EVALUATION ABOUT THE KVKK COOKIE APPLICATIONS GUIDE
I. Introduction
The Draft Guideline on Cookie Applications, which was submitted to the public's opinion on January 11, 2022, by the Personal Data Protection Authority ("Authority"), was published on the Authority's website on June 20, 2022 with the title of Guide on Cookie Applications ("Guide").
In its first part, the Guide states its purpose as "It is aimed to create a guiding document as practical advice for all data controllers operating a website" and its scope as "It covers the processing of personal data through cookies, and cookies that are not used in personal data processing are out of the scope of this guide". In addition, it states that similar technologies such as pixels, user fingerprinting, local storage and beacons are not covered by the Guide, while the Guide applies to desktop and mobile websites and web applications alike.
II. Cookies and Types of Cookies in General
In the second part of the Guide, cookies are defined as "small rich-text-formatted text files that allow some information about users to be stored on users' terminal devices when a web page is visited". Types of cookies are examined under three headings: by duration, by purpose of use and by party.
TYPES OF COOKIES
Cookies by Duration
By duration, cookies are divided into session cookies and persistent cookies. The Guide states that session cookies, also called temporary cookies, are used to maintain the continuity of a session and are deleted when the user closes the browser. Persistent cookies, which may also be called tracking cookies, are not deleted when the browser is closed; unlike session cookies, they are deleted automatically at a set time or date. Since persistent cookies are sent to the server each time the website is visited, they can be used for advertising purposes or for remembering user login information.
Cookies by Purpose of Use
By purpose of use, cookies are explained under four headings: strictly necessary cookies (mandatory cookies), functional cookies, performance/analytical cookies and advertising/marketing cookies.
Strictly necessary cookies are mandatory cookies required for the proper functioning of the website. The Guide states that processing conditions other than explicit consent are generally relied on for strictly necessary cookies and that these cookies should not be used for marketing purposes. Functional cookies are defined as "cookies used for personalization and remembering preferences in websites or applications (including applications on desktop, mobile or IoT devices)". Unlike strictly necessary cookies, functional cookies, which provide functionality beyond what is strictly necessary, should be based on explicit consent.
Performance/analytical cookies allow the behavior of users browsing websites to be analyzed through statistical measurements. The Guide states that these cookies are used, for example, to improve websites and to measure the effect of advertisements on people. The purpose of advertising/marketing cookies is explained as "following the online movements of the users on the internet, determining their personal interests and displaying advertisements to the users on the internet for these interests". The Guide adds that the type of advertising involved is online behavioral advertising, whose stages are explained as "monitoring the activities of the people on the internet, analyzing and profiling these activities, matching the profiled person with the appropriate ads and showing the said ads to the relevant person".
Cookies by Party
According to their parties, cookies are divided into first-party and third-party. First-party cookies are cookies placed directly by the URL displayed in the address bar of the website visited. Third-party cookies, on the other hand, are defined as cookies placed by a third party different from the website visited by users.
The Relationship Between the Electronic Communications Law No. 5809 and the Law No. 6698 on the Protection of Personal Data
Although cookies are not explicitly regulated in the Law on the Protection of Personal Data No. 6698 ("Law"), the Guide refers to Article 51/3 of the Electronic Communications Law No. 5809 ("EHK"). The Guide considers that Law No. 5809 may have a limited area of application for operators that are data controllers with regard to cookies, since it partially corresponds to Article 5(3) of EU Directive 2002/58/EC. It also notes that Article 51/3 of the EHK covers only companies that provide electronic communication services and/or provide electronic communication networks and operate their infrastructure; other data controllers are not within its scope.
Rules to Consider About Cookies
The Law regulates the conditions for processing personal data in Article 5 and the conditions for processing personal data of a special nature in Article 6. Under these articles, processing of personal data is based on explicit consent, except in the exceptional cases listed. Among the rules to be considered regarding cookies, the Guide states that if the data processed requires explicit consent, explicit consent must also be obtained for the cookies; if one of the processing conditions other than explicit consent applies, there is no need to obtain explicit consent for the cookies. However, if the processing is not based on explicit consent and none of the other processing conditions specified in the Law is met, the explicit consent of the data subject is required for the cookies.
Where the processing condition in Article 5/2-f of the Law ("Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject") is relied on, the Guide recommends a balancing test comparing the fundamental rights and freedoms of the data subject with the legitimate interests of the data controller.
Cookie Usage Scenarios Under Other Processing Conditions Except for Express Consent
The Guide sets out two criteria to be considered:
- "Criterion A: The use of the cookie only for the purpose of providing communication over the electronic communication network,
- Criterion B: The use of cookies is strictly necessary for information society services that the subscriber or user explicitly requests to receive."
User Input Cookies (Criterion B)
The Guide describes such cookies as "session cookies that track the user's inputs and transfer them to the service provider". First-party user-input session cookies track the user while filling a shopping cart, keeping track of the products the user selects by clicking a button or the information entered in a form. As in this example, since the function of these cookies must be explicitly requested by the user, the Guide evaluates them under Criterion B and states that explicit consent is not required.
Authentication Cookies (Criterion B)
The Guide explains that such cookies "are used to identify the user when he/she logs on to a website", for example when logging into a social media platform or a bank account. Since these cookies are requested to provide the functionality of the website the user has logged into, and without them the user name and password would have to be re-entered on every page of the website, the Guide evaluates them under Criterion B and states that explicit consent is not required.
User-Centric Security Cookies (Criterion B)
The Guide states that explicit consent is not required, since the security measures needed to access the website are considered a service explicitly requested by the user (Criterion B).
Multimedia Player Session Cookies (Criterion B)
Examples of such cookies, also known as flash cookies, include replaying a video or storing technical data about audio content. Cookies that disappear automatically when the session ends are considered under Criterion B, since they are requested by the user in cases such as watching a video, and the Guide states that explicit consent is not required.
Load Balancing Session Cookies (Criterion A)
The Guide defines load balancing as "a technique that allows the distribution of web server requests over a pool of machines rather than a single machine". These cookies need to persist only for the duration of the session, that is, they are session cookies. Since they are necessary for uninterrupted communication over the network, the Guide evaluates that explicit consent is not required under Criterion A.
User Interface Personalization Cookies (Criterion B)
These cookies are mostly used to let users customize the interface of the service offered on the website they visit. Since interface customization requires the user's choice and explicit request, the Guide evaluates that explicit consent is not required for these cookies under Criterion B.
Social Plugin Content Sharing (like, share, comment) Cookies (Criterion B)
Social plugin modules, offered as add-ons on a web page, fall under Criterion B because they are used only when requested by users, and the Guide evaluates that explicit consent is not required. However, the Guide notes that this exemption applies only to users who are logged in; for users who have logged out or who are not members, explicit consent must be obtained when such a plugin service is used.
Cookies Used for the Open Consent Management Platform (Criterion B)
The Guide states that cookies used to remember, for a certain period, the preferences a person has expressed regarding explicit consent on the website he/she accesses also fall under Criterion B and are not considered to require explicit consent. It also recommends that the lifetime of such a cookie be determined with regard to the general principles in Article 4 of the Law.
First-Party Analytics Cookies (Criterion B)
The necessity of such cookies is explained in the Guide as "Using traffic and/or performance statistics to manage the website or application, producing these statistics, the proper functioning of the site or application and therefore providing the service".
Their purpose is stated as "cookies limited to measuring the target audience of the site or application", and the Guide considers that these cookies, kept for the operation and daily management of the website or mobile application providing the service requested by the user, can be treated under Criterion B.
In addition, it is recommended in the Guide that the cookies kept in order to achieve the above-mentioned purpose should be "processing of personal data in connection with the purpose, limited and measured, and anonymization of personal data that is not essential for processing".
Finally, the Guide states that these cookies should only be used to produce anonymous statistics and not for any other purpose; using them otherwise would not comply with the principle of being relevant, limited and proportionate to the purpose for which they are processed.
Cookies Used for the Security of the Website (Criterion B)
The Guide considers such cookies absolutely necessary for the service requested by the user, since a website that cannot provide service because of a security weakness would leave the user unable to access the requested service. For this reason, these cookies, which are necessary for the user to reach the service securely, are evaluated under Criterion B, and processing conditions other than explicit consent may apply.
COOKIE USE SCENARIOS WITHIN THE EXPLICIT CONSENT PROCESSING CONDITION
Cookie Usage Scenarios Not Covered by Criterion A or B
ELEMENTS OF EXPLICIT CONSENT TO BE OBTAINED IN ACCORDANCE WITH THE LAW
Explicit consent needs to be obtained through active affirmative action, by specifically and separately informing the persons concerned about what they are asked to consent to.
For example, just because the user has entered the website does not mean that explicit consent has been given to the cookies running on that site.
Explicit consent must meet the following elements:
- Relating to a specific subject
- Based on information
- Given with free will
Explicit Consent Processing Conditions
Relating to a Specific Subject
The open-ended and ambiguous consent of the data subject as "I accept the processing of my personal data" with a general statement of will cannot be considered as "explicit consent" in the context of the Law.
In order to meet the "related to a specific subject" element, it is necessary to specify the purpose of the cookie, the duration of the cookie determined proportionally for this purpose, and whether the cookie is first or third party.
Based on Information
Users must be properly informed.
Free Will
In this section, it is particularly noteworthy that users can withdraw their explicit consent whenever they want, and that taking consent too often can lead to "consent fatigue".
Withdrawal of Consent Given;
Considering that the data subject can withdraw the explicit consent given to the data controller at any time, the express consent given in terms of cookies should also be revocable. In this respect, it is necessary to ensure accessibility to the cookie management panel or the tool for which explicit consent is obtained, and it can be considered as a good example that the consent management platform is turned into an icon or a small band that does not block the content, in a small corner of the web page, in order to easily withdraw the explicit consent.
Consent Fatigue;
Taking consent too often can lead to consent fatigue in users. For this reason, considering that the free will of the data subject may be impaired, it is considered appropriate not to obtain explicit consent on each visit to the site, but to periodically remind the data subject of his/her explicit consent preference (in proportion to the lifetime of the cookie in question). In determining the lifetime of these cookies, the general principles set out in Article 4 of the Law should be taken into consideration.
Another important issue is that, when explicit consent is obtained for cookies, a cookie management panel (such as a pop-up or banner) should appear as soon as the site is entered, and the "accept", "reject" and "preferences" buttons in that panel should be presented equally (in terms of color, size and font).
The Guide includes an example of how this should look.
Pursuant to Article 10 of the Law, the obligation to inform must be fulfilled when personal data is obtained, and it is an example of correct practice to include in the cookie management panel an explanation of, or if necessary a link to, information on the processing of personal data through cookies. In this context, it is important that cookies requiring explicit consent are initially presented as switched off (unselected) in the management panel.
In the use of online advertising cookies, it is not possible to obtain explicit consent by bundling documents such as terms and conditions of use, because relying on the contract in the processing of personal data that is not directly related to the fulfillment of the basic service provided under the contract will mean misleading the data subjects.
Accordingly, two points are important:
- Explicit consent for online advertising cookies cannot be attached to documents such as "Terms of Use and Agreement" or "Privacy Statement".
- Explicit consent to the processing of personal data through cookies cannot be imposed as a prerequisite for the conclusion or performance of a contract.
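An added example, not from the Guide or any consent management product, showing how the rules in this section translate into a small JavaScript consent gate: only strictly necessary cookies before an active choice, non-essential categories off by default, per-category explicit consent that is revocable, and a consent record with a limited lifetime after which the preference is asked again. The cookie name, category list and 180-day lifetime are assumptions, and the in-memory store stands in for document.cookie so the code runs outside a browser.

```javascript
// Added example, not from the Guide: a consent gate applying its rules for
// cookies that need explicit consent. Names, categories and lifetime are assumed.
const CATEGORIES = ["necessary", "functional", "performance", "advertising"];
const CONSENT_COOKIE = "kvkk_consent";                 // assumed cookie name
const CONSENT_LIFETIME_MS = 180 * 24 * 60 * 60 * 1000; // assumed 180-day lifetime

// In-memory stand-in for document.cookie with max-age handling, so the
// example runs outside a browser. `now` is injectable for testing.
class MemoryCookieStore {
  constructor(now = () => Date.now()) { this.map = new Map(); this.now = now; }
  get(name) {
    const e = this.map.get(name);
    if (!e) return undefined;
    if (e.expires <= this.now()) { this.map.delete(name); return undefined; }
    return e.value;
  }
  set(name, value, maxAgeMs) { this.map.set(name, { value, expires: this.now() + maxAgeMs }); }
  delete(name) { this.map.delete(name); }
}

class ConsentGate {
  constructor(store, now = () => Date.now()) { this.store = store; this.now = now; }

  // The stored consent record, or null when none exists or it has expired.
  // An expired record means the preference must be asked again (the Guide's
  // periodic reminder, proportional to the consent cookie's lifetime).
  record() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (raw === undefined) return null;
    const rec = JSON.parse(raw);
    return this.now() - rec.givenAt > CONSENT_LIFETIME_MS ? null : rec;
  }

  // Show the panel (with equally weighted accept / reject / preferences
  // buttons) whenever there is no valid record. Merely visiting the site or
  // accepting terms of use never creates a record: only grant()/rejectAll() do.
  needsPrompt() { return this.record() === null; }

  // Record an active, per-category choice. "necessary" is always on; every
  // other category starts off and is on only if the user explicitly chose it.
  grant(chosen) {
    const categories = {};
    for (const c of CATEGORIES) categories[c] = c === "necessary" || chosen.includes(c);
    const rec = { givenAt: this.now(), categories };
    this.store.set(CONSENT_COOKIE, JSON.stringify(rec), CONSENT_LIFETIME_MS);
    return rec;
  }
  rejectAll() { return this.grant([]); }

  // Withdrawal must be as easy as giving consent: drop the record entirely.
  withdraw() { this.store.delete(CONSENT_COOKIE); }

  // Call before setting any cookie of the given category.
  mayUse(category) {
    if (category === "necessary") return true;
    const rec = this.record();
    return rec !== null && rec.categories[category] === true;
  }
}
```

In a real deployment the store would wrap document.cookie (or a server-side session) and mayUse() would guard every non-essential Set-Cookie or tag load.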
Cookie Walls
Cookie walls are applications that prevent a visitor from viewing the content of the website unless they approve the use of all cookies on the website. Where consent to cookies is imposed on the data subject as a prerequisite for the service by placing a cookie wall in front of the site, the cookie wall may impair the free will of the data subject, and in that case the explicit consent obtained will not be valid. Fair alternatives other than the cookie wall may be offered so that data subjects can obtain the service.
Responsibility of the Parties
Where third-party cookies are placed on a website, both the website owner and the third party are responsible for ensuring that users are clearly informed about the cookies and for obtaining their consent (even though the third party is known to have less direct control over the connection to the user).
Third parties who want to place cookies or those who want to provide a product that requires the use of cookies can add a provision to the contract between them and the website publishers. This can provide assurance that appropriate measures will be taken to inform and consent to third-party cookies.
TRANSFER ABROAD
The transfer of personal data abroad is regulated in Article 9 of Law No. 6698, and under the first paragraph of that article the first condition for transfer is the explicit consent of the data subject. Apart from explicit consent, personal data may be transferred abroad provided that one of the processing conditions in Article 5/2 or Article 6/3 of Law No. 6698 is present and that adequate protection exists in the foreign country, or, where it does not, that the data controllers in Turkey and in the relevant foreign country undertake adequate protection in writing and the Personal Data Protection Board grants permission.
FULFILLING THE OBLIGATION TO INFORM PROPERLY
Regardless of the reason for compliance with the law, in all cases where personal data is obtained, the obligation to inform must be fulfilled by the data controller at the latest when the data is obtained, and the proof of fulfillment of the said obligation belongs to the data controller.
Care should be taken that the disclosure is easily accessible and noticeable, and methods that make it difficult for data subjects to access the disclosure should not be used.
Considering that, when a person visits a website for the first time, it is not certain whether he/she will enter into a contractual relationship with the data controller or give explicit consent to the processing of his/her personal data, merely entering the website cannot be regarded as a declaration of will for the processing of personal data. Therefore, in order to start processing personal data with the site visit, the disclosure must be made at the stage of entering the website regardless of the processing condition relied on, and where no notification (e.g. a pop-up message) that personal data is being processed is presented upon entering the website, a violation of the obligation to inform may arise.
In addition, it is recommended that the name of the cookie, its purpose and duration of use, and whether it is a first- or third-party cookie be clearly included in the disclosure text.
If the audience for the product or service is children, informative texts suited to the level of understanding of children should be prepared within the scope of the obligation to inform, and where necessary a more understandable, plain and clear language supported by pictures and visual effects should be used.
This point, which the Guide includes in relation to preparing the disclosure text for children, is noteworthy.
Companies should pay attention to these points in products and services aimed at children, and if personal data processing is carried out on the basis of explicit consent, the obligation to inform and the obtaining of explicit consent must be fulfilled separately, as for adults.
In the Decision of the Personal Data Protection Board dated 27/02/2020 and numbered 2020/173, concerning an application about a company and cited in the Guide, the Board concluded that both the explicit consent requirement and the obligation to inform had been violated.
The conclusions drawn from the decision are emphasized under all the headings of the Guide:
- Disclosure must be made in a clear, simple and understandable manner, including all required elements; the presence of complex privacy notices on the website that provide information on many other issues cannot be interpreted as fulfilling the obligation to inform.
- Where personal data processing is based on explicit consent, the obligation to inform and the obtaining of explicit consent must be fulfilled separately.
- Regarding the processing of personal data through cookies, explicit consent cannot be imposed on the data subject as a precondition of the establishment or performance of a contract.
- Disclosure must be made at the latest when personal data is obtained, that is, at the moment of accessing the website: when the data is not yet being processed or, at the latest, when it begins to be processed.
- For explicit consent to be obtained, an active action must have taken place; merely entering the website does not mean that explicit consent has been given to the cookies used by the site.
- The decision considers that there may be a legal basis other than explicit consent for the processing of personal data through cookies.
The Guide and the sample disclosure text it contains are available at:
https://www.kvkk.gov.tr/Icerik/7353/Cerez-Uygulamalari-Hakkinda-Rehber