A brief overview of the current EU and Turkish legislation on cookies

Turkey

Everyone who connects to the internet is used to seeing a pop-up window when visiting a website.

This pop-up usually refers to cookies and often contains an explanation of how and why the website uses cookies, and asks whether the person concerned consents to their use.

But what are cookies and why are they important?

Cookies are essentially small text files that are placed on the device (i.e., the user's PC or mobile phone) of the website visitor and allow the website to track certain activities of that person.

Cookies are important because this tracking function is essential to the core operation of many websites and applications.

For example, an e-commerce website would remember the contents of a user's shopping cart if they had previously added an item to the cart and then continued shopping for other items without purchasing the first items in the cart.

In the EU, the use of cookies is separately regulated by the e-Privacy Directive and the General Data Protection Regulation (“GDPR”). In Turkey, on the other hand, there is no legislation which solely regulates cookies, but there are two (2) pieces of legislation that apply to the placement of cookies on devices and their use.

Categorization of cookies

Cookies can be divided into different categories, e.g., functional, advertising, session, persistent, flash, zombie and targeting cookies.

There is a more important distinction that relates to the entity that places the cookies on the individual's device: first-party cookies and third-party cookies.

First-party cookies

First-party cookies are usually placed on users' devices by the owner of the websites/apps concerned and serve the purposes of the owner of that website.

These purposes include the collection of analytical data about visitors to the website in question or the storage of the language preferences of each individual user.

Third-party cookies

Increasingly, cookies are set on websites not only by the owners of the website but also by third parties.

Third-party cookies primarily serve the interests of third parties, e.g., to target advertising to individuals based on their specific interests: a phenomenon known as online behavioral advertising.

Provisions of EU law on the use of cookies

In the EU, the use of cookies is separately regulated by the e-Privacy Directive and GDPR.

E-Privacy Directive

In accordance with the e-Privacy Directive, the user's consent must be obtained before cookies can be placed on the user's device.

However, there is an exception for cookies that are necessary for the performance or facilitation of the transmission of a communication over an electronic communications network (i.e., the communications exception) and for cookies that are strictly necessary for the provision of information society services (i.e., the strict necessity exception), for which no consent requirement applies.

While determining cookies that fall within the communications exception is a rather straightforward matter, what is strictly necessary is usually a contextual question and is sometimes hotly debated.

In general, however, strictly necessary cookies are those that are necessary for the website to fulfil its basic functions or legal obligations (e.g., managing a shopping cart in e-commerce or preventing fraud when using the website).

In most cases, a strictly necessary cookie is a first-party cookie that serves the basic website needs mentioned above.

In cases where none of the above exceptions apply, the consent of the user concerned must be obtained for the placement of cookies on their devices.

The e-Privacy Directive refers to Directive 95/46/EC, the predecessor of the General Data Protection Regulation, on obtaining such consent. All references to Directive 95/46/EC are now deemed to be references to the GDPR.

As a result, consent under the e-Privacy Directive must now be obtained based on the provisions of the GDPR. This means that the cookie owner must meet all the criteria of the GDPR to obtain consent to set a cookie on the device of the user concerned.

Finally, there is an ongoing debate as to whether obtaining consent to cookies based on the GDPR would only allow the cookie owner to place cookies on the individual's device or whether it would allow them to process further personal data obtained from the cookies.

Once a cookie holder has obtained consent to place cookies, any further processing to be carried out based on consent (e.g., the use of cookies for profiling) will usually require a second consent.

However, if the further processing is carried out on a different legal basis (e.g., legitimate interest), a second consent may not be required, although all other criteria of the GDPR, such as the information requirements, still apply.

GDPR

In general, the GDPR regulates the processing of personal data. Since personal data is collected and processed via cookies, the GDPR also becomes relevant in various ways when cookies are used.

As mentioned above, the e-Privacy Directive explicitly refers to Directive 95/46/EC, the predecessor of the GDPR, and states that users must be provided with "clear and comprehensive information" and their consent to the use of cookies must be obtained in accordance with Directive 95/46/EC.

As Directive 95/46/EC has been replaced by the GDPR, all users must now be informed about the use of cookies in accordance with the GDPR. In addition, their consent must be obtained for the initial placement of cookies in accordance with the GDPR, unless one of the exceptions listed above applies (i.e., the communications exception or the strict necessity exception).

In addition to the application of the information and consent requirements, the general data processing principles of the GDPR apply in full to the extent that personal data are processed via cookies.

Accordingly, cookie holders must comply with the data processing principles listed in the GDPR, such as lawfulness, transparency, purpose limitation, data minimization and accuracy.

If the cookie holders intend to process further data via cookies after setting such cookies, they must also create a legal basis for this processing.

If the legal basis in this case is consent (necessary for intrusive processing such as online behavioral advertising), then separate consent must be obtained based on the GDPR. If an alternative basis for such further processing can be established, consent may not be necessary.

Provisions of Turkish law on the use of cookies

Unlike the EU, there is no specific legislation in Turkish law that solely refers to the use of cookies in general, but two pieces of legislation should apply to the placement of cookies on devices and their use: the Electronic Communications Law and the Turkish Data Protection Law.

In addition, the Turkish Data Protection Authority has published guidance on cookies (“Guideline”), which must also be considered.

You will find further explanations below:

Electronic Communications Law

The Electronic Communications Law defines certain obligations regarding the placement of cookies on terminal equipment. However, these obligations apply primarily to the operators of electronic communications networks and not to other entities that might place cookies on terminal equipment.

There is a single provision in the Electronic Communications Law that governs cookies, and this provision is similar to Article 5/3 of the e-Privacy Directive (which lists the above-mentioned communications exception and the strict necessity exception).

Based on this provision (Article 51 of the Electronic Communications Law), providers of electronic communications networks may store information about subscribers' or users' devices and access this information for the sole purpose of providing communications services without obtaining the consent of the user concerned.

While the above-mentioned communications exception (as also provided for in the e-Privacy Directive) appears to be applicable under the Electronic Communications Law, the strict necessity exception does not apply.

This means that providers of electronic communications networks should not automatically be able to rely on the strict necessity exemption for setting cookies on devices.

As mentioned above, the Electronic Communications Law applies to operators, and therefore the consent requirement and the exemption from this obligation regulated in it apply to operators and not to other entities that might place cookies on devices.

This means that the use of cookies by other entities does not fall within the scope of the Electronic Communications Law and is subject to the Turkish Data Protection Law, as further explained below.

Turkish Data Protection Law

The Turkish Data Protection Law (“Law”) is the general legal provision that regulates data protection issues in Turkish legal practice. Even though the Law does not explicitly regulate cookies, the provisions of the Law are applicable to the use of cookies. Moreover, it is generally accepted that the Law should also apply to the use of cookies, including their placement on devices.

As a result, it has been argued that in cases where cookies are strictly necessary, cookie holders do not need to obtain the consent of the user concerned for the placement of these cookies. Such placement could be based on various other legal provisions (e.g., legitimate interest or legal obligation).

On the other hand, it was argued that in cases where privacy-invasive processing (e.g., profiling) could be considered, it could only be done based on consent.

Although these discussions and interpretations of the Law have provided guidance to practitioners on how to deal with cookies in Turkish legal practice, there is still a lack of clarity in this area.

This prompted the Turkish Data Protection Authority (“Authority”) to recently publish a guide on cookies, as explained above.

Guideline

While this Guideline is not a binding legal instrument like the Law, it clarifies various issues on how cookies should be regulated under Turkish law.

The Guideline refers to the two cookie exemptions: the communications exemption and the strict necessity exemption (as also defined in the e-Privacy Directive).

The Guideline also recognizes that Turkish law does not expressly provide for these exceptions. Therefore, the Guideline lists cases where these exceptions might interact with the provisions of the Law (i.e., whether such consent exceptions might apply based on the actual provisions of the Law).

For example, the Guideline states that load balancing cookies could be placed on devices based on the legitimate interest criterion and could also fall under the communications exception.

However, even if the basis for processing is not consent (which means that the exemptions under the Guideline could apply), the other provisions of the Law would apply.

As a result, cookie holders would be obliged to comply with their information obligations (i.e., to inform data subjects about the relevant data processing activities) and to respect the general data processing principles of the Law, such as lawfulness and proportionality.

Although the recognition of the two exemptions in the Guideline is useful, it should be remembered that the Guideline is not a binding instrument in the sense of the Law.

This means that the exceptions provided for in the Guideline are not always compatible with a legal basis for processing under the Law. Therefore, any processing based solely on the provisions of the Guideline that disregards the provisions of the Law could be challenged before the authorities. Consequently, controllers should ensure that their processing complies with the Law and does not rely solely on the exceptions provided for in the Guideline.

Finally, the Guideline does not provide clarification on the distinction between the placement of cookies and their further use for data processing (as regulated in the EU under the e-Privacy Directive and the GDPR).

It follows that the principles of the Law and the related clarifications in the Guideline apply separately to the placement of cookies and their continued use. This means that cookie holders must comply with the provisions of the Law when placing and continuing to use cookies.

Conclusion

Turkish Data Protection Law has been heavily influenced by Directive 95/46/EC, and various decisions by the Authority have confirmed that Turkish legal practice follows in the EU's footsteps.

The new guideline further strengthens this understanding.

However, as mentioned, the Guideline is not a binding legal instrument under Turkish law. While it is possible to refer to the Guideline to resolve certain ambiguities, it should not be considered strictly binding on controllers and cookie holders.

This means that cookie holders must continue to comply with the principles of the Law when placing and using cookies.

We also expect that the Turkish Data Authority will continue to monitor developments in this area and that both guidelines and legal acts will come into force in the coming days.

For more information on data protection laws and data privacy in Turkey, please contact your CMS client partner or local CMS experts: Sinan Abra.