All Eyes of the Data Protection Authorities are on Cookies!

January 2022 Sevgi Ünsal Özden
% 0


In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed the balance of the business world, and has critical implications for the global economy-- especially for competition between companies.

Although there are many data collection methods, internet cookies are one of the more remarkable methods of obtaining data. Basically, cookies aim to make users' internet experience easier. When the purposes and benefits are considered, cookies can be deemed as useful, practical, and essential for both web servers/websites and users. However, even though cookies do not have the characteristics of personal data by nature, the data obtained as a result of their usage could be specified as personal data. Given the rise of data-driven companies, the volume of data obtained and the personal nature of that data, the usage of cookies raises serious concerns regarding data security and privacy. Recently, data protection authorities from all over the world, including from Turkey, have been determining the rules and principles regarding the usage of internet cookies, making regulations, publishing guidelines, and even imposing penalties against some companies.

In this Newsletter, internet cookies, their usage and purposes, the practices of data protection and legislative authorities, and the current developments in this area will be examined briefly.

What Are Cookies?

Cookies (also called as HTTP[1] cookies, web cookies, internet cookies, or browser cookies) are defined as small blocks of data created by a web server while a user is browsing a website, and are placed on the user's computer or any other device such as smartphones or tablets. When a user visits a website, that user's web browser sends the user's access request to the server. The server then transmits the requested data and the information of this user to the web browser. By means of cookies in HTTP communications, the actions, information and preferences of the user during past visits can be recognized by the server, and certain information about the user may be stored by combining the actions and information of the user on other websites visited with the same web browser.[2]

Cookies are commonly used to identify specific users and to improve such users’ web browsing experience by enabling the web servers to automatically display login and/or payment details, to auto-fill form fields, to keep items added in an online shopping cart, to re-load previously reviewed content, etc. They also allow websites to show advertisements specific to a user’s past preferences.

Considering the characteristics of cookies, it could be argued that internet cookies do not constitute personal data on their own since the cookies are basically text files, containing a combination of numbers and letters. Yet, when cookies are combined with other data, it is possible to make the person identifiable.[3] For instance, cookies that collect and process IP addresses of users and collect information such as name and e-mail address entered in a registration or sales form on a web page should be considered personal data.[4]

Types of Cookies

Cookie types vary according to (i) their source, (ii) the length for which they are retained, and (iii) the purposes for which they are used. Within this scope, these could be classified as “first-party cookies - third-party cookies”; “temporary cookies (session cookies) - persistent cookies”, "mandatory cookies - functionality cookies - performance cookies (analytical cookies) - advertising / marketing cookies".

Mandatory cookies are cookies that are absolutely necessary for the website to work and be used as intended. If mandatory cookies are blocked, some parts of the website will not work. Functional cookies, on the other hand, allow individualizing the site content for users based on their preferences. Through these cookies, the website operator can store information such as which region the user is in, or which username and password the are using. It is possible to block such types of cookies.

Third-party cookies, one of the popular topics recently, (e.g. if the website contains images, advertising, social media plug-ins of other sites), are created by third parties, such as business partners or service providers, rather than by the website owner. The personal data obtained by institutions such as Google through third-party cookies, can be matched, analyzed, and profiled by combining them with data received from different sites. This possibility, naturally, raises privacy concerns all over the world.

Determining the type of internet cookies is crucial in terms of data protection legislation, since the circumstances that require explicit consent vary according to the type of cookie.

How are Cookies Regulated under Turkish Law?

Pursuant to Article 51/3 of Electronic Communications Law No. 5809, electronic communication networks may only be used by operators[5] to store information on terminal devices of subscribers/users or to access stored information provided that the relevant subscribers/users are clearly informed and their explicit consent is obtained. Providing communication services for subscribers/users is regulated as an exception to this rule.

Other than the above, there is no particular regulation that regulates the use of cookies in Turkey and which is applicable to all cookie users. However, cookies could fall within the scope of Turkish Personal Data Protection Law No. 6698 to the extent that they can be associated with an identifiable person. As a matter of fact, in 2020, the Personal Data Protection Authority (“Authority”) imposed an administrative fine on Amazon Turkey on the grounds that the obligation to inform was not fulfilled at any stage of data processing, although personal data began to be processed through cookies as soon as a user entered the website.[6]

The Authority has recently published a draft guideline on cookies explaining the cookies and their types, the rules to be considered according to the cookie usage scenarios, the details of obtaining explicit consent and obligation to inform.[7] The annex of the guideline includes a checklist for the use of cookies, application examples, and examples of appropriate and inappropriate use – all of which should be very useful for all cookie users. It is noteworthy that the practices and rules included in the guide are similar to the European Union regulations.

The guideline also sheds light on the relationship between Law No. 6698 and Law No. 5809, and defines the legal scope of the application of these laws. The Authority remarks that Law No. 5809 is limited to data controller operators; in cases where Law No. 5809 is not specifically regulated, Law No. 6698 could be applied to personal data processing activities through cookie usage. The Guideline has been published as a draft version and opened for public comment, thus the final version may vary.

What is Happening in the European Union?

The European Union’s data privacy regime currently consists of the General Data Protection Regulation (“GDPR”) and the ePrivacy Directive (“ePD”) of 2002. The ePD is an EU directive on data protection and privacy in the digital age.[8] In 2009, the ePD was amended with the addition of regulations regarding cookies and thus, it has been referred to as “the EU Cookie Law” as of that date.

The studies of the Article 29 Data Protection Working Party, and the Planet49 Decision of the European Court of Justice[9] also provide guidance on how consent should be obtained for the use of cookies, how users should be informed regarding cookies, and comprehensively explains mandatory cookies which are not subject to the consent rule.[10] In the recent period, due to the fact that cookie regulations are required to be changed in line with technological developments, the first draft of a new E-Privacy Regulation was published on January 10, 2017, and finalized on February 10, 2021 by the EU Council. This draft provides a different framework from the previous directive and a more comprehensive list of exceptions to cookie usage. However, it is still not certain when the draft will be in force and/or take effect.

In addition to all these developments, the recent decisions of different data protection authorities with regard to the use of cookies demand attention.

On January 6, 2022, the French Data Protection Authority (“CNIL”) announced fines against Google and Facebook due to non-compliance with cookies legislation.[11] As a result of an investigation, CNIL found that while the websites,, and offer a button to immediately accept cookies, they do not offer an equivalent solution enabling the user to refuse cookies as easily. Accordingly, it was judged that the methods of collecting consent proposed to users, along with the lack of clarity of information provided to them, constituted a breach of applicable data protection legislation.

Furthermore, the Austrian Data Protection Authority (“DSB”)[12] recently determined that the use of Google Analytics (a system that uses cookies) by an Austrian website involved the collection and transfer of personal data to Google in the U.S., including user identification numbers, IP addresses and browser parameters. More importantly, DSB concluded that the Standard Contractual Clauses (“SCC”) could not provide an adequate level of protection under the GDPR since the SCCs do not eliminate the possibility of surveillance of, and access to, personal data by U.S. intelligence agencies. Consequently, the transfer of data was deemed to be in breach of the GDPR. Immediately after this decision, the Dutch DPA also declared that there are ongoing investigations regarding the use of Google Analytics that are planned to be concluded in early 2022, and which will help to determine whether the usage of Google Analytics is permitted in the Netherlands.


Recent developments regarding the use of cookies in Turkey, the European Union and the rest of the world are of great interest for both internet users and data controllers. The decisions and perspectives of data protection authorities are certainly a wake-up call to all online website owners as well as third-party service providers. It is obvious that the current developments on cookies must be closely followed, the rules and principles in legislation, decisions and published guides should be strictly followed, and cookie practices should be reviewed without any delay.


All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.

Other Contents

Newsletter Articles
Briefing for the Impact Assesment of the Data Act Has Been Published

In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...

Personal Data Protection 31.07.2022
Newsletter Articles
The Regulation on Protection and Processing of Personal Data by the Social Security Institution

The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...

Personal Data Protection February 2022
Newsletter Articles
A New Era: The Personal Information Protection Law of the People’s Republic of China

The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...

Personal Data Protection February 2022
Newsletter Articles
The Right to Be Forgotten
Personal Data Protection November 2021
Newsletter Articles
Newsletter Articles
Healthcare Sector Publishes a Guideline on Data Protection
Personal Data Protection September 2019
Newsletter Articles
The General Data Protection Regulation in Force
Personal Data Protection May 2018
Newsletter Articles
Destruction of Personal Data
Personal Data Protection November 2017
Newsletter Articles

For creative legal solutions, please contact us.