The Decision of the Personal Data Protection Board Regarding the Cookies
Since there is no particular legislative regulation on the personal data processing through the cookies within the scope of the Law on Protection of Personal Data No. 6698 (“Law”), it brings to mind the question of how this processing activity will be carried out. Recently, with the Guideline on Cookie Practices published on the website of the Personal Data Protection Board (“Board”), the processing of personal data through cookies has been clarified for the website operators. In addition, some principles on the processing policies of cookies have been determined by the decisions made by the Board. In this article, we aim to examine the most recent decision of the Board regarding the data processing activities made through cookies.
The following issues were briefly mentioned in the complaint petition which is the subject of the Board’s decision dated 10.03.2022 and numbered 2022/229, regarding the unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector:
- Although the personal data processed within the scope of the activities of the website or the cookies used are transferred abroad, the explicit consent of the data subject is not obtained in this context;
- It is not specified to which data subject group the data subject belongs, the processing purposes of data categories and data types are not fully explained and their scope is not understandable;
- It is not clear which type of data is processed from the explanations under the marketing information data category; although the data subject has not given explicit consent for a commercial electronic message, targeting and analysis cookies are active in the browser and in the application.
In this regard, the Board was requested to take necessary action.
In the letter sent by the data controller to the Board upon the complaint of the data subject, the following issues were addressed:
- Personal data processed through cookies on the browser in order to identify the data subject are in the form of cookies that are not strictly necessary cookies, and they are processed under the condition that data processing is mandatory for legitimate interests in accordance with the Law;
- Other cookies, other than those that are not strictly necessary cookies, are cookies that are absolutely necessary for the provision of the electronic commerce service offered to users as an information society service provider, and it is not necessary to obtain explicit consent from the website or mobile application users in terms of these;
- Analytics, user behavior tracking, and other online advertising cookies, which are not strictly necessary cookies are used, and in this context, a pop-up privacy notice appears after users first visit the website;
- The cookies used are not put forth as a prerequisite for the service, and the provision of the electronic commerce service is not subject to the acceptance of these cookies, unlike the applications called cookie walls or tracking walls in the European Union.
You may access the Decision by this link.