Click the button to listen to our legal alert now!
On 11 January 2022, the Personal Data Protection Authority (“Authority“) published the Draft Guideline on Use of Cookies and on 20 June 2022, it published the Guideline on Use of Cookies (“Guideline“). With the Guideline, the Authority aims to bring forward recommendations to ensure compliance of cookie usage procedures followed by data controllers with the Personal Data Protection Law (“Law“).
New development
On 11 January 2022, the Authority opened the draft guideline for public consultation until 10 February 2022. The Guideline sets forth cookie types, the relationship between the Electronic Communications Law No. 5809 (“ECL“) and the Law, various cookie implementation cases,explicit consent and informing mechanisms and the analysis of the Authority’s decision dated 27 February 2020 numbered 2020/173 from a cookie use perspective and further elaborates on cross-border data transfers through cookies. The Guideline also provides a checklist for the use of cookies in its attachment and brings examples of different uses of cookies. The relevant decision is available online here. The Guideline is available online here. Further information on the draft Guideline is available here.
What’s new
The Guideline aims to ensure website operators’ compliance with the Law when using cookies[1] and covers only cookies used for processing personal data. The Guideline does not cover technologies such as pixels, user fingerprints, local storage and beacons. The Guideline applies to desktop and mobile websites and applications.
Definitions and types of cookies
In the Guideline, “cookie” is defined as “a type of text file placed on the user’s device by the website operators and is transferred as part of the HTTP (Hyper Text Transfer Protocol) query.” Another definition given by the Guideline is as follows: “cookies are small sized rich text formats, which allow certain information about users to be stored on terminal devices when a web page is visited.”
The Guideline explains the types of cookies based on three main characteristics: (i) duration of the cookies; (ii) purpose of the cookies; and (iii) parties of the cookies. With regard to their duration, cookies are classified as session cookies and persistent cookies. As to their purpose, cookies are classified as strictly necessary (mandatory), functional, performance-analytical and advertising/marketing cookies. As regards parties, cookies are categorized into two — as first-party and third-party cookies, depending on whether the cookie is placed by the website or the domain visited by the user.
Relationship between the ECL and the Law
According to the Guideline, the Law will be applicable to information society services as, unlike the EU Directive 2002/58/EC, this topic is not regulated under the ECL. In this context, the decision dated 27 February 2020 numbered 2020/173 is highlighted. Additionally, the ECL may partially be applicable to the data controller operators.
Rules regarding explicit consent for the use of cookies
The Guideline emphasizes the two criteria that are used in the EU to determine whether explicit consent is required for the use of cookies. Accordingly, either of the following questions should be answered: “Are cookies used only for providing communication over an electronic communication network?” or “Are cookies strictly necessary for the information society services that are explicitly requested by the subscriber or user?” For cases that do not fall under these two scenarios, either the explicit consent of the data subject must be obtained or another legal basis stipulated under the Law must be reliable. As stated, the explicit consent of the data subject is not required for the use of cookies if one of the legal basis set forth under the Law exists.
The Authority emphasizes that when the use of cookies requires explicit consent of the data subject, the data subject must be provided with clear and specific information and the consent must be obtained based on active action (i.e., opt in) and free will of the data subject in order for the consent to be deemed legitimate. The Authority stated that requesting consent frequently may lead to “consent fatigue” and may compromise the free will of the data subject. Hence, as per the Guideline, instead of obtaining consent every time a user accesses the website, it is sufficient to remind the explicit consent preference of the data subject proportionally throughout the lifetime of a cookie. Finally, the Authority emphasized that obtaining consent for cookies through cookie walls that block the view of the website itself compromises free will since explicit consent will be deemed as a prerequisite for the use of services.
In cases where third-party cookies are used, both the website owner and the third party are responsible for clearly informing the data subjects and obtaining explicit consent in accordance with the Law. The Guideline recommends that the rules regarding the obligation to inform and obtaining consent be regulated in the agreement between the website owner and the third party since it is more difficult for third parties to establish a connection with the data subjects compared to the website owner.
Conclusion
In the Guideline, the Authority aims to guide website operators and those that process personal data through cookies to bring cookie practices in line with the legislation. Stakeholders should review this important Guideline and ensure their compliance with the Law in light of the Authority’s guidance.
[1]The term “website” referred to in the Guideline includes websites or media (such as mobile phones or tablets).