Turkish Data Protection Law: Notes on the Guidelines About Cookie Implementations

On June 20, 2022, the Personal Data Protection Authority (“Authority”) published the Guidelines on Cookie Implementations (“Guidelines”) on its website.

The Guidelines contain recommendations for website operators who use cookies to process personal data for purposes that fall under the scope of the Law No. 6698 on the Protection of Personal Data (“Law”).

In the Guidelines, the Authority first explains the types of cookies, then sets out the rules to be considered regarding cookies, and finally explains cookie usage scenarios that fall under processing conditions other than explicit consent.

  1. Cookies and Cookie Types in General

According to the Guidelines, a cookie is defined as a type of text file that website operators place on a user's computer. Types of cookies are categorized based on their duration, function, and parties.

Cookies by duration: session cookies, permanent cookies

Cookies by purpose of use: strictly necessary cookies, performance-analytical cookies, functional cookies, targeting cookies

Cookies by parties: first party, third party

  1. Rules to Consider Regarding Cookies

When personal data is processed through cookies, the Guidelines advise data controllers to consider the following criteria in accordance with Law No. 6698:

· The cookie is used only for the purpose of providing communication over the electronic communication network,

· The use of the cookie is strictly necessary for information society services that the subscriber or user has explicitly requested to receive.

Conditions for the Processing of Personal Data Using Cookies under the Law No. 6698

· Explicit consent, or

· Other data processing conditions listed in Articles 5 and/or 6 of the Law, which should also be considered based on the data controller's evaluation of the personal data processing activity carried out through cookies.

  1. Scenarios of Cookie Usage Under Conditions Other Than Explicit Consent

The Guidelines use usage scenarios to highlight the purposes of cookie use that can be based on personal data processing conditions other than explicit consent.

  1. User-input Cookies

These session cookies track user inputs and transmit them to the service provider. They are typically first-party cookies that rely on a Session-ID, a unique number used for identification, and are expected to expire at the latest at the end of the session.

  1. Authentication Cookies

When a user logs into a website, authentication cookies are used to identify the user (for example, on an online banking site). These cookies are required to access a website or a piece of content (for example, checking bank accounts, or making money transfers).

These cookies are typically session cookies, though occasionally permanent cookies may also be present.

  1. User‑centric Security Cookies

These cookies are meant to improve security within the scope of a service that the user has specifically requested. Two examples are cookies used to track repeated unsuccessful login attempts on a website and other cookies intended to guard the login system from abuse.

In order to serve the security purpose, user-centric security cookies should last longer than account login cookies.

  1. Multimedia Content Player Session Cookies

These cookies are used to store the technical data required for audio or video content to be replayed (e.g., image quality, network connection speed, buffer parameters).

  1. Load Balancing Session Cookies

With the aid of a technique called load balancing, it is possible to spread out web server requests among several machines as opposed to one. Thus, a load balancing gateway forwards user web requests to the pool of internal servers that can facilitate them.

Where the redirect needs to be persistent throughout the session, all requests from a particular user are always forwarded to the same server in the pool to ensure the consistency of the transaction. The information stored in these session cookies is used only to identify a communication endpoint (one of the servers in the pool).

There is no need for explicit consent because the cookie is required for network communication.

  1. User Interface Personalization Cookies

These cookies are used to save the user's preferences for a service on web pages and are not linked to persistent identifiers like a username. They can only be set when the user specifically requests that a certain piece of information be remembered (for example, by clicking a button or ticking a box). Such session cookies are considered cookies that do not require explicit consent.

  1. Social Plug-in Content Sharing (like, share, comment) Cookies

Social network users can share their favorite content or comments with their "friends" by using the "social plug-in modules" that many social networks offer website operators.

In order to allow the social network to identify its users as soon as they interact with the mentioned plug-ins, these social plug-in modules store and access cookies on the terminal equipment of the users.

  1. Cookies Used for the Explicit Consent Management Platform

Among the cookies used on websites that the persons concerned visit, these are the cookies that remember, for a certain amount of time, the preferences regarding explicit consent for the cookies that are subject to explicit consent. They do not require explicit consent.

  1. First Party Analytical Cookies

The management of a website or application requires the use and generation of traffic and/or performance statistics for the website or application to operate properly and thus provide the service. These cookies are only used to determine the site or application's target audience.

  1. Cookies Used for the Security of the Website

Since the user won't be able to access the requested service if the website is unable to provide services or is shut down due to a security flaw, it is considered that the cookies used for website security are necessary for the service requested by the user.

  1. Cookie Usage Scenarios within the Explicit Consent Processing Condition

The scenarios listed above do not apply to these cookie usage situations. Online behavioral advertising cookies and social plug-in tracking cookies are two examples of these situations.

  1. Key Points Emphasized in the Guidelines

The Guidelines highlight that, because obtaining consent frequently may result in "consent fatigue" and damage the free will of the person in question, it is necessary to remind the person of their explicit consent preference periodically (at intervals proportional to the lifetime of the cookie in question) rather than obtaining their consent each time they enter a site.

Additionally, the Guidelines state that, in the context of freely given explicit consent, cookie walls may prevent the person in question from making a valid choice when expressing their consent. Where consent to cookies is required as a condition of accessing the website, the cookie wall may breach the person's free will, and in these circumstances the explicit consent obtained will not be a valid explicit consent.

Furthermore, if a website uses third-party cookies, both the website owner and the third party are responsible for making sure that users are informed about them and that their consent is obtained.

Clarification should be provided in a way that is simple to understand, clear to all parties involved, and comprehensive. The existence of lengthy Privacy Notices on a website that cover a wide range of topics cannot be seen as fulfilling the obligation to inform.

Besides this, if obtaining explicit consent is a requirement for processing personal data, the obligation to inform and the obligation to obtain explicit consent must each be met separately.

  1. Transfer of Personal Data Abroad

Apart from the requirement for explicit consent, the data controllers in Turkey and the relevant foreign country must provide adequate protection in writing if the processing conditions outlined in the second paragraph of Article 5 or the third paragraph of Article 6 of Law No. 6698 are met. The concerned person's personal information may be transferred overseas if they agree to do so and have the Personal Data Protection Authority's approval.

In cases where websites based in Turkey use cookies from companies based abroad and conduct data transfer operations through these cookies, it can be said that this data transfer operation must be conducted in accordance with the requirements in Article 9 of Law No. 6698.

Kind regards,

Zumbul Attorneys at Law

info@zumbul.av.tr