The Personal Data Protection Authority published its Draft Guideline on Cookie Applications on 11.01.2022.
The guideline is intended as advice and a roadmap for data controllers who process personal data through cookies. It has been shared with the public for a period of 30 days for comment. Interested parties should send their opinions to the Authority in writing or via e-mail to cerez@kvkk.gov.tr until 10.02.2022.
The guideline only covers the processing of personal data through cookies; cookies that are not used for personal data processing and other online tracking methods such as pixels, user fingerprints, local storage and beacons are excluded from its scope. The guideline is not limited to cookies used on websites; it will also apply to applications used on smartphones, tablets and other devices that can connect to the internet.
The definition and types of cookies are included in the guideline. A cookie is defined as a type of text file placed on the user's device by website operators.
The guideline addresses the interplay between the Electronic Communications Law No. 5809 and the Law No. 6698 on the Protection of Personal Data (“PDPL”). It states that the subject of cookies is not clearly regulated under the PDPL. However, since the third paragraph of Article 51 of the Electronic Communications Law No. 5809 partially corresponds to the third paragraph of Article 5 of the EU Directive 2002/58/EC, it has been evaluated that Law No. 5809 can have a limited area of application with respect to data controller operators.
Within the framework of the rules to be considered regarding cookies, the Guideline notes that, in the European Union, informed consent is not required for cookies if either of the following two criteria is met.
- Criterion A: The cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
- Criterion B: The cookie is strictly necessary for the provision of an information society service requested by the subscriber or user.
Within the scope of the PDPL, it is stated that one of the following conditions should be considered for the processing of personal data through cookies:
- Explicit consent or
- Another data processing condition listed in Articles 5 and/or 6 of the Law, as determined by the data controller's evaluation of the personal data processing activity carried out through cookies
Cookie usage scenarios that require/do not require explicit consent are also explained in detail in the Guideline.
The Guideline also explains that explicit consent should be obtained in accordance with the PDPL and what form that consent should take. As defined in the PDPL, explicit consent must relate to a specific subject, be based on information, and be expressed with free will. Explicit consent should be obtained through active affirmative action, by specifically and separately informing the persons concerned about what they are asked to consent to. It is also stated that user consent that is not based on any active action cannot be considered explicit consent.
The Guideline provides that an appropriate privacy policy should be prepared. Accordingly, regardless of the data processing condition relied on, in all cases where personal data is obtained, the data controller must fulfil the obligation to inform at the latest when the data is obtained, and the burden of proof is on the data controller. In addition, the privacy policy should be easily accessible and noticeable, and methods that would make it difficult for the data subject to access the privacy policy should not be used.