April 13, 2022

Turkey’s Data Protection Authority Published Draft Cookie Guidelines

The Turkish DPA published draft cookie guidelines on 11 January 2022 for public consultation. The draft guidelines set out requirements related to the use of cookies and provide recommendations for website operators. Check out the cookie guidelines of Turkey’s DPA here.

Turkish DPA - KVKK has published its draft cookie guidelines in early 2022. The draft guidelines aim to shed light on how the supervisory authority would treat the use of cookies by website operators and operators of mobile applications. 

What is the Data Protection Law in Turkey?

Turkey’s Personal Data Protection Law No. 6698 (Kişisel Verileri Koruma Kanunu - KVKK) came into force on 7 April 2016. The KVKK is the first specific law in Turkey that regulates the protection of personal data in Turkey. Until the KVKK, data protection was regulated by sectoral laws as well as the Constitution of Turkey and the Turkish Penal Code. 

What is the Turkish DPA?

Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) is the national data protection authority in Turkey. The Turkish DPA is a public legal entity and has administrative and financial autonomy. It has been established to carry out duties conferred on it under the Turkish Data Protection Law, KVKK. 

What are the Turkish DPA Cookie Guidelines?

On January 11, 2022, the Turkish DPA published draft guidelines on the use of cookies for public consultation (“Draft Guidelines”). The Draft Guidelines are not final yet and may be subject to changes based on the comments received from other stakeholders. 

The main part of the Draft Guidelines is about assessing whether the use of various cookie types requires explicit consent of the data subjects. The assessment is based on two criteria:

  • The first criterion covers the use of cookies for the sole purpose of carrying out or facilitating the transmission of communication over an electronic communications network; and
  • The second criterion covers the use of cookies that is strictly needed to enable the information society service explicitly requested by the user. 

According to the assessment, the Turkish DPA sets out the types of cookies that require explicit consent and those that do not require prior consent. 

The following cookies require prior explicit consent of the data subjects:

  • Social media plug-in tracking cookies.
  • Online behavioral advertising cookies

The following cookie types may be used without prior explicit consent of the data subjects:

  • user input cookies; 
  • identity authentication cookies; 
  • user-centric security cookies; 
  • multimedia player session cookies; 
  • load-balancing session cookies; 
  • user interface customization cookies; 
  • social plug-in content-sharing cookies; 
  • cookies used for the explicit consent management platform; 
  • cookies used for website security; and
  • first-party analytics cookies

First Party Analytics Cookies

According to the Draft Guidelines, the first-party analytics cookie may be used without prior explicit consent of data subjects only under certain circumstances. These include: 

(i) use of first-party analytics cookies concerns only the generation of anonymous statistics; 

(ii) user's internet browsing is not used to tracking them across different websites; 

(iii) cookie lifespan of cookies is reasonable; and 

(iv) data collected through the use of cookies must not be communicated to third parties.

How to obtain explicit consent?

The Draft Guidelines set out requirements for obtaining explicit consent. The Turkish DPA specifies that the consent must be specific, informed, freely given.

Specific consent. The purposes of cookies, their duration, and information about whether they are first or third-party cookies must be provided before the collection of consent. Providing generic information such as “I consent to the processing of my personal data” would not be specific and thus not valid.

Informed consent. The information must be provided before or at the time of collection of personal data and must be easily accessible and noticeable and the content of the information must be simple, easy to understand, and comprehensible.

Freely given. It must be easy to withdraw consent at any time. It is recommended to have a tiny icon or button that is linked to the cookie settings page remain visible all the time on the website. 

It is recommended that the frequency of re-presenting to the users the cookie banner to obtain their cookie consent preferences should be limited. The Turkish DPA states that this would cause “consent fatigue” and affect the free will of users. However, it is not suggested how many months must be elapsed before you should ask for renewal of consent. 

It is further recommended to have an “Accept”, “Reject” and “Preferences” button presented of the same color and size. 

Besides, the cookie banner should include a link to the privacy policy, and cookies that require prior consent must be un-ticked. 

Cookie walls

The Turkish DPA considers the use of cookie walls to be unlawful. This is because the cookie walls prevent the users from making a free choice based on their free will. 

Are Draft Guidelines Binding?

The Draft Guidelines are not legally binding under Turkish law but they are important in the sense that they present the Turkish DPA’s approach and expectations on the relevant matter and they shed light on the logic behind the decisions of the DPA.

Examples of Cookie Banners

The Draft Guidelines provide examples of compliant and non-compliant cookie banners:

1) The following 2-layer cookie banner is provided as an example of good practice by the Turkish DPA:

Layer 1

text

Layer 2

text

2) The following cookie banner is an example of a non-compliant cookie banner:

There is no option to reject the cookies

It is not clear whether the “More information” link redirects to the cookie preference panel or cookie policy (it must be clearly distinguishable)

text

3) The following cookie banner is an example of a non-compliant cookie banner:

  • There are no accept, reject, and cookie preference buttons
  • There is no possibility to give granular consent
  • The consent cannot be considered to be freely given
text

4) The following example is a non-compliant cookie banner:

  • The preference center includes pre-selected slide bars (similar to pre-ticked boxes)
text

How Secure Privacy Can Help You Comply with Turkish DPA Cookie Guidelines?

Secure Privacy comes packed with enterprise-level features that will help you fully comply with Draft Guidelines cookie guidelines and the GDPR in general.

The main features are:

  • Advanced ongoing website scanning which allows you to see all of the cookies on your website
  • Cookie consent banners that are highly customizable and stylish, with a universal preference center for users to opt-in and opt-out of the cookies and other tracking technologies
  • Unique cross-domain consent capability that allows your users to manage their cookie preferences across different domains in a single step
  • A privacy policy generator that automates the creation of your cookie notice in order to meet GDPR disclosure requirements
  • Over 70 languages supported
  • Real-time logs and consents tracking to ensure you maintain records of the consent you receive from users in case CNIL requests it
  • A future-proof GDPR compliance solution that is also compliant with CCPA in California and LGPD in Brazil.

Book a call today if you would like more information about Secure Privacy and GDPR Cookie Consent compliance, or if you would like our data protection expert to perform a quick 'check-up' of your website, cookie consent banner, or cookie policy.

Alternatively, you can sign up for a free trial of our complete GDPR compliance solution here.

Relevant Links

Turkey DPA official website

Turkey DPA Draft Cookie Guidelines (available in Turkish)