Usage of Cookies and “Draft Guideline” Published by the Board
I. INTRODUCTION
Although Turkey’s data protection legislation does not “yet” regulate cookies, they occupy a large place in people’s daily lives. Some cookies are subject to the Law on the Protection of Personal Data No. 6698 (“the Law”), because the information they collect constitutes personal data.
The Personal Data Protection Board (“the Board”) has prepared an advisory and guiding draft guide (“the Guide”) for data controllers who process personal data through cookies, and announced this “draft” guide on its website on 11.01.2022.
In this note, general information about cookies and cookie practices will be given first, after which the Guide published by the Board will be briefly reviewed.
II. GENERAL INFORMATION ABOUT COOKIES
1. What is a Cookie?
Cookies, in simple terms, are small data files created by a web server and placed on a person's computer or other device by the web browser while browsing a website. Cookies can be used for purposes such as improving the browsing experience, showing more consistent and personalized advertisements on web pages, improving the functionality of the website used, and analyzing site visits.
Cookies offer many benefits to people when they are used in compliance with the legislation. Thanks to cookies, users encounter the content they are interested in more often, they do not have to log in to a site on every visit, and keeping some user information benefits users. However, if cookies are not used in compliance with the legislation, their use may violate the right of natural persons to the protection of their personal data, since cookies may collect personal data.
Cookies can be classified according to various criteria, such as how long they remain on the device where they are stored, whether or not they can be deleted, or the party that places them. Since the Guide examines cookies separately under these criteria, cookie types will not be discussed in detail in this section, in order to avoid repetition.
2. Risks of Cookies
Cookies store much personal data, such as people's interests, the time they spend on the relevant sites during a session, usernames and passwords. For this reason, there is no doubt that data controllers should comply with the legislation on the protection of personal data when using cookies. However, because there is not (yet) a special regulation on cookies in Turkey, and because data controllers fail to comply with the legislation, examples of cookies placed in accordance with the legislation are very rare. Therefore, new and detailed regulations are needed to protect personal data collected through cookies, which may fall into the hands of unauthorized third parties through cyber-attacks or for commercial motives. In this context, in order to better understand what should happen, it seems beneficial to examine cookie regulations primarily in the EU.
3. Regulations on Cookies in EU Countries
Among European countries, France is one of those with the strictest and most comprehensive regulations on cookies. In order not to make our study too long or to complicate its readability, French practice will be taken as the example in this study, and the examination will be limited to these examples.
France's data protection authority, CNIL (Commission Nationale Informatique & Libertés), has introduced various regulations regarding cookies. CNIL has not only introduced regulations but has also imposed serious sanctions on data controllers who do not comply with them. As a striking example, CNIL fined two tech giants, Google (€100 million) and Amazon (€35 million), for “placing advertising cookies on users' computers without obtaining prior consent and without giving adequate information”.
According to the aforementioned regulations, not all kinds of cookies require the consent of the data subject. The cookies exempt from the consent requirement are as follows:
• Cookies used “only for the purpose of transmitting a communication over an electronic communication network” (cookies used to perform the function of the relevant site);
• Cookies that are “strictly necessary to provide an 'information society service' that is expressly requested by the subscriber or user to provide the service” (cookies used to provide a service requested by the user).
Examples of such cookies are the cookies used by an online shopping site to remember the products in the basket, or the cookies used to rewind a media file (video/music).
In this context, the cookies for which consent is required are those used for advertising and analytics, generally called “Tracking Cookies”, and other cookies serving such purposes, without being limited thereto.
In the light of this information, looking at CNIL's guidance on cookie policies, we can see that it rests on 6 main principles. These are as follows:
1. Silence does not imply consent.
2. Consent requires clear and positive action.
3. Consent must be easily revocable.
4. Accepting or rejecting cookies should be equally easy.
5. Consent must be based on full information.
6. A record of consent should be kept.
III. TURKISH LAW AND “DRAFT GUIDE” PUBLISHED BY THE BOARD
In Turkish law, there is currently no primary source of law that directly regulates cookies and makes provisions in this regard. However, since cookie practices involve personal data processing activities, these activities must be carried out in accordance with the Law. The main problem here is understanding how the Law, which is very general and short, should apply to a very specific and technical activity such as cookies. At this point, the final guide to be issued will play an important role in determining compliance with the Law, as it will show how the Law should be implemented; although it will not be directly binding in itself, as in France, it is highly probable that the Board will base its future decisions on this guide. The draft Guide dated 11.01.2022 contains the following explanations regarding cookies:
1. Types of Cookies
First of all, we would like to point out that the Guide has been prepared only for cookies that process personal data, and that it does not cover similar technologies such as pixels, user fingerprinting, local storage and beacons. In the Guide, cookies are divided into different categories according to their duration, purpose of use and the parties involved. These categories and their explanations are briefly given below:
• Cookies by Duration
o Session Cookies: Provide session continuity and are deleted when the browser is closed.
o Persistent Cookies: Not deleted when the browser is closed; they are deleted after a certain period of time.
• Cookies by Purpose of Use
o Strictly Necessary Cookies: Cookies that are necessary for the website to function.
o Functional Cookies: Cookies used for personalization and remembering preferences.
o Performance-Analytical Cookies: Cookies used to analyze users’ behavior.
o Advertising-Marketing Cookies: Cookies that track the online movements of users, determine their personal interests and display advertisements to them on the internet according to these interests.
• Cookies by Placing Party
o First-Party Cookies: Cookies placed by the website visited.
o Third-Party Cookies: Cookies placed by a third party other than the website visited.
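The duration and placing-party categories above can be recognised mechanically from the Set-Cookie header a server sends: a cookie with neither Max-Age nor Expires lives only for the browser session, and a cookie whose scope belongs to a different registrable domain than the site visited is third-party. The following JavaScript is an added example written for this note, not code from the Guide or the Board; the sample headers, the host names and the two-label approximation of the registrable domain are constructed assumptions (a production classifier would consult the Public Suffix List).

```javascript
// Added example (not from the Guide or the article): classifying cookies the way
// the Guide does, by duration and by placing party, from Set-Cookie headers.
// All headers and host names below are constructed for illustration.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : parts[0].slice(0, eq).trim(),
    value: eq === -1 ? parts[0] : parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Duration: no Max-Age and no Expires means the cookie dies with the session.
function durationClass(cookie) {
  const a = cookie.attributes;
  return a['max-age'] !== undefined || a['expires'] !== undefined ? 'persistent' : 'session';
}

// Assumption: registrable domain (eTLD+1) approximated as the last two labels.
// A real implementation must use the Public Suffix List (e.g. for co.uk, com.tr).
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// Party: the Domain attribute (or, if absent, the host that set the cookie)
// is compared with the site the user actually visited.
function partyClass(cookie, settingHost, visitedHost) {
  const scope = cookie.attributes['domain'] || settingHost;
  return registrableDomain(scope) === registrableDomain(visitedHost)
    ? 'first-party'
    : 'third-party';
}

function classifyCookie(header, settingHost, visitedHost) {
  const cookie = parseSetCookie(header);
  return {
    name: cookie.name,
    duration: durationClass(cookie),
    party: partyClass(cookie, settingHost, visitedHost),
  };
}

// Constructed sample: three Set-Cookie headers seen while visiting shop.example.com.
const SAMPLE = [
  { header: 'SESSIONID=abc123; Path=/; Secure; HttpOnly', settingHost: 'shop.example.com' },
  { header: 'prefs=lang%3Dtr; Max-Age=2592000; Path=/', settingHost: 'shop.example.com' },
  {
    header: 'uid=xyz; Domain=.ads-tracker.example; Expires=Wed, 01 Jan 2025 00:00:00 GMT',
    settingHost: 'pixel.ads-tracker.example',
  },
];

function classifyAll(samples, visitedHost) {
  return samples.map((s) => classifyCookie(s.header, s.settingHost, visitedHost));
}

console.table(classifyAll(SAMPLE, 'shop.example.com'));
```

The purpose category (strictly necessary, functional, analytical, advertising) cannot be read from the header; it follows from what the controller does with the cookie, which is why the Guide asks for it to be documented in the information text rather than inferred.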
2. Legislation Applicable to Cookies
In the Guide, besides the Law, reference is made to the Electronic Communications Law No. 5809. Drawing attention to the third paragraph of Article 51 of Law No. 5809, the Guide notes that this provision corresponds to the third paragraph of Article 5 of the e-Privacy Directive. Owing to this correspondence, it is stated that the relevant article of Law No. 5809 will have a limited area of application in terms of cookies, for data controllers that are operators. According to the relevant article, “electronic communication networks can be used by operators to store information on terminal devices of subscribers/users or to access stored information apart from providing communication, provided that the data subjects are clearly and comprehensively informed about the processing of data and their explicit consent is obtained.”
One of the issues that creates the difference between the two articles, and therefore limits the scope of application of Law No. 5809, is that Law No. 5809 makes no distinction as to requests for information society services; the other is that Law No. 5809 applies only to data controllers that have the title of “operator” within the scope of that law, rather than to all data controllers.
In the Guide, taking into account the European Union regulations mentioned above in this article, two criteria have been introduced for evaluating whether or not consent is required for cookies:
• Criterion A: the cookie is used only for the purpose of providing communication over the electronic communication network;
• Criterion B: the cookie is strictly necessary for an information society service that the subscriber or user has explicitly requested.
At this point, referring to the data processing conditions in the Law, the Guide states that an evaluation should be made according to these conditions in the concrete case (that is, if none of the exceptions in Article 5/2 or 6/3 applies, explicit consent must be obtained). Where processing relies on Article 5/2-f (legitimate interest of the data controller), it is stated that a balancing assessment should be made taking into account the two criteria above. However, it is also stated that “in case of processing of personal data by means of cookies within the scope of adding a product to user’s cart on an e-commerce site, the establishment or performance of a sales contract may be based on subparagraph (c) of the second paragraph of Article 5 of the Law”. This reveals that the said criteria will come into question only in evaluations made under Article 5/2-f.
3. Examples From Practice
In the Guide, examples are given of how cookies should and should not be used. In order not to lengthen our article or to complicate its readability, the usage examples given will not be covered completely; only the basic examples will be briefly mentioned.
3.1. By Type of Cookies
Briefly, the examples of appropriate use that do not require explicit consent are: cookies that allow adding products to the basket on a shopping site (Criterion B), temporary session cookies that remember login information (Criterion B), flash cookies that help multimedia playback (Criterion B), load-balancing session cookies whose sole purpose is to identify communication endpoints (Criterion A), and personalization cookies used only at the request of the data subject (Criterion B).
Briefly, the cookie applications that require explicit consent include social plug-in tracking cookies and online behavioural advertising cookies, which use third-party cookies to track members and non-members for additional purposes such as behavioural advertising, analytics or market research.
3.2. According to Cookie Placement
While cookies are being placed, the persons whose data are processed should be informed in accordance with the Law and, where necessary, their explicit consent obtained.
Explicit consent must be obtained through an active affirmative action, with specific and separate information given to the data subjects about what they are asked to consent to. Therefore, consent not given by active action will not be valid. At this point, consent for cookies should be obtained on an opt-in basis. The fact that a user uses a website does not mean that he/she allows cookies on that website. Therefore, it would be unlawful to assume that people accept cookies when entering the site.
The Guide draws attention to the main elements of explicit consent and explains these issues specifically for cookies:
• Relating to a specific subject: it is necessary to specify (i) the purpose of use of the cookie, (ii) the duration of the cookie, determined proportionately to this purpose, and (iii) whether the cookie is first- or third-party.
• Based on information: the information must be given in a clear, simple and understandable manner, covering all elements of the obligation to inform; presenting an information text that also covers many other subjects cannot be interpreted as fulfilling the obligation to inform.
• Given with free will: considering that the data subject can revoke explicit consent given to the data controller at any time, explicit consent given for cookies should also be revocable, and it is recommended that icons providing this be included on the website. In this context, measures that prevent use of the website unless cookies are allowed, such as cookie walls (imposing explicit consent as a condition of service), harm the free disclosure of explicit consent.
In the light of these explanations, when consent for cookies is obtained, a pop-up or panel about cookie information and permissions should open at the first visit to the site. The “accept” and “reject” options must be presented with the same qualities in terms of colour, size and font. In addition, it has been clearly stated that placing provisions on consent to cookies in texts such as “Terms of Use” or “Site Terms and Conditions” does not mean that individuals have given explicit consent in accordance with the law. However, obtaining consent at every access to the website will also give rise to “consent fatigue” and will undermine the legality of explicit consent. For this reason, it is recommended to remind users periodically that consent has been obtained.
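The rules in this section and CNIL's six principles in section II.3 above reduce to a small state machine: nothing beyond strictly necessary cookies before an active choice, a per-category record with a timestamp, withdrawal in a single step, and a banner shown once and then only as a periodic reminder. The following JavaScript is an added example written for this note, not code from the Guide or the Board; the category names follow the Guide, while the storage interface, the 180-day reminder period and the sample visit are assumptions made for the example.

```javascript
// Added example (not the Guide's or the article's code): a minimal opt-in consent
// record.  Category names follow the Guide; the store interface, the reminder
// period and the sample visit below are assumptions made for this example.
// Runs without a browser: any object with get/set/remove can stand in for a
// first-party consent cookie or a localStorage wrapper.

const CATEGORIES = ['strictly_necessary', 'functional', 'analytics', 'advertising'];
const EXEMPT = new Set(['strictly_necessary']); // Criterion A/B cookies: no consent needed
const MS_PER_DAY = 86400000;

function createConsentManager(store, now = () => Date.now()) {
  const KEY = 'cookie_consent_v1';
  const read = () => {
    const raw = store.get(KEY);
    return raw ? JSON.parse(raw) : null;
  };
  return {
    // Silence is not consent: with no record, only exempt categories may be used.
    isAllowed(category) {
      if (EXEMPT.has(category)) return true;
      const rec = read();
      return rec !== null && rec.choices[category] === true;
    },
    // Record a per-category choice made by active action.  Categories not
    // explicitly set to true are recorded as rejected, never assumed accepted.
    record(choices) {
      const normalised = {};
      for (const c of CATEGORIES) {
        if (!EXEMPT.has(c)) normalised[c] = choices[c] === true;
      }
      const rec = { choices: normalised, grantedAt: now(), version: 1 };
      store.set(KEY, JSON.stringify(rec)); // the kept record of consent
      return rec;
    },
    // Withdrawal must be as easy as giving consent: one call clears everything.
    revoke() {
      store.remove(KEY);
    },
    // Ask only when there is no record (avoids consent fatigue); after
    // reminderDays, remind the user that consent is on file instead of re-asking.
    bannerState(reminderDays = 180) {
      const rec = read();
      if (!rec) return 'ask';
      return (now() - rec.grantedAt) / MS_PER_DAY >= reminderDays ? 'remind' : 'silent';
    },
  };
}

// Constructed in-memory store standing in for a first-party consent cookie.
function memoryStore() {
  const m = new Map();
  return {
    get: (k) => (m.has(k) ? m.get(k) : null),
    set: (k, v) => m.set(k, v),
    remove: (k) => m.delete(k),
  };
}

// Gate placed where a cookie would actually be set; `jar` models the browser's cookie store.
function setCookieIfAllowed(consent, category, name, jar) {
  if (!consent.isAllowed(category)) return false;
  jar.push(name);
  return true;
}

// Constructed visit: first visit asks; the user accepts functional cookies only;
// analytics and advertising stay blocked; a reminder is due after 180 days;
// revocation returns the site to the initial "ask" state.
function demo() {
  let clock = Date.UTC(2022, 0, 11); // constructed clock so the run is deterministic
  const consent = createConsentManager(memoryStore(), () => clock);
  const jar = [];
  const trace = [];
  trace.push(consent.bannerState());
  trace.push(setCookieIfAllowed(consent, 'analytics', '_analytics_id', jar));
  trace.push(setCookieIfAllowed(consent, 'strictly_necessary', 'SESSIONID', jar));
  consent.record({ functional: true });
  trace.push(setCookieIfAllowed(consent, 'functional', 'prefs', jar));
  trace.push(setCookieIfAllowed(consent, 'advertising', 'uid', jar));
  clock += 200 * MS_PER_DAY;
  trace.push(consent.bannerState(180));
  consent.revoke();
  trace.push(consent.bannerState());
  return { trace, jar };
}

console.log(demo());
```

In a browser the store would be backed by a first-party cookie or localStorage, and the consent record itself falls under Criterion B since it only exists to honour the user's request. The equal prominence of the accept and reject controls (colour, size, font) is a presentation requirement that has to be checked in the markup, not in this logic.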
In the remainder of the Guide, screenshots of application examples that contradict the foregoing explanations are included, the “Amazon Decision” is referred to, and attention is drawn to the illegalities found in it. This decision was also examined by our office earlier; our explanations on this subject can be reached from the link in the footnote.