This article analyzes how websites use cookies to process personal data, with respect to the personal data protection law.
What are Cookies?
Cookies are text files that website operators place on a user’s device. In other words, they are small files in rich text format that allow certain user information to be stored on a user’s terminal device when they visit a website.
Cookies are categorized based on (i) their period of storage, (ii) their purpose of use, and (iii) the parties involved.
Cookies are divided into session cookies and permanent cookies by their storage period. As for their purpose of use, they are divided into strictly necessary cookies, functional cookies, performance-analytics cookies, and advertising/marketing cookies. Finally, they are separated by the party as first-party and third-party cookies.
Personal Data Processing Terms for Cookies under Personal Data Protection Law
Websites may use cookies to process personal data either by obtaining the data owner’s explicit consent or, if the data processing conditions stipulated in articles 5 and 6 of the Personal Data Protection Law (“Law”) are fulfilled, without explicit consent. The following is an example of processing personal data without explicit consent: if a customer’s data are processed via cookies when they add an item to the cart on an e-commerce website, the processing relates to a sales agreement being entered into or enforced and falls under subparagraph (c) of paragraph 2 in article 5 of the Law[1], thus eliminating the need for explicit consent.
Certain factors must be considered when obtaining explicit consent for processing personal data via cookies. For the consent to be unambiguous, the request must make clear the cookies’ purpose of use, their storage period based on that purpose, and whether the cookies are first-party or third-party. Moreover, explicit consent must be revocable.
In short, if third-party cookies are placed on a website, the website owner and the third party must inform users about the use of cookies and obtain their explicit consent. This duty must be fulfilled under the Law and the guidelines published by the Authority.
The Personal Data Protection Board’s decision no. 2020/173 of 27/02/2020 focuses on the following matters regarding the processing of personal data via cookies:
- A deliberate action is required to obtain express consent, since visiting a website does not automatically imply express consent to that website’s use of cookies.
- The data owner must be informed before or at least during the processing of their data.
- When obtaining express consent for processing personal data via cookies, the data owner must be separately asked whether they have read the enlightenment text and, thus, whether they give their express consent to the procedure.
Websites should respect and consider various factors depending on whether they use cookies to process personal data for themselves or third parties. Although the decisions and guidelines of the Authority provide a road map for the subject in question, it is still essential to properly inform the data owner and obtain their express informed consent.
[1] https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/fb193dbb-b159-4221-8a7b-3addc083d33f.pdf