Latest developments in technology increased the control of big tech firms over personal data. One of the most common ways of tracking end-users is the use of cookies. Cookies are small data files that are installed on user devices by websites. While some cookies are known as strictly necessary for an enhanced functioning of a website, others are mostly optional. The latter can offer various benefits to the website owner such as improving user experience on the website or providing personalized advertisement depending on user preference. This data collected by cookies may include personal data related to end-users. This is why use of cookies is subject to personal data protection legislation. 

Cookies are not specifically legislated under Turkish Law no. 6698 on the Protection of Personal data (“LPPD”), however; the Turkish Data Protection Authority (“DPA”) held a significant decision on 27 February 2020 on this subject. Turkish DPA fined Amazon for a failure to comply with data controller’s obligation to inform data subject of the processing starting from the beginning of the processing activity. In other words, Amazon was processing personal data of website visitors thanks to cookies starting from the moment they visited the page, nonetheless; it did not provide adequate information regarding the use of cookies on its website. Therefore, it did not obtain the explicit consent of its users for data processing. It is also brought to attention that clauses such as “if you block or decline our cookies you cannot add items to Amazon Cart” are restrictive and thus; free consent cannot be obtained by forcing visitors to accept cookies to benefit from Amazon services.

 Even if the difference between mandatory and non-mandatory cookies is not mentioned in the decision, it should be emphasized that obtaining prior consent shall be considered compulsory for non-mandatory cookies such as marketing of statistical cookies. Another issue to consider is to provide the freedom to choose to website visitors. In other words; declining the use of non-mandatory cookies shall not prevent the visitor from benefiting from other services offered by the website. If the user is not free to opt-in or out for non-mandatory cookies, the consent  should be deemed unlawful. 

As stressed throughout the note, the subject decision of Turkish DPA concludes some essential rules in terms of cookie use. However, there are still many points that have to be clarified in terms of cookie use. The issue is expected to be handled in more detail in future decisions of the DPA. In the meantime, Guidelines published by European Union Member States’ such as “Guidance Note: Cookies and other tracking Technologies” of Irish Data Protection Authority can serve as valuable resources.  

Ayça Doğu, LLM


Leave a comment