On January 11th, 2022, Personal Data Protection Authority (‘’Authority’’) has published a ‘’Draft Guideline on Cookie Policies’’ (‘’Guideline’’) on its website. The Authority presented the guideline to the public until February 10th, 2022, in order to have opinions of the related parties. Accordingly, opinions and evaluations regarding the Guideline may be sent to the Authority in writing and/or by e-mail to cerez@kvkk.gov.tr until February 10th, 2022.
With the Guideline, the Authority makes recommendations for the compliance with the Personal Data Protection Law numbered 6698 (‘’PDPL’’) relating to the use of cookies by data controllers who operate a website which process personal data through cookies.
The guideline is regarding topics such as, definition of cookies and type of cookies in general, relation between the Electronic Communication Law numbered 5809 (‘’ECL’’) and PDPL, rules to be considered when using cookies, and cookies requiring or not requiring the granting of explicit consent.
Cookies are not specifically regulated within the Law, and the provisions of E-Privacy Directive numbered 2002/58/EC regarding information society services are not included in the ECL. Since ECL only applies to the companies which provide electronic communication services and/or electronic communication networks and operate their infrastructure, ECL may only be applied to data controller operators.
In the Guideline, cookies are defined as ‘’rich text format files with small blocks of data which store certain information about users in the terminal devices of the users while a user is browsing a website’’ and types of cookies are classified according to their duration, purpose of use and parties.
According to the Guideline, regarding the use of cookies which require explicit consent, the following criteria of European Union should be considered while processing personal data through cookies:
According to the Guideline, explicit consent is required for the cookies which are not within the scope of the above-mentioned criteria (Criteria A and Criteria B) and which do not meet any of the data processing conditions stipulated under the PDPL.
According to the Guideline, for the personal data processing activity through cookies to be realized (i) an explicit consent or (ii) data processing conditions stipulated under PDPL Article 5 and/or 6 are required.
According to the Guideline, entering a website shall not be considered as granting explicit consent for the data processing via cookies on that website. Besides, according to the Authority, obtaining consent at frequent intervals may cause consent fatigue and defect the will of the data subject and instead of obtaining consent at every log in to the website, the explicit consent preference of the data subject may be reminded periodically within the duration of the cookies.
Lastly, pursuant to the Guideline, regarding the data controllers obligation to inform the data subject regarding cookies, Article 10 of the PDPL and the Communique on the Rules and Procedures to be Followed in the Fulfilling of the Obligation to Inform must be complied with. |