TR-TR 
EN-US 
The Turkish Personal Data Protection Board (“Board”) published on 11 January 2022, a Draft Guideline on Cookie Practices (“Draft Guideline”). In particular, the Draft Guideline includes recommendations for the protection of personal data within the scope of Law No. 6698 on the Protection of Personal Data (“Law No. 6698”) for website operators processing personal data through cookies.
The Draft Guideline first states the clarifications made in the Draft Guideline are directing data controllers to process data based on correct legal reasons, to inform data subjects per Law No. 6698, and to obtain explicit consent under Law No. 6698. It has been also stated that the Draft Guideline covers the processing of personal data through cookies. The Draft Guideline, on the other hand, shall apply not just to cookies used on websites, but also to apps used on smartphones, tablets, and other devices that may connect to the internet. There is no guidance in the Draft Guideline for related technologies such as pixels, user fingerprints, local storage, and beacons.
Although there are two definitions of cookies in the Draft Guideline, one of these definitions is given as low-size rich text-format text formats that allow certain information about users to be stored on users’ terminal devices when a web page is visited.
Under the Draft Guideline, cookies are categorized in accordance with their duration, purpose of use, and parties. While cookies categorized according to their duration are described as session cookies and permanent cookies, and the cookies categorized according to their intended use are defined as strictly necessary cookies, functional cookies, performance-analytical cookies, and advertising/marketing cookies. It has been further stated that within the scope of cookies according to the parties, whether the cookie is first-party or third-party varies according to the website or domain placing the cookie. While first-party cookies are placed directly by the website the user is visiting, the third-party cookies are placed by a different third party other than the website visited by the user.
As per the Draft Guideline, by referring to the European Union regulations, it is stated that cookies do not require explicit consent if one of two conditions is met. These conditions are given as; (i) The use of cookies only to provide communication over the electronic communication network, (ii) The use of cookies is necessary for information society services that the subscriber or user explicitly requests to receive services.
Pursuant to the Draft Guideline, the personal data processing conditions in terms of cookies are also regulated within the scope of Law No. 6698. In this context, the first of the conditions is processing of personal data based on explicit consent of the data subject. Alternatively, as a result of the evaluation of the data controller regarding the personal data processing activity through cookies, if the processing of personal data is based on one of the conditions other than the explicit consent in Law No. 6698, in this case, there is no need to obtain explicit consent from the data subject. According to the Draft Guideline, the data controller should primarily evaluate whether the purpose of the processing of personal data activity is based on one of the other processing conditions other than explicit consent.
The Draft Guideline indicates the use of cookies that do not require explicit consent are as follows; user-input cookies, identity authentication cookies, user-centered security cookies, multimedia player session cookies, load balancing session cookies, user interface customization cookies, social plug-in content-sharing (like, share, comment) cookies, cookies used for explicit consent management platform, first-party analytical cookies, cookies used for website security. Additionally, the Draft Guideline also present examples for the use of cookies that do not meet with neither of the aforementioned two criteria, therefore require explicit consent such as social plug-in tracking cookies and online behavioral advertising cookies.
Further, in the Draft Guideline, it is emphasized that the consent that is not based on any active action of the user cannot be considered as explicit consent. As such, simply accessing the website does not mean that explicit consent has been given to the cookies running on the said site.
The Draft Guideline also emphasizes that the aspects of being "freely given, specific, and informed" are necessary for acquiring explicit permission. It should be noted in this context that, in addition to the components of explicit consent outlined in Law No. 6698, explicit consent, which is one of the appropriate legal reasons, must be obtained before the placement of cookies.
Finally, the Draft Guideline highlights the necessity of informing the data subject of the personal data processing activities in accordance with the Law No. 6698 with a clear, simple, and understandable text at the moment of acquiring the data at the latest and provides supplementary sources such as a Board resolution regarding the use of cookies, a cookie control list, and examples of good and bad practices.
Kortan Gödekoğlu, Esra Temur
