Cookies, an important part of our digital footprint, are small text files placed in the cache of user devices by website operators. Although they are used to improve user experiences and facilitate use of the sites visited by users, they collect data about us by allowing our online activity to be monitored and tracked. In this respect, it is essential that we pay attention to cookies for the security of our personal data.
Cookie Types
Cookies are generally divided into three main groups.
Cookies According to Purposes of Use:
- Strictly Necessary Cookies: These are cookies that are necessary for the functioning of the website.
- Functional Cookies: These are cookies used for personalization and remembering preferences used on the website.
- Performance Analytical Cookies: These are cookies that enable statistical measurement in order to analyze the behavior of users on websites. These cookies are used to improve the site.
- Advertising and Marketing Cookies: With cookies for Advertising and Marketing purposes, personal interests of users are determined based on their online movements on the internet and advertisements are shown for these interests.
Cookies by Duration:
- Session Cookies: These cookies, also called temporary cookies, are used to ensure the continuity of the session. Session cookies are deleted when the internet browser is closed.
- Persistent Cookies: These are cookies that are not deleted when the internet browser is closed.
Cookies by Parties:
- First Party Cookies:Cookies placed directly by the website the user visits.
- Third Party Cookies: These are cookies placed by a third party other than the website the user visits.
How Do Cookies Work?
- The internet browser sends a request to the website server to access the site.
- The server creates cookies containing data packets and sends them.
- The page loads in the browser, the browser receives cookies and stores them on the user's device.
What Are Cookies Used For?
Cookies are actually very useful text files used to improve our web and application experience. Actions you have performed in the past on a website can be remembered with cookies. Although there are many uses of cookies, our most common examples of cookie usage as a user can be listed as follows:
- You do not have to re-enter your username and password when switching between pages on websites where you can log in with your username and password,
- Remembering the theme you want to use on the website the next time you log in,
- Remembering your preferred language and country,
- The products you add to your cart on shopping sites can be seen on the payment page,
- Being able to see ads that match your interests
Features that make internet use easier and improve the experience, such as, are made possible by the use of cookies.
Advantages and Disadvantages of Using Cookies
Advantages:
- Making it easier to log in to websites
- Remembering the personalizations you have made on websites
- Improving performance by monitoring the performance of websites
- Seeing ads that match your interests
Disadvantages:
- Targeting of ads
- Monitoring of personal data
- Monitoring user behavior
- Possibility of infection with malware
Use of Cookies and KVKK
Cookies are not personal data on their own, but they may contain personal data. The inclusion of IP address, username, password and e-mail information in cookies makes these cookies the subject of KVKK. Personal Data Protection Law No. 6698 deals with the processing of all kinds of information regarding identified or identifiable natural persons, and information processed through cookies can be associated with an identifiable person when used accordingly. In this respect, cookies appear as a subject of KVKK.
Cookies and Explicit Consent
KVKK requests that other data conditions listed in Articles 5 and/or 6 of the Law be taken into account, as a result of explicit consent for cookies to process personal data or as a result of the data controller's evaluation of personal data processing activity through cookies.
The situation where explicit consent is not required for the use of cookies can be summarized as follows:
- User Input Cookies: Explicit consent is not required because the provision of an information society service is explicitly requested by the user by filling out a form or clicking a button. span>
- Authentication Cookies: Persistent cookies that store authentication identifiers between browser sessions and when the user logs into his account has explicitly requested access to content or functionality that is permitted to him. Since there is no need for explicit consent.
- User-Centered Security Cookies: These are cookies created to ensure user security and express consent is not required to ensure user security.
- Multimedia Player Session Cookies: Explicit consent is not required for cookies used for the video display function, as the user clearly requests this service when he/she wants to access video or text content. .
- Load Balancing Session Cookies: These are cookies that are necessary for communication over the network, therefore explicit consent is not required.
- User Interface Personalization Cookies: Explicit consent is not required since the personalization of features is expressly requested by the user by clicking on a button or box.
- Social Plugin Content Sharing Cookies: Accessing and using social activity on a website does not require explicit consent as it is expressly requested by the user.
- Cookies Used for Explicit Consent Management Platform: Although explicit consent is not required for the use of cookies that are necessary to remember preferences regarding explicit consent, this cookie is subject to the Law's It is recommended that it complies with the general principles in Article 4.
- First Party Analytical Cookies: Meeting needs such as performance measurement, detection of navigation problems, optimization of technical performance or ergonomics, estimation of the power of the required servers, that is, a website Explicit consent is not required for these cookies, which enable them to be used for the operation and daily management of the application.
- Cookies Used for the Security of the Website: These cookies are also open as the website's inability to provide service due to security vulnerabilities or its deactivation will result in the user not being able to access the service he/she requested. Consent is not required.
KVKK also lists the cookies for which explicit consent is required, and these cookies are as follows:
- Social Plugin Tracking Cookies: Many social networks provide services that website owners can integrate into their websites in order to provide certain services that can be considered “explicitly requested” by their members. It offers social add-on modules. However, these modules can be used to track members/non-members with the help of third-party cookies for additional purposes such as behavioral advertising, analytics or market research. Explicit consent is required for the use of cookies used for such purposes.
- Online Behavioral Advertising Cookies: Naturally, impression frequency, financial record keeping, advertising partnerships, click fraud detection, research and market analysis, product development and error Explicit consent is required for cookies used within the scope of advertising for purposes such as extraction.
Transfer of Personal Data Abroad via Cookies
Another issue addressed about cookies within the scope of KVKK is the transfer of our personal data abroad through cookies. KVKK expects all data transfers abroad to comply with the provisions of KVKK, regardless of whether the data is transferred abroad through cookies or other means.
Refusing the Use of Cookies
According to Article 11 of the KVKK, personal data owners have the right to request that their personal data be stopped or deleted. Therefore, websites should inform users that they have the right to refuse the use of cookies.
Risks
The biggest risk of using cookies is that our personal data may fall into the hands of a person or persons with malicious purposes through cookies. Although the cookies used on websites and applications are intended to be regulated and made secure by legal regulations such as KVKK, there are also cookies used for malicious purposes. Malicious cookies, which we call zombie cookies, are permanently installed on users' computers. Even if cookies are deleted from computers, they may reappear and are very difficult to remove. Like other third-party cookies, zombie cookies can be produced by web analytics companies or by hackers and can be used to infect systems with viruses and malware.
What we need to do to minimize the risks posed by cookies;
- Not accepting cookies other than mandatory cookies,
- Not entering untrusted sites, not accepting cookies if entered,
- Deleting cookies on our computers with the help of our browser,
- To be aware of the use of cookies.
The use of cookies is included in every step of our internet usage as a result of digitalization. It is extremely important to get to know cookies, which are so integrated with our digital life, and to understand the conveniences and risks they create, to ensure our information security.
SOURCE
[1] Guide on Cookie Applications (KVKK)
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/fb193dbb-b159-4221-8a7b-3addc083d33f.pdf
[2] Personal Data Protection Authority Bulletin Number: 3 “Online Privacy and Cookies”
https://kvkk.gov.tr/SharedFolderServer/CMSFiles/c4cb3fce-4c4d-40af-9410-fe3bdcfae8e9.pdf
[3] Personal Data Protection Law No. 6698
https://www.mevzuat.gov.tr/mevzuat?MevzuatNo=6698&MevzuatTur=1&MevzuatTertip=5
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.