the duration of cookies and the identity of third parties, if such parties have access to cookies[5].

No Cookie Recipe in Turkey

Currently, there is neither a specific provision nor a guideline applicable to cookies in Turkey.

However, the Law No. 6698 on Personal Data Protection Law (the "Law") provides a broad definition of personal data to allow data subjects to exercise control over the data that may identify them. In this respect, if the cookies allow direct or indirect identification of a device, and thus the individual using that device, they might qualify as personal data and be subject to the Law.

Similar to the GDPR, the processing of personal data must rely on a legal ground set forth under the Law (such as consent, legitimate interest, performance of the contract or complying with legal requirements). Theoretically, the Personal Data Protection Board (the "DPA") may require data controllers to obtain explicit consent for certain types of cookies, similar to EU practice, or may consider any other processing ground under the Law for the use of non-essential cookies sufficient. However, for the "strictly necessary" cookies, the DPA may follow the ICO and the CNIL's approach and may not strictly require the existence of a legal ground for data processing under the Law.

Since the Law's enforcement, the DPA has closely followed up on the EU's developments, publishing certain guidelines and decisions that are in line with EU regulations and practices. Even though there is still no guidance on the use of cookies in Turkey, it is expected that the DPA would issue rule a decision or publish guidelines in line with the EU practice.

Comparison Chart

Cookie Requirements

The UK


Legal ground to place non-essential cookies

Consent only

Consent only

Obtaining consent for strictly necessary cookies

Not required

Not required

Is consent obtained via cookie walls valid?

Likely invalid


Is "continued use of the website" regarded as giving consent?



Obtaining consent for analytic cookies


Not necessarily, if they fulfill the CNIL's criteria

Grace period


6 months from the publication of final guidelines

Legal ground for subsequent processing of personal data


Legitimate interest is not recommended

No specific provision

[3] ICO, CNIL and German DPA revised cookies guidelines:


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.