All Eyes of the Data Protection Authorities are on Cookies!

January 2022 Sevgi Ünsal Özden

Introduction

In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed the balance of the business world, and has critical implications for the global economy, especially for competition between companies.

Although there are many data collection methods, internet cookies are one of the more remarkable methods of obtaining data. Basically, cookies aim to make users' internet experience easier. When the purposes and benefits are considered, cookies can be deemed as useful, practical, and essential for both web servers/websites and users. However, even though cookies do not have the characteristics of personal data by nature, the data obtained as a result of their usage could be specified as personal data. Given the rise of data-driven companies, the volume of data obtained and the personal nature of that data, the usage of cookies raises serious concerns regarding data security and privacy. Recently, data protection authorities from all over the world, including from Turkey, have been determining the rules and principles regarding the usage of internet cookies, making regulations, publishing guidelines, and even imposing penalties against some companies.

In this Newsletter, internet cookies, their usage and purposes, the practices of data protection and legislative authorities, and the current developments in this area will be examined briefly.

What Are Cookies?

Cookies (also called HTTP[1] cookies, web cookies, internet cookies, or browser cookies) are defined as small blocks of data created by a web server while a user is browsing a website, and are placed on the user's computer or any other device such as smartphones or tablets. When a user visits a website, that user's web browser sends the user's access request to the server. The server then transmits the requested data and the information of this user to the web browser. By means of cookies in HTTP communications, the actions, information and preferences of the user during past visits can be recognized by the server, and certain information about the user may be stored by combining the actions and information of the user on other websites visited with the same web browser.[2]

Cookies are commonly used to identify specific users and to improve such users’ web browsing experience by enabling the web servers to automatically display login and/or payment details, to auto-fill form fields, to keep items added in an online shopping cart, to re-load previously reviewed content, etc. They also allow websites to show advertisements specific to a user’s past preferences.

Considering the characteristics of cookies, it could be argued that internet cookies do not constitute personal data on their own since the cookies are basically text files, containing a combination of numbers and letters. Yet, when cookies are combined with other data, it is possible to make the person identifiable.[3] For instance, cookies that collect and process IP addresses of users and collect information such as name and e-mail address entered in a registration or sales form on a web page should be considered personal data.[4]

Types of Cookies

Cookie types vary according to (i) their source, (ii) the length for which they are retained, and (iii) the purposes for which they are used. Within this scope, these could be classified as “first-party cookies - third-party cookies”; “temporary cookies (session cookies) - persistent cookies”, "mandatory cookies - functionality cookies - performance cookies (analytical cookies) - advertising / marketing cookies".

Mandatory cookies are cookies that are absolutely necessary for the website to work and be used as intended. If mandatory cookies are blocked, some parts of the website will not work. Functional cookies, on the other hand, allow individualizing the site content for users based on their preferences. Through these cookies, the website operator can store information such as which region the user is in, or which username and password they are using. It is possible to block such types of cookies.

Third-party cookies, a much-discussed topic recently, are created by third parties, such as business partners or service providers, rather than by the website owner (e.g. if the website contains images, advertising, or social media plug-ins of other sites). The personal data obtained by institutions such as Google through third-party cookies can be matched, analyzed, and profiled by combining them with data received from different sites. This possibility, naturally, raises privacy concerns all over the world.

Determining the type of internet cookies is crucial in terms of data protection legislation, since the circumstances that require explicit consent vary according to the type of cookie.
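
As an added illustration (not part of the original article), the first two classification criteria above, source and retention period, can be read directly from the Set-Cookie headers a website sends. The hostnames and cookies below are constructed, and the first-party test is a simple suffix match against the visited site, which is an assumption; the purpose of a cookie cannot be inferred from the header and still requires review.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def retention(attrs, now):
    """Classify by lifetime: ('session'|'persistent'|'expired', seconds or None)."""
    seconds = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored
    if seconds is None and "expires" in attrs:
        try:
            expiry = parsedate_to_datetime(attrs["expires"])
            if expiry.tzinfo is None:
                expiry = expiry.replace(tzinfo=timezone.utc)
            seconds = int((expiry - now).total_seconds())
        except (TypeError, ValueError):
            pass  # unparseable date: treated as a session cookie
    if seconds is None:
        return "session", None
    return ("persistent", seconds) if seconds > 0 else ("expired", seconds)

def source(setting_host, site):
    """Simplified source test: suffix match against the visited site (assumption)."""
    host = setting_host.lower().rstrip(".")
    site = site.lower()
    return "first-party" if host == site or host.endswith("." + site) else "third-party"

def audit(site, observed, now):
    """Return one row per observed cookie: name, host, source, retention, days."""
    rows = []
    for host, header in observed:
        name, attrs = parse_set_cookie(header)
        kind, seconds = retention(attrs, now)
        days = None if seconds is None else round(seconds / 86400, 1)
        rows.append({"name": name, "host": host, "source": source(host, site),
                     "retention": kind, "days": days})
    return rows

# Constructed sample: Set-Cookie headers seen while loading a page on shop.example.
NOW = datetime(2022, 1, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("shop.example", "sid=abc123; Path=/; HttpOnly; Secure"),
    ("www.shop.example", "lang=tr; Max-Age=2592000; Path=/"),
    ("ads.tracker.example", "uid=42; Expires=Sun, 01 Jan 2023 00:00:00 GMT; SameSite=None; Secure"),
]

if __name__ == "__main__":
    for row in audit("shop.example", OBSERVED, NOW):
        print(row)
```
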

How are Cookies Regulated under Turkish Law?

Pursuant to Article 51/3 of Electronic Communications Law No. 5809, electronic communication networks may only be used by operators[5] to store information on terminal devices of subscribers/users or to access stored information provided that the relevant subscribers/users are clearly informed and their explicit consent is obtained. Providing communication services for subscribers/users is regulated as an exception to this rule.

Other than the above, there is no particular regulation that regulates the use of cookies in Turkey and which is applicable to all cookie users. However, cookies could fall within the scope of Turkish Personal Data Protection Law No. 6698 to the extent that they can be associated with an identifiable person. As a matter of fact, in 2020, the Personal Data Protection Authority (“Authority”) imposed an administrative fine on Amazon Turkey on the grounds that the obligation to inform was not fulfilled at any stage of data processing, although personal data began to be processed through cookies as soon as a user entered the website.[6]

The Authority has recently published a draft guideline on cookies explaining the cookies and their types, the rules to be considered according to the cookie usage scenarios, the details of obtaining explicit consent and obligation to inform.[7] The annex of the guideline includes a checklist for the use of cookies, application examples, and examples of appropriate and inappropriate use – all of which should be very useful for all cookie users. It is noteworthy that the practices and rules included in the guide are similar to the European Union regulations.

The guideline also sheds light on the relationship between Law No. 6698 and Law No. 5809, and defines the legal scope of the application of these laws. The Authority remarks that Law No. 5809 is limited to data controller operators; in cases that Law No. 5809 does not specifically regulate, Law No. 6698 could be applied to personal data processing activities through cookie usage. The Guideline has been published as a draft version and opened for public comment, thus the final version may vary.

What is Happening in the European Union?

The European Union’s data privacy regime currently consists of the General Data Protection Regulation (“GDPR”) and the ePrivacy Directive (“ePD”) of 2002. The ePD is an EU directive on data protection and privacy in the digital age.[8] In 2009, the ePD was amended with the addition of regulations regarding cookies and thus, it has been referred to as “the EU Cookie Law” as of that date.

The studies of the Article 29 Data Protection Working Party, and the Planet49 Decision of the European Court of Justice[9] also provide guidance on how consent should be obtained for the use of cookies and how users should be informed regarding cookies, and comprehensively explain mandatory cookies which are not subject to the consent rule.[10] In the recent period, due to the fact that cookie regulations are required to be changed in line with technological developments, the first draft of a new E-Privacy Regulation was published on January 10, 2017, and finalized on February 10, 2021 by the EU Council. This draft provides a different framework from the previous directive and a more comprehensive list of exceptions to cookie usage. However, it is still not certain when the draft will be in force and/or take effect.

In addition to all these developments, the recent decisions of different data protection authorities with regard to the use of cookies demand attention.

On January 6, 2022, the French Data Protection Authority (“CNIL”) announced fines against Google and Facebook due to non-compliance with cookies legislation.[11] As a result of an investigation, CNIL found that while the websites google.fr, youtube.com, and facebook.com offer a button to immediately accept cookies, they do not offer an equivalent solution enabling the user to refuse cookies as easily. Accordingly, it was judged that the methods of collecting consent proposed to users, along with the lack of clarity of information provided to them, constituted a breach of applicable data protection legislation.

Furthermore, the Austrian Data Protection Authority (“DSB”)[12] recently determined that the use of Google Analytics (a system that uses cookies) by an Austrian website involved the collection and transfer of personal data to Google in the U.S., including user identification numbers, IP addresses and browser parameters. More importantly, DSB concluded that the Standard Contractual Clauses (“SCC”) could not provide an adequate level of protection under the GDPR since the SCCs do not eliminate the possibility of surveillance of, and access to, personal data by U.S. intelligence agencies. Consequently, the transfer of data was deemed to be in breach of the GDPR. Immediately after this decision, the Dutch DPA also declared that there are ongoing investigations regarding the use of Google Analytics that are planned to be concluded in early 2022, and which will help to determine whether the usage of Google Analytics is permitted in the Netherlands.

Conclusion

Recent developments regarding the use of cookies in Turkey, the European Union and the rest of the world are of great interest for both internet users and data controllers. The decisions and perspectives of data protection authorities are certainly a wake-up call to all online website owners as well as third-party service providers. It is obvious that the current developments on cookies must be closely followed, the rules and principles in legislation, decisions and published guides should be strictly followed, and cookie practices should be reviewed without any delay.

References

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
