COOKIE APPLICATIONS WITHIN THE SCOPE OF WEBSITE ACTIVITIES

What is a Cookie?

Cookies, as defined in the Guidelines on Cookie Applications published by the Personal Data Protection Authority (‘Authority’), are ‘a type of text file (software) placed on the user device by those performing website operations and transferred as part of the HTTP(S) (‘HyperText Transfer Protocol’) request. In simple terms, cookies are small rich text formats that allow certain information about users to be stored on users’ terminal devices when a web page is visited.’

This article covers the types of cookies used in the processing of personal data, which are on the radar of both the Personal Data Protection Board (‘PDP Board’) under the Personal Data Protection Law No. 6698 (‘KVKK’) and the Advertising Board under the advertising legislation, together with their retention periods and the prerequisites for compliance with the legislation.

  • Types of Cookies

Cookies can be analysed under three classifications: by their duration, by their purpose of use, and by the party that sets them.

Cookies according to their duration

Session Cookies: A type of cookie used to maintain the visited website session. Session cookies allow previously visited pages to be remembered and are automatically deleted when the browser session ends.

Persistent Cookies: A type of cookie that is not deleted when the browser is closed and is automatically deleted on a set date or after a set period. They are sometimes also called tracking cookies. Persistent cookies can record and use information about browsing habits over a long period and can be used, for example, to simplify logging in to a website the user has logged in to before.

Cookies by Purpose of Use

Strictly Necessary Cookies: These cookies are required for the website to operate; if they cannot be used, part or all of the website may not work. Because they are essential for the website to fulfil its functions, no explicit consent from the visitor/user is required for the processing of these cookies. As an example, the products added to the basket on an e-commerce site are still displayed to the user when they proceed to the payment screen.

Functional Cookies: These cookies allow personalisation on websites or applications and ensure that users’ preferences are remembered. Because their functions are not essential to the operation of the website, their use must be based on explicit consent. For example, the user may set the website background to a dark or light colour scheme.

Performance-Analytical Cookies: These cookies analyse user behaviour and allow it to be measured statistically. Performance-analytical cookies are used both to improve websites and to measure the effect of advertisements on individuals. Accordingly, explicit consent is mandatory for performance-analytical cookies that enable determinations such as the number of daily visitors or which search keywords bring visitors to the website.

Advertising/Marketing Cookies: These cookies analyse users’ online activity, determine their interests and enable advertisements tailored to those interests to be displayed to them. Advertising/marketing cookies are used to profile users by observing which areas of the website are visited and which products attract interest. Explicit consent is mandatory for the use of these cookies.

Cookies by Parties

Cookies are classified as first-party or third-party depending on which website or domain sets them. Briefly, first-party cookies are those set directly by the website being visited, while third-party cookies are those set by a party other than the website being visited.

Storage Periods of Cookies

Session Cookies: Cookies that are deleted when the browser is closed. These cookies are automatically deleted when the browsing session is terminated.

Persistent Cookies: Cookies that are stored on the device until manually deleted by the user or until the expiry date set for the cookie. Pursuant to Article 5 of Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed Through These Publications, hosting providers are obliged to retain traffic data for not less than one year and not more than two years. It is accepted that this article indirectly covers cookies, but there is no explicit regulation on the retention period of cookies in Turkish law. Under the European General Data Protection Regulation (‘GDPR’), cookies should be retained only ‘for as long as necessary’. According to the French data protection authority (Commission Nationale de l’Informatique et des Libertés, ‘CNIL’), cookies that do not require consent, in other words cookies that are essential for the use of the website, may be retained for up to six months. Although this CNIL recommendation is not binding on other jurisdictions subject to the GDPR, it is considered an example of good practice.

Performance-Analytical Cookies: The retention periods of performance-analytical cookies rest on what is common in the sector and on what regulatory bodies recommend as good practice, rather than on a specific legal obligation. These recommended periods are intended to allow websites to understand user behaviour and improve their performance, particularly within the framework of legislation such as the GDPR. Relevant periods can also be found in guidance issued by regulatory bodies and in the privacy policies of major technology companies. For example, tools such as Google Analytics are observed to set a default retention period of four months while also offering the option to extend it to up to twenty-four months.

Apart from the legal regulations and practice recommendations set out above for session cookies, persistent cookies and performance-analytical cookies, other cookies, for which there is no specific legal regulation or practice recommendation in Turkey or the European Union, may be retained until the purpose of use ends or until the data subject withdraws consent, and must then be irreversibly deleted or anonymised.

Elements of Explicit Consent in the Processing of Cookies

Where explicit consent from data subjects is required for the processing of cookies placed on websites, certain conditions must be met for that consent to be valid. The data subject must be clearly informed of what they are consenting to when giving explicit consent, and the consent must be obtained through an affirmative action. Consent claimed on the basis of scenarios such as default (pre-selected) consent will not be accepted as valid explicit consent.

In this context, the following elements of explicit consent must all be present for cookies processed on websites that require explicit consent:

  • Explicit consent must relate to a specific subject.
  • Explicit consent must be informed. In this context, it is important to present the Cookie Information Text to individuals.
  • Explicit consent must be given freely, through an affirmative action, and must be revocable at any time.

In addition to the above conditions, there are further rules to follow when obtaining explicit consent from users, in accordance with the guidelines published by the Authority, the decisions of the PDP Board and the practice of the Advertisement Board. For example, the ideal practice in cookie panels used to obtain explicit consent on websites is to include a ‘preferences’ or ‘manage settings’ option next to the ‘accept’ and ‘reject’ options, and to present all of these options in the same colour, size and font.

Practices that undermine users’ free will and force them to give explicit consent are also expressly prohibited. A cookie panel that covers the entire screen when the website is entered, such that the website’s content cannot be viewed unless consent is given, is an example of a practice that undermines free will and is therefore prohibited. As a further practice recommendation, CNIL emphasises that withdrawing explicit consent should not be more difficult or complex than granting it.

Dark Pattern Practices

Dark design (dark patterns) is defined as the use of design tricks that steer users’ attention in a particular direction so that they perform the desired action; it is used to influence consumers or users into decisions that favour the seller or provider by restricting their free will.

Frequently encountered dark designs include:

  • Presenting the consent toggles for cookies that require explicit consent as pre-enabled in the cookie panel, so that the user has to opt out rather than opt in,
  • Steering the user towards the accept option in cookie pop-ups through differing colours and designs, such as presenting the accept option in green and the reject option in red, or presenting the accept option in vivid colours and the reject option faintly,
  • Making it impossible to view the page without consenting to cookies (a cookie wall) by designing the cookie pop-up/panel to cover the entire screen.

Since the use of dark designs has become widespread recently, various authorities, the Authority in particular, are taking measures against dark designs and publishing guidelines and recommendations.

Dark design practices are also listed in Annex A/22 of the Regulation on Commercial Advertising and Unfair Commercial Practices, where they are defined as the use of methods, by means of tools such as steering interface designs, options or expressions relating to a good or service on the internet, that adversely affect consumers’ ability to make a decision or choice, or that aim to shift the decision they would make under normal conditions in favour of the seller or provider; such practices are treated as deceptive commercial practices.

Similarly, the Cooperation Protocol (‘Protocol’) signed between the Authority and the Ministry of Trade of the Republic of Turkey (‘Ministry of Trade’) states that joint policies will be developed against dark designs, with the aim of raising consumer awareness of digital advertisements and applications and strengthening consumers’ control over their personal data. The Protocol defines dark designs as ‘an unlawful practice that is designed to ensure that users engage in a certain behaviour, restricts free will and directs users to a specific target’.

In its announcement published last year, the Advertisement Board stated that it has placed dark designs under scrutiny and defined them as ‘manipulative interface designs that negatively affect consumers’ will to make decisions or choices in digital environments, aiming to change the decision they would normally make in favour of the seller or provider, offering pre-selected options and making other options difficult in order to direct consumers to certain preferences’. The announcement also states that injunction and access-blocking decisions will be taken against websites where dark design practices are detected.

Looking at how dark designs and non-compliant cookie practices are treated by the PDP Board, it is observed, consistent with the explanations above, that importance is attached to the presence of all conditions of explicit consent, and that dark design practices are met with instructions or penalty decisions. For example, in the Summary of the Decision of the PDP Board dated 23/12/2022 and numbered 2022/1358 on ‘Failure to provide clarification and explicit consent texts regarding cookies on a website’, the PDP Board found that the data controller had not obtained explicit consent for non-mandatory cookies that track user activity and had not presented the clarification text to visitors to the site. The PDP Board determined that such cookies must be disabled by default when the website/mobile application is entered and that users must give opt-in consent to activate them; it imposed an administrative fine of 300,000 TL and instructed the data controller to correct the practice.

The PDP Board emphasised the importance of the opt-in mechanism with similar evaluations in the Summary of the Decision of the PDP Board dated 10/03/2022 and numbered 2022/229 on ‘Unlawful processing of personal data through cookies used on the website/mobile applications by the data controller company operating in the e-commerce sector’. The same decision also stated that, for the accessibility of the disclosure, it is important to include in cookie pop-ups a link that takes the data subject directly to the Cookie Policy, and underlined that clear and simple language should be used in that text, given that cookies are a technical subject.

GRC LEGAL Comment

In website applications, each website’s field of activity, the cookies to be placed and the purpose pursued through those cookies should be evaluated on their own terms. The cookies processed on a website prepared purely to inform the user and those processed on a website carrying out e-commerce activities cannot be expected to be of the same nature. This should be considered within the scope of the principle that personal data processing must be related to, limited to and proportionate to its purpose, and the compatibility of the cookies to be placed with the nature of the site should be assessed.

As an extension of this, it is also extremely important to determine technically the nature of the cookies processed on the website, to prepare a Cookie Information Text / Cookie Policy, to create a cookie panel where necessary, and to obtain the approvals in that panel in accordance with the legislation and recommended practices.

In light of all these explanations, it is recommended that cookie practices, which closely concern natural and legal persons that own websites and conduct their activities through them, be designed and operated with legal and technical consultancy and kept up to date, in order to avert a possible complaint or investigation, to stay off the radar of regulatory and supervisory authorities, and thus to minimise risk.