Data processing activities carried out through cookies have been shaped in the line with the decisions of the Personal Data Protection Board (“Board”) for a while in Turkey. Finally, as of 20.06.2022, the Guideline on Cookie Practices (“Guideline”) was published on the website of the Board for the processing of personal data within the scope of the Code on the Protection of Personal Data numbered 6698 (“the Code”) for website operators that process personal data through cookies. It is seen that the said Guideline has been prepared in parallel with the recent decisions of the Board on cookie practices.
To briefly mention the significant principles in the Guideline:
By this Guideline, cookies are examined by divided into the types. Also, it designates good practice samples to draw a map for the data controllers who process personal data through cookies.
Cookies are defined as low-size rich text-formats that allow some information about users to be stored on users' terminal devices when a website is visited.
Three types of cookies are defined according to their duration, intended use, and respective parties. Cookies are divided into session cookies and permanent cookies according to duration. As for their intended use, cookies are divided into four sub-types: mandatory, functional, performance-analytical, and advertising-marketing. Finally, according to their parties, cookies are divided into first-party and third-party cookies.
The data processing criteria, which are specified in two ways, Criterion A and Criterion B, are clearly indicated for the scenarios specified in Chapter 5 of the Guidelines. To add, Criterion A is defined as the use of the cookie only for the purpose of providing communication over the electronic communication network, while Criterion B is defined as the use of cookies is strictly necessary for information society services that the subscriber or user explicitly requests to receive services. According to section 5 of the Guideline, only “Load Balancing Session Cookies” are referred to under the Criterion A. “User-Input Cookies”, “Authentication Cookies”, “User-Centric Security Cookies”, “Multimedia Player Session Cookies”, “User Interface Personalization Cookies”, “Social Plug-In Content-Sharing Cookies”, “First Party Analytics Cookies”, and “Cookies Used For The Security Of The Website” are expressed under the Criterion B.
As stated in the Board decisions, cookies used for behavioral advertising and social plug-in tracking cookies require explicit consent. The explicit consent requirement naturally covers relevant cookies used for advertising purposes,
including cookies used for impression frequency, financial record keeping, advertising partnership, click fraud detection, research and market analysis, product development and debugging.
In the 7th chapter of the Guideline, the elements of explicit consent are regulated. Accordingly, in order to meet the element of being related to a certain subject, the purpose of use of the cookie, the duration of the cookie determined in accordance with this purpose, and whether the cookie is first or third party should be specified. In addition, explicit consent should be based on informed through the privacy notice. In addition, the explicit consent given in terms of cookies must be revocable. In this respect, the cookie management tab or the tool for which explicit consent is obtained can be included in a part of the website by converting the consent management platform to a band so that the explicit consent can be withdrawn. On the other hand, it is accepted as a good practice example that a cookie management panel appears as soon as the site is entered while explicit consent is obtained and that equally accept, reject, and preferences buttons are presented on the panel.
It has been emphasized in the Guideline that when websites operating in Turkey use cookies and transfer data through companies located abroad, these transactions should be carried out in accordance with the conditions in Article 9 of the Code.
According to the Guideline, if the product or service appeals to children, privacy notices should be written as suitable for the children in a clear language supported with the visuals.
Also, a checklist has been prepared for data controllers in the 1st Annex of the Guideline, making it easier to determine whether the purposes targeted in the Guideline are understandable by data controllers.
In summary, with the Guideline's publication, it is understood that the Personal Data Protection Authority will primarily monitor the personal data processing activities made through cookies. It is recommended for data controllers to take necessary actions to implement their cookie policies on the websites in line with the Guidelines.
You may access the Guideline in Turkish by this link.