In this article, we will try to evaluate the current developments regarding cookies, explicit consent in the use of cookies and examples in practice within the scope of the Law on the Protection of Personal Data No. 6698 (“Law”).
Firstly, it should be noted that the cookies that appear every time when we visit websites are called the small information files that are stored in internet browsers by websites are called cookies. Cookies appear every time when we visit websites. Thanks to cookies in HTTP communication, the server can remember the actions and information of the users during their past visits, and can keep all the information of the user up-to-date by combining the actions and information of the user on other websites visited with the same web browser. In addition, cookies are also used to save the personal preferences of users. While the data obtained through cookies and some types of cookies can be used to store information such as language preference or location of website visitors. Cookies may also be save the personal data such as IP address, user name, unique identifier or e-mail address.
The issues explained above may bring to our mind the question of what data conditions might be applicable for the processing of personal data via cookies within the scope of the Law.
In this regard, personal data can be processed with the explicit consent of the data owner in Article 5 of the Law on the Protection Of Personal Data, which regulates the processing conditions of personal data, the data processing conditions that constitute an exception to this rule are listed. It should be noted that in terms of sensitive personal data, “The processing conditions of sensitive personal data” in Article 6 of the Code will come to the fore. Within the scope of the relevant article, it may be possible to process such data through cookies without the explicit consent of the data owner in extremely limited situations.
Explicit consent; defined as “Consent on a certain subject, based on information and expressed with free will” in the Code. Explicit consent within the framework means that the person gives his/her consent to the processing of his/her data, voluntarily or upon request from the other party. Another importance of explicit consent is that it guides the data processor about the action to be taken. In this sense, explicit consent must include the “positive statement of will” of the person.
Within the scope of the definition of explicit consent in Article 3 of the Code, there are 3 elements of explicit consent:
– Relating to a specific subject,
– Consent is based on information,
– Disclosure of free will.
To take explicit consent of the user about notice of controllers, the most common method is, “the use of cookies on the website” to provide clarification text and mostly to provide the relevant people with links where they can access the entire cookie policy according to the Code.
Although less, it is seen that some data controllers allow visitors to approve the use of cookies with “Accept” and “Go to Settings” redirects. As a result of the research we have done, the most frequently encountered cookie texts on websites are as follows.
We use cookies for you to benefit from our website in the most efficient way and for improving your experience on our website. You may see the principles concerning collection of user data in our Cookie Policy Statement. If you prefer to disable the cookies, you may delete or block the cookies from your browser’s settings. However, we would like to remind you that this may affect your use of our website. Unless you change the cookie settings on your browser, we assume that you accept the use of cookies on this website. Edit Preferences Reject Accept |
In general, it is seen that warnings and clarification texts are made with the words “this site uses cookies” or similar expressions, and that the visitors can reach the cookie policies by clicking the link in the same text.
So, how can controller direct users to access websites to give explicit consent?
1- Nudging Method: With Directing. It means gently guiding the person to do something. (For example, painting the “accept” button, which is frequently seen on websites, and directing people to click on that button.)
2- Dark Patterns Method: It means directing the user/related person to give explicit consent, mostly with subliminal techniques.
3- It can be in the form of technical design or in the form of obtaining consent through consent fatigue by directing the user to click many buttons.
4- With an active verb: It means accepting the cookie policy along with accepting the website.
In practice, the relations between the controller and the data processor, especially those who do not have an IT unit or do not have their own servers, and those who outsource the IT service, may also be responsible for the companies that provide that service.
As a matter of fact, it will be possible to examine who has the obligation to give the form of explicit consent by the Board. Again, in this context, reviewing the data processing agreements of the website, controllers will help prevent future problems. It is clear that companies providing design services and data analysis services should also take the cookie policy seriously within the scope of The Law On The Protection Of Personal Data and develop it especially when the European market is taken into account.
In the light of the above, the Evaluation of the Subject on the “Amazon Decision”, which is one of the important judgement of the Personal Data Protection Board:
The Personal Data Protection Board (“Board”) made evaluations regarding cookies in its Decision dated 27/02/2020 and numbered 2020/173 on Amazon Turkey Perakende Hizmetleri Limited Şirketi (“Amazon”), and it is the one of the crucial adjudgement in this context.
In the Amazon judgement, in sum, the Board has determined, that although the personal data of the website visitors are processed through cookies from the moment they enter the website of Amazon, the website visitors are not informed about the use of cookies on the website and even explicit consent is not obtained in terms of certain types of cookies. In this context, with the aforementioned decision, the Board announced that cookies are a personal data processing activity within the meaning of The Law On The Protection Of Personal Data, that the relevant persons should be informed and that the explicit consent of the relevant visitors should be obtained for the cookies that do not have a reason for processing other than explicit consent.
According to the evaluations made by the officials of the Personal Data Protection Authority, the expectation of the Authority is that all data controllers who use cookies must first fulfill their obligation of disclosure. In addition, the explicit consent of the data subject must be obtained in a demonstrable manner before the data is processed through cookies, such as advertising/marketing cookies, where the personal data processing condition is determined to be explicit consent.
The processing of advertising/marketing cookies issued by the Board and therefore cookies used for statistical and analysis purposes should be subject to explicit consent. In fact, the use of functional cookies that individualize the site content for users may be subject to the explicit consent.
CONCLUSION:
Data controllers must comply with the requirements of the Code on how to obtain explicit consent about cookies on websites. In other words, before explicit consent a clarification text must be published by data controllers. Explicit consent must be given freely based on an active behavior, and must be a prerequisite for providing a service.