The Personal Data Protection Authority (“Authority”) has updated the “Guidelines on Cookie Practices” (“Guidelines”), which were first published in July 2022, and reissued them in 2025. The updated Guidelines provide important instructions for data controllers regarding the processing of personal data through cookies and set forth the scope of compliance obligations under Law No. 6698 on the Protection of Personal Data (“Law” or “KVKK”) and its secondary legislation.
1. Types of Cookies and Scope
a. In addition to strictly necessary cookies, functional cookies, and marketing/advertising cookies, the Guidelines also introduce analytical and measurement cookies as a separate category.
b. The obligations of data controllers with respect to third-party cookies have been further detailed, and it has been emphasized that consent must be obtained for user profiling and behavioral advertising practices.
c. The functions and purposes of cookie categories have been clarified individually, highlighting the principles of specificity and transparency.
2. Consent and Obligation of Information
a. The Guidelines state that consent for the processing of personal data through cookies cannot be validly obtained via pre-ticked boxes or default settings.
b. Preference interfaces presented to users must ensure equal visibility of “accept all” and “reject all” options, and designs that restrict user choice (e.g., dark patterns) must be avoided.
c. In line with the obligation of information under Article 10 of the Law, the use of a layered information method has been referenced; the first layer should include essential information, while further layers should provide more detailed explanations of processing activities.
3. Retention and Renewal of User Preferences
a. The responsibility to prove and demonstrate compliance with user preferences lies with data controllers. In this regard, user consent must be properly recorded, retained, and made available to the Authority upon request.
4. Cross-Border Data Transfers
a. For transfers of personal data abroad through cookies, the requirements of Article 9 of the Law must be observed. Accordingly, one of the following mechanisms must be in place:
-
- An adequacy decision,
- Standard contractual clauses + Board approval, or
- Consent of the data subject.
b. It has been highlighted that transfer risks should be carefully managed, particularly since providers of advertising technologies and analytics services are predominantly established outside Türkiye.
5. Compliance, Supervision, and Sanctions
a. The updated Guidelines will be taken into account by the Authority during inspections and supervisory activities.
b. Non-compliance with the provisions of the Guidelines may trigger administrative sanctions under Article 18 of the Law. In particular, in cases of unlawful cookie practices, administrative fines may be imposed on data controllers for violations such as failure to comply with the information obligation, breach of data security obligations, and unlawful transfer of personal data.
Guidelines on Cookie Practices
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert
