Firstly, it should be noted that the cookies that appear every time when we visit websites are called the small information files that are stored in internet browsers by websites are called cookies. Cookies appear every time when we visit websites. Thanks to cookies in HTTP communication, the server can remember the actions and information of the users during their past visits, and can keep all the information of the user up-to-date by combining the actions and information of the user on other websites visited with the same web browser. In addition, cookies are also used to save the personal preferences of users. While the data obtained through cookies and some types of cookies can be used to store information such as language preference or location of website visitors. Cookies may also be save the personal data such as IP address, user name, unique identifier or e-mail address.
The issues explained above may bring to our mind the question of what data conditions might be applicable for the processing of personal data via cookies within the scope of the Law.
In this regard, personal data can be processed with the explicit consent of the data owner in Article 5 of the Law on the Protection Of Personal Data, which regulates the processing conditions of personal data, the data processing conditions that constitute an exception to this rule are listed. It should be noted that in terms of sensitive personal data, “The processing conditions of sensitive personal data” in Article 6 of the Code will come to the fore. Within the scope of the relevant article, it may be possible to process such data through cookies without the explicit consent of the data owner in extremely limited situations.
Explicit consent; defined as “Consent on a certain subject, based on information and expressed with free will” in the Code. Explicit consent within the framework means that the person gives his/her consent to the processing of his/her data, voluntarily or upon request from the other party. Another importance of explicit consent is that it guides the data processor about the action to be taken. In this sense, explicit consent must include the “positive statement of will” of the person.
Within the scope of the definition of explicit consent in Article 3 of the Code, there are 3 elements of explicit consent:
– Relating to a specific subject,
– Consent is based on information,
– Disclosure of free will.
Edit Preferences Reject Accept
So, how can controller direct users to access websites to give explicit consent?
1- Nudging Method: With Directing. It means gently guiding the person to do something. (For example, painting the “accept” button, which is frequently seen on websites, and directing people to click on that button.)
2- Dark Patterns Method: It means directing the user/related person to give explicit consent, mostly with subliminal techniques.
3- It can be in the form of technical design or in the form of obtaining consent through consent fatigue by directing the user to click many buttons.
In practice, the relations between the controller and the data processor, especially those who do not have an IT unit or do not have their own servers, and those who outsource the IT service, may also be responsible for the companies that provide that service.
In the light of the above, the Evaluation of the Subject on the “Amazon Decision”, which is one of the important judgement of the Personal Data Protection Board:
The Personal Data Protection Board (“Board”) made evaluations regarding cookies in its Decision dated 27/02/2020 and numbered 2020/173 on Amazon Turkey Perakende Hizmetleri Limited Şirketi (“Amazon”), and it is the one of the crucial adjudgement in this context.
The processing of advertising/marketing cookies issued by the Board and therefore cookies used for statistical and analysis purposes should be subject to explicit consent. In fact, the use of functional cookies that individualize the site content for users may be subject to the explicit consent.
Data controllers must comply with the requirements of the Code on how to obtain explicit consent about cookies on websites. In other words, before explicit consent a clarification text must be published by data controllers. Explicit consent must be given freely based on an active behavior, and must be a prerequisite for providing a service.