Cookies
Cookies play a crucial role in personalizing and improving the user experience in the digital world. Although the use of cookies contributes greatly to personalizing the internet experience and remembering users’ online preferences, this process has also raised various privacy and data protection concerns. One of the biggest concerns regarding the processing of personal data through cookies is that users are often unaware of this process or that sufficient transparency is not provided regarding the use of cookies. Since cookie policies and privacy statements are often not presented in a manner that is easily accessible and understandable to users, this situation prevents users from knowing how to protect their online privacy. As a result, they lack sufficient control over their data, which makes it difficult to manage it and restrict their online tracking.
As a result of the privacy and data protection concerns that are frequently discussed among practitioners regarding cookies, in recent years, many countries, including Turkiye, have seen data protection authorities establish rules and principles regarding the processing of personal data through cookies, publish guidelines, and issue decisions imposing penalties on data controllers.
The Board prepared a document titled the “Guidelines on Cookies Applications” (“Guidelines”) with the aim of providing recommendations and guidance to data controllers processing personal data through cookies. The Guidelines were published on the Board’s website in June 2022. The Guidelines generally address cookies and their types, and classify cookie types according to their duration, purposes of use, and parties involved. The Guidelines also examine the relationship between Law No. 5809 on Electronic Communications (“ECL”) and the Personal Data Protection Law. They explain that if a cookie is used solely for providing communication via an electronic communications network and if the data controller holds the status of an operator within the scope of the ECL, data processing can take place without obtaining explicit consent. The Guidelines state that, except for the limited cases mentioned above where the ECL applies to cookie practices, the provisions of the Personal Data Protection Law will apply, and the principles and legal bases for data processing set forth in the Law must be observed even when personal data is processed through cookies.
The Guidelines also include detailed explanations regarding explicit consent and disclosure for cases where explicit consent is required. Accordingly, when obtaining explicit consent under the Guidelines, a cookie management panel should be displayed to the visitor as soon as they enter the site, offering “accept,” “reject,” and “preferences” buttons in equal color, size, and font. The visitor should have the opportunity to approve or disapprove cookies that cannot be used without explicit consent via the preferences button, and cookie applications based on explicit consent should initially be in a closed/passive state. The Guidelines state that the explicit consent declarations obtained from individuals by data controllers must follow an opt-in system, meaning that individuals must give prior approval for the processing of their personal data through a conscious action. Additionally, to prevent consent fatigue, the Guidelines emphasize that explicit consent should not be requested every time the individual visits the site. For visitors who have once rejected cookies requiring explicit consent, reminders should only be made periodically in proportion to the lifespan of the relevant cookie. Furthermore, systems known as “cookie walls,” which block access to a website and prevent visitors from using the site unless they consent to cookie applications, are not considered compliant with the Law.
It should be noted that the principles established by the Law regarding the obligation to inform also apply to cookies in the same manner. Regardless of whether data processing through cookies is based on the visitor’s explicit consent or another legal basis, visitors must be informed in compliance with the Law for each data processing activity carried out via cookies.
The Guidelines, which shed light on all aspects of cookie usage, including legal grounds, cases requiring consent, legal conditions for consent, and information processes, also highlight key points that data controllers should pay attention to. Additionally, the subject has been made more concrete with clear and understandable examples.
It is crucial for data controllers to review the compliance of their current cookie practices with the Guidelines published by the Authority and to ensure that their personal data processing activities through cookies are in line with the law. Indeed, when examining cookie practices, it is observed that some do not provide users with a “reject” option, some do not offer the rejection option as easily as the acceptance option, and some still use the opt-out system. In addition to incorrect implementations, even in cases where cookie practices are designed in accordance with the Guidelines, it should not be forgotten that insufficient transparency in cookie usage terms, as well as making access to informative texts difficult through hyperlinks, can undermine the validity of explicit consent.
First published by Gün + Partners on Mar 04, 2025.