Everyone who connects to the internet is used to seeing a pop-up window when visiting a website.
But what are cookies and why are they important?
Cookies are essentially small text files that are placed on the device (i.e., the user's PC or mobile phone) of the website visitor and allow the website to track certain activities of that person.
Cookies are important because this tracking function is essential to the core operation of many websites and applications.
For example, an e-commerce website would remember the contents of a user's shopping cart if they had previously added an item to the cart and then continued shopping for other items without purchasing the first items in the cart.
Categorization of cookies
Cookies can be divided into different categories, e.g., functional, advertising, session, persistent, flash, zombie and targeting cookies.
There is a more important distinction that relates to the entity that places the cookies on the individual's device: first-party cookies and third-party cookies.
First-party cookies
First-party cookies are usually placed on users' devices by the owner of the websites/apps concerned and serve the purposes of the owner of that website.
These purposes include the collection of analytical data about visitors to the website in question or the storage of the language preferences of each individual user.
Third-party cookies
Increasingly, cookies are set on websites not only by the owners of the website but also by third parties.
Third-party cookies primarily serve the interests of third parties, e.g., to target advertising to individuals based on their specific interests: a phenomenon known as online behavioral advertising.
In accordance with the e-Privacy Directive, the user's consent must be obtained before cookies can be placed on the user's device.
However, there is an exception for cookies that are necessary for the performance or facilitation of the transmission of a communication over an electronic communications network (i.e., the communications exception) and for cookies that are strictly necessary for the provision of information society services (i.e., the strict necessity exception), for which no consent requirement applies.
While determining cookies that fall within the communications exception is a rather straightforward matter, what is strictly necessary is usually a contextual question and is sometimes hotly debated.
In general, however, strictly necessary cookies are those that are necessary for the website to fulfil its basic functions or legal obligations (e.g., managing a shopping cart in e-commerce or preventing fraud when using the website).
In most cases, a strictly necessary cookie is a first-party cookie that serves the basic website needs mentioned above.
In cases where none of the above exceptions apply, the consent of the user concerned must be obtained for the placement of cookies on their devices.
The e-Privacy Directive refers to Directive 95/46/EC, the predecessor of the General Data Protection Regulation (GDPR), on obtaining such consent. All references to Directive 95/46/EC are now deemed to be references to the GDPR.
As a result, consent under the e-Privacy Directive must now be obtained based on the provisions of the GDPR. This means that the cookie owner must meet all the criteria of the GDPR to obtain consent to set a cookie on the device of the user concerned.
Finally, there is an ongoing debate as to whether obtaining consent to cookies based on the GDPR would only allow the cookie owner to place cookies on the individual's device or whether it would allow them to process further personal data obtained from the cookies.
However, if the further processing is carried out on a different legal basis (e.g., legitimate interest), a second consent may not be required, although all other criteria of the GDPR, such as the information requirements, still apply.
In general, the GDPR regulates the processing of personal data. Since personal data is collected and processed via cookies, the GDPR also becomes relevant in various ways when cookies are used.
In addition to the application of the information and consent requirements, the general data processing principles of the GDPR apply in full to the extent that personal data are processed via cookies.
Accordingly, cookie holders must comply with the data processing principles listed in the GDPR, such as lawfulness, transparency, purpose limitation, data minimization and accuracy.
If the cookie holders intend to process further data via cookies after setting such cookies, they must also create a legal basis for this processing.
If the legal basis in this case is consent (necessary for intrusive processing such as online behavioral advertising), then separate consent must be obtained based on the GDPR. If an alternative basis for such further processing can be established, consent may not be necessary.
In addition, the Turkish Data Protection Authority has published guidance on cookies (“Guideline”), which must also be considered.
You will find further explanations below:
Electronic Communications Law
The Electronic Communications Law defines certain obligations regarding the placement of cookies on terminal equipment. However, these obligations apply primarily to the operators of electronic communications networks and not to other entities that might place cookies on terminal equipment.
There is a single provision in the Electronic Communications Law that governs cookies, and this provision is similar to Article 5(3) of the e-Privacy Directive (which lists the above-mentioned communications exception and the strict necessity exception).
Based on this provision (Article 51 of the Electronic Communications Law), providers of electronic communications networks may store information about subscribers' or users' devices and access this information for the sole purpose of providing communications services without obtaining the consent of the user concerned.
While the above-mentioned communications exception (as also provided for in the e-Privacy Directive) appears to be applicable under the Electronic Communications Law, the strict necessity exception does not apply.
This means that providers of electronic communications networks should not automatically be able to rely on the strict necessity exception for setting cookies on devices.
As mentioned above, the Electronic Communications Law applies to operators, and therefore the consent requirement and the exemption from this obligation regulated in this Law apply to operators and not to other entities that might place cookies on devices.
Turkish Data Protection Act
As a result, it has been argued that in cases where cookies are strictly necessary, cookie holders do not need to obtain the consent of the user concerned for the placement of these cookies. Such placement could be based on various other legal provisions (e.g., legitimate interest or legal obligation).
On the other hand, it was argued that in cases where privacy-invasive processing (e.g., profiling) could be considered, it could only be done based on consent.
Although these discussions and interpretations of the Law have provided guidance to practitioners on how to deal with cookies in Turkish legal practice, there is still a lack of clarity in this area.
This prompted the Turkish Data Protection Authority (“Authority”) to recently publish a guide on cookies, as explained above.
While this Guideline is not a binding legal instrument like the Law, it clarifies various issues on how cookies should be regulated under Turkish law.
The Guideline refers to the two cookie exemptions: the communications exemption and the strict necessity exemption (as also defined in the e-Privacy Directive).
The Guideline also recognizes that Turkish law does not expressly provide for these exceptions. Therefore, the Guideline lists cases where these exceptions might interact with the provisions of the Law (i.e., whether such consent exceptions might apply based on the actual provisions of the Law).
For example, the Guideline states that load balancing cookies could be placed on devices based on the legitimate interest criterion and could also fall under the communications exception.
However, even if the basis for processing is not consent (which means that the exemptions under the Guideline could apply), the other provisions of the Law would apply.
As a result, cookie holders would be obliged to comply with their information obligations (i.e., to inform data subjects about the relevant data processing activities) and to respect the general data processing principles of the Law, such as lawfulness and proportionality.
Although the recognition of the two exemptions in the Guideline is useful, it should be remembered that the Guideline is not a binding instrument in the sense of the Law.
This means that the exceptions provided for in the Guideline are not always compatible with a legal basis for processing under the Law. Therefore, any processing based solely on the provisions of the Guideline that disregards the provisions of the Law could be challenged before the authorities. Consequently, controllers should ensure that their processing complies with the Law and does not rely solely on the exceptions provided for in the Guideline.
Finally, the Guideline does not provide clarification on the distinction between the placement of cookies and their further use for data processing (as regulated in the EU under the e-Privacy Directive and the GDPR).
Turkish Data Protection Law has been heavily influenced by Directive 95/46/EC, and various decisions by the Authority have confirmed that Turkish legal practice follows in the EU's footsteps.
The new guideline further strengthens this understanding.
However, as mentioned, the Guideline is not a binding legal instrument under Turkish law. While it is possible to refer to the Guideline to resolve certain ambiguities, it should not be considered strictly binding on controllers and cookie holders.
This means that cookie holders must continue to comply with the principles of the Law when placing and using cookies.
We also expect that the Turkish Data Authority will continue to monitor developments in this area and that both guidelines and legal acts will come into force in the coming days.
For more information on data protection laws and data privacy in Turkey, please contact your CMS client partner or local CMS experts: Sinan Abra.