Privacy Risks in Digital Advertising and Retargeting Under Turkish Law

Introduction

Digital advertising and retargeting have become essential tools for e-commerce companies, mobile applications, online marketplaces, SaaS businesses, hotels, clinics, banks, fintech companies, insurance providers, educational institutions, media platforms, and consumer brands operating in Turkey. Businesses use cookies, pixels, SDKs, device identifiers, advertising IDs, customer match tools, social media audiences, analytics platforms, location-based advertising, profiling systems, and automated campaign tools to reach users across websites, apps, search engines, social media, and third-party networks.

However, digital advertising is not merely a marketing activity. In many cases, it is also a personal data processing activity. When an identified or identifiable user is tracked, profiled, segmented, retargeted, matched with customer databases, or shown personalized advertising based on online behavior, Turkish personal data protection rules may apply.

The main legal framework is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. KVKK applies to personal data processed wholly or partly by automated means or by non-automated means forming part of a data filing system. The law requires personal data to be processed lawfully, fairly, transparently, for specific and legitimate purposes, in a relevant, limited, and proportionate manner, and only for the period required by law or by the processing purpose.

For companies operating in Turkey, digital advertising compliance requires more than placing a general cookie banner on a website. A lawful structure should include clear privacy notices, valid consent mechanisms where necessary, separation of essential and non-essential cookies, proper cookie categorization, vendor and SDK mapping, cross-border transfer assessment, opt-out management, commercial electronic message compliance, data security measures, and respect for data subject rights.

What Is Digital Advertising and Retargeting?

Digital advertising refers to the use of online technologies to deliver advertisements to users through websites, mobile applications, social media platforms, search engines, video platforms, email, SMS, push notifications, and other digital channels. Retargeting, also called remarketing, is a specific form of advertising in which users who previously visited a website, viewed a product, abandoned a cart, clicked an ad, installed an app, or interacted with a brand are targeted again with relevant advertisements.

For example, a user visits an online shoe store, views a pair of shoes, leaves the website, and later sees the same shoes advertised on a social media platform. This retargeting activity may involve cookies, pixels, advertising IDs, browser identifiers, device IDs, IP addresses, user behavior data, and third-party ad platforms.

From a Turkish data protection perspective, the key issue is whether the advertising activity involves personal data. If the data can identify or make a person identifiable, directly or indirectly, KVKK applies. Even if the company does not know the user’s real name, identifiers such as cookie IDs, mobile advertising IDs, login IDs, device IDs, hashed email addresses, IP addresses, and behavioral profiles may still relate to an identifiable person depending on the context.

Why Digital Advertising Creates Privacy Risks

Digital advertising creates privacy risks because it often occurs invisibly, automatically, and across multiple websites, platforms, devices, and vendors. Users may not understand which companies track them, which data is collected, which third parties receive it, how profiles are created, how long data is retained, or how advertising preferences can be controlled.

Retargeting and behavioral advertising may reveal or infer sensitive information. A user who repeatedly visits pages about medical treatments, debt restructuring, fertility services, immigration issues, political content, religious materials, or legal problems may be profiled without realizing it. Even if the advertiser does not directly collect special category data, behavioral patterns may reveal sensitive interests.

Digital advertising also involves complex third-party ecosystems. A website owner may use analytics tools, advertising pixels, social media plugins, demand-side platforms, data management platforms, customer data platforms, attribution tools, consent management tools, tag managers, and mobile SDKs. Each of these parties may process data, set cookies, receive identifiers, or transfer data abroad.

This creates a compliance challenge. The company visible to the user may not be the only entity involved in processing. Under Turkish law, the data controller must understand and explain these data flows rather than simply relying on the technical defaults of advertising vendors.

Cookies, Pixels, SDKs, and Other Tracking Technologies

Cookies are small files stored on a user’s device when they visit a website. They may be used for authentication, shopping cart functionality, language preferences, security, analytics, advertising, and personalization. However, modern digital advertising also uses pixels, mobile SDKs, local storage, device fingerprinting, server-side tracking, conversion APIs, advertising IDs, and customer match tools.

The Turkish Personal Data Protection Authority’s Cookie Practices Guide explains different cookie categories, including strictly necessary cookies, functional cookies, performance/analytics cookies, and advertising/marketing cookies. The guide states that strictly necessary cookies are used for the operation of the website and for services explicitly requested by the user, such as login, forms, or privacy preference storage; it also states that such cookies should not be used for marketing purposes.

The same guide describes advertising and marketing cookies as cookies that track users’ online movements in order to identify personal interests and display advertisements based on those interests. This directly covers many retargeting and behavioral advertising practices.

In practice, companies should not focus only on “cookies” in the narrow technical sense. If pixels, SDKs, fingerprinting techniques, advertising IDs, or similar tools process personal data, they should be assessed under KVKK principles.

Strictly Necessary Cookies vs Advertising Cookies

A central distinction under Turkish practice is between cookies that are strictly necessary for a service requested by the user and cookies used for advertising, marketing, analytics, or personalization beyond what is strictly required.

Strictly necessary cookies may be used to keep a user logged in, maintain a shopping cart, remember privacy preferences, complete a payment process, prevent fraud, or ensure website security. These cookies may often rely on legal bases other than explicit consent, depending on the specific purpose and necessity.

Advertising and marketing cookies are different. They usually track online behavior, create user profiles, measure ad effectiveness, retarget users, or share identifiers with advertising networks. The Turkish Personal Data Protection Board’s Decision No. 2022/1358 stated that while strictly necessary cookies used for proper functioning of a website may not require explicit consent, advertising, marketing, and performance cookies are subject to explicit consent where no other processing condition exists. The same decision emphasized that non-essential cookies should not be activated by default and that consent should be obtained through an opt-in mechanism based on the user’s active action.

This is highly important for e-commerce websites, online marketplaces, media platforms, healthcare websites, education platforms, travel sites, and mobile apps. If advertising cookies are loaded before the user has actively consented, the company may face KVKK risk.

Consent Requirements for Retargeting

Explicit consent under KVKK must be specific, informed, and freely given. A valid retargeting consent mechanism should therefore explain what advertising technologies are used, what data is collected, for what purposes it is processed, whether third-party advertising partners are involved, whether data is transferred abroad, and how consent can be withdrawn.

Consent should not be hidden in general terms and conditions. It should not be bundled with service use unless the advertising activity is genuinely necessary for the requested service, which is rarely the case. Users should be able to reject non-essential advertising cookies without losing access to the main website or service.

The Personal Data Protection Board’s online game-related Decision No. 2023/1645 referred to the Cookie Practices Guide and stated that explicit consent for cookies should be based on the user’s active action, such as an opt-in mechanism. The decision also indicated that a good practice example may include a cookie management panel appearing when the user enters the website, with “accept,” “reject,” and “preferences” buttons presented equally in terms of color, size, and font.

This means that dark patterns are risky. A cookie banner that makes “accept all” bright and easy while hiding “reject” under multiple layers may not reflect freely given consent. A banner that says “by continuing to use this website, you accept cookies” is also risky for non-essential advertising cookies.

Privacy Notices and Cookie Notices

Under KVKK Article 10, data controllers must inform data subjects at the time personal data is obtained about the identity of the controller, processing purposes, transfer recipients and purposes, collection method and legal basis, and Article 11 rights.

The Communiqué on the Obligation to Inform states that the obligation to inform applies whether processing is based on explicit consent or another legal basis, and that informing and explicit consent must be performed separately where processing relies on consent. The Communiqué also requires the purpose of processing to be specified, explicit, and legitimate; it warns against general and ambiguous statements; and it requires clear, plain, and intelligible language.

For digital advertising, this means that a general privacy policy is not enough if it does not clearly explain advertising and tracking practices. A compliant cookie or advertising notice should identify cookie categories, purposes, retention periods, whether cookies are first-party or third-party, third-party providers, legal bases, cross-border transfers, and user rights.

The Board’s Decision No. 2023/1645 also stated that cookie notices should include the cookie name, purpose, duration, and whether the cookie is first-party or third-party.
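The two checks described above (no non-essential cookie before an active opt-in, and a notice entry with name, purpose, duration, and party for every cookie) can be run against a recorded page load. The following is an added example, not taken from the Authority's guide or any vendor tool; the cookie names, the inventory layout, and the event format are constructed for illustration, and it assumes that every category other than strictly necessary is gated behind opt-in.

```python
"""Audit a recorded page load against a cookie inventory (constructed data)."""

REQUIRED_NOTICE_FIELDS = ("name", "purpose", "duration", "party")
NECESSARY = "strictly_necessary"

# Constructed inventory; cookie names and purposes are hypothetical.
INVENTORY = [
    {"name": "session_id", "category": NECESSARY, "purpose": "login session",
     "duration": "session", "party": "first"},
    {"name": "consent_prefs", "category": NECESSARY,
     "purpose": "stores privacy choices", "duration": "6 months",
     "party": "first"},
    {"name": "_perf_v", "category": "performance", "purpose": "page analytics",
     "duration": "13 months", "party": "third"},
    {"name": "_adx_uid", "category": "advertising", "purpose": "retargeting",
     "duration": "", "party": "third"},  # duration left empty on purpose
]

# Constructed capture of one visit. A "consent" event lists the categories
# the visitor actively opted in to; a later one replaces the earlier choice.
EVENTS = [
    {"t": 0, "type": "set_cookie", "name": "session_id"},
    {"t": 120, "type": "set_cookie", "name": "_adx_uid"},     # before any choice
    {"t": 130, "type": "set_cookie", "name": "_mystery_px"},  # not in inventory
    {"t": 4200, "type": "consent", "granted": ["performance"]},
    {"t": 4300, "type": "set_cookie", "name": "_perf_v"},
    {"t": 4310, "type": "set_cookie", "name": "_adx_uid"},    # category rejected
]


def notice_gaps(inventory):
    """Return {cookie name: [missing notice fields]} for incomplete entries."""
    gaps = {}
    for entry in inventory:
        missing = [f for f in REQUIRED_NOTICE_FIELDS
                   if not str(entry.get(f, "")).strip()]
        if missing:
            gaps[entry.get("name") or "<unnamed>"] = missing
    return gaps


def audit_events(inventory, events):
    """Return (time_ms, cookie, reason) for each cookie set without opt-in."""
    category = {e["name"]: e["category"] for e in inventory}
    granted = set()       # nothing is granted until the visitor acts
    consent_seen = False
    findings = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "consent":
            granted = set(ev["granted"])
            consent_seen = True
            continue
        if ev["type"] != "set_cookie":
            continue
        name = ev["name"]
        cat = category.get(name)
        if cat is None:
            findings.append((ev["t"], name, "unmapped"))
        elif cat == NECESSARY:
            continue
        elif not consent_seen:
            findings.append((ev["t"], name, "set_before_consent"))
        elif cat not in granted:
            findings.append((ev["t"], name, "category_not_granted"))
    return findings


if __name__ == "__main__":
    for name, missing in notice_gaps(INVENTORY).items():
        print(f"notice incomplete for {name}: missing {', '.join(missing)}")
    for t, name, reason in audit_events(INVENTORY, EVENTS):
        print(f"t={t}ms {name}: {reason}")
```

An "unmapped" finding is the case the vendor-mapping step is meant to catch: a cookie that appears in the browser but in no inventory or notice.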

First-Party and Third-Party Advertising Risks

First-party advertising occurs when a company uses data collected directly from its own website, app, CRM, or customer database. Third-party advertising involves external advertising networks, social media platforms, analytics providers, data brokers, affiliate networks, or programmatic advertising systems.

Third-party advertising creates higher transparency and transfer risks. A user visiting a Turkish website may have identifiers shared with global ad platforms, analytics providers, or social media networks. These vendors may use data for campaign measurement, retargeting, audience creation, lookalike modeling, conversion tracking, fraud prevention, or their own advertising services.

The Board’s Decision No. 2023/1645 is important because it noted that where third-party cookies are placed on a website, both the website owner and the third party must ensure that users are clearly informed and that their consent is obtained. The same decision also considered that where websites operating in Turkey use cookies through companies established abroad and thereby transfer personal data abroad, the transfer must comply with Article 9 of KVKK.

Therefore, businesses should not assume that advertising vendors alone are responsible. A website owner that embeds third-party pixels or SDKs must understand and disclose the resulting data flows.

Retargeting and Customer Match

Retargeting may occur through website pixels, mobile SDKs, abandoned cart triggers, CRM remarketing, email lists, hashed customer data, or platform-based custom audiences. Customer match tools are especially sensitive because they may involve uploading email addresses, phone numbers, or customer identifiers to advertising platforms to match users and serve targeted ads.

Even if email addresses or phone numbers are hashed before upload, this does not automatically remove the activity from KVKK. If the advertising platform can match the hashed data to identifiable users, personal data processing may still occur. The company must identify a lawful basis, inform users, assess whether consent is needed, and evaluate cross-border transfers.

Customer match should not be used merely because the marketing team has a customer list. The company should ask whether the customer gave permission for advertising use, whether the privacy notice covers such use, whether the data will be transferred to a third-party platform, whether the platform is abroad, and whether users can object or withdraw consent.
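The following added example (not code from any advertising platform or from the original article) shows why a hashed upload remains linkable and how a consent gate can sit in front of it. It assumes unsalted SHA-256 over a trimmed, lower-cased email address; the CRM field names, email addresses, and account IDs are constructed.

```python
import hashlib


def hash_email(email):
    """Normalise (trim, lower-case) and hash an address with SHA-256."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed CRM rows; the field names are hypothetical.
CRM = [
    {"email": "Ayse@example.com ", "ads_consent": True, "withdrawn": False},
    {"email": "mehmet@example.com", "ads_consent": False, "withdrawn": False},
    {"email": "zeynep@example.com", "ads_consent": True, "withdrawn": True},
    {"email": "can@example.org", "ads_consent": True, "withdrawn": False},
]

# Constructed view of what the receiving platform already holds:
# its own users' email addresses and account IDs.
PLATFORM_ACCOUNTS = {
    "ayse@example.com": "acct-1001",
    "mehmet@example.com": "acct-1002",
    "deniz@example.net": "acct-1003",
}


def build_upload(crm):
    """Hash only customers with recorded, unwithdrawn advertising consent.

    Returns (sorted list of hashes, number of rows excluded by the gate).
    """
    eligible = [r for r in crm if r["ads_consent"] and not r["withdrawn"]]
    hashes = sorted({hash_email(r["email"]) for r in eligible})
    return hashes, len(crm) - len(eligible)


def platform_match(uploaded_hashes, accounts):
    """Recipient side: hash the emails it already knows and join on the hash.

    The hash is deterministic, so it works as a shared identifier for any
    party that holds the same address in clear text.
    """
    index = {hash_email(email): acct for email, acct in accounts.items()}
    return sorted(index[h] for h in uploaded_hashes if h in index)


if __name__ == "__main__":
    upload, excluded = build_upload(CRM)
    print(f"uploading {len(upload)} hashes, {excluded} rows held back")
    print("accounts the platform can link:",
          platform_match(upload, PLATFORM_ACCOUNTS))
```

Without the gate in `build_upload`, the customer who never gave advertising consent would be matched to an account as well, even though only hashes left the company.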

Profiling and Automated Advertising Decisions

Digital advertising often involves profiling. Users may be placed into segments such as “frequent buyer,” “luxury traveler,” “health interest,” “debt-related content visitor,” “new parent,” “student,” “high value customer,” “cart abandoner,” “loan seeker,” or “cosmetic surgery interest.” These profiles may influence what advertisements the user sees, what offers are presented, and how frequently the user is targeted.

KVKK Article 11 gives data subjects the right to object to a result that arises against them from the analysis of processed data solely through automated systems.

Not every advertising profile will necessarily create a legally significant adverse result. However, profiling may become higher risk if it affects prices, credit offers, insurance offers, financial products, access to services, health-related targeting, employment-related ads, or vulnerable groups. Companies should therefore assess whether their advertising algorithms produce results that could negatively affect individuals.

Location-Based Advertising

Location-based advertising uses GPS data, Wi-Fi data, IP-derived location, beacons, store visits, mobility patterns, or geofencing to target users. This creates serious privacy risks because location data may reveal home, workplace, school, hospital visits, religious places, political events, family routines, or private relationships.

If location data is used for advertising or retargeting and is not necessary for a user-requested service, explicit consent will often be required. Location-based advertising should be clearly separated from ordinary service delivery. For example, a delivery app may need location for delivery, but using the same location history to target unrelated advertisements requires separate assessment.

Companies should avoid continuous background location tracking unless strictly necessary. Approximate location should be preferred where precise coordinates are not required. Retention periods should be short and purpose-based.

Children and Vulnerable Users

Advertising to children creates heightened privacy and consumer protection concerns. Children may not understand tracking, profiling, retargeting, influencer marketing, in-app advertising, or behavioral targeting. Even where a service is not specifically designed for children, companies should consider whether children are likely to use the platform.

Digital advertising based on children’s behavior should be avoided or subject to extremely strict safeguards. Child-friendly notices, parental involvement, privacy-protective defaults, and data minimization are essential. Behavioral advertising using children’s data may be difficult to justify under Turkish data protection principles.

Vulnerable groups, such as patients, debtors, elderly users, employees, students, or individuals seeking legal or medical assistance, also require careful treatment. Advertising systems should not exploit sensitive situations or infer highly private conditions.

Commercial Electronic Messages and İYS

Digital advertising is not limited to cookies and pixels. Promotional emails, SMS messages, phone calls, and certain commercial notifications are also regulated. In Turkey, the İleti Yönetim Sistemi (İYS) is the central system for managing commercial electronic message permissions.

The Ministry of Trade states that İYS creates a central structure where citizens’ communication approvals are collected, allowing individuals to view, control, and exercise rejection rights from a single point. The Ministry also states that İYS provides service providers with legal security regarding proof obligations in permission management and enables citizens to easily grant or remove permissions.

This is important for retargeting campaigns that extend into email, SMS, or call-based promotions. A user who consents to advertising cookies has not necessarily consented to promotional SMS. A user who accepts email marketing has not necessarily consented to behavioral tracking. These permissions should be managed separately.

Cross-Border Transfers in Digital Advertising

Most digital advertising ecosystems involve foreign technology providers. Social media pixels, analytics tools, ad servers, mobile SDKs, customer data platforms, tag managers, attribution tools, and programmatic advertising platforms may transfer data abroad or allow access from abroad.

KVKK Article 9 was amended by Law No. 7499, and the Turkish Personal Data Protection Authority announced English translations of the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and standard contract texts in August 2024. Under the amended Article 9, standard contracts must be notified to the Authority within five business days following signature.

For digital advertising, this means that using foreign advertising vendors is not only a marketing procurement issue. Companies must map which personal data is transferred, which parties receive it, which countries are involved, whether the transfer is controller-to-controller or controller-to-processor, whether onward transfers occur, and which Article 9 mechanism applies.

The Board’s Decision No. 2023/1645 specifically highlighted that where cookies used through foreign companies result in transfers abroad, those transfers must comply with Article 9.

Data Security and Vendor Management

Advertising data must be protected with adequate technical and organizational measures. KVKK Article 12 requires data controllers to take all necessary measures to prevent unlawful processing, prevent unlawful access, and ensure the protection of personal data. Where personal data is processed by another person on behalf of the controller, the controller is jointly responsible with that person for security measures.

In digital advertising, practical security measures include access controls in ad platforms, limited administrator permissions, multi-factor authentication, restricted customer list uploads, secure API integrations, vendor due diligence, tag governance, audit logs, consent management, deletion of old audiences, and review of third-party SDK permissions.

Marketing teams should not freely upload customer databases into advertising platforms without legal review. Agencies should not receive full customer lists unless necessary and contractually controlled. Tag managers should be governed by approval workflows so that new pixels are not added without privacy assessment.

Retention and Deletion of Advertising Data

Advertising data should not be retained indefinitely. Audience lists, remarketing pools, abandoned cart segments, campaign logs, pixel events, mobile advertising IDs, analytics identifiers, and customer match files should have defined retention periods.

KVKK requires personal data to be retained only for the period required by law or the processing purpose. Data subjects also have the right to request erasure or destruction under Article 7 conditions.

Businesses should regularly review old remarketing audiences, inactive marketing segments, outdated customer match lists, and historical analytics exports. If data is no longer needed for the campaign, legal proof, reporting, or legitimate business purpose, it should be deleted, destroyed, or anonymized.

Common Privacy Mistakes in Digital Advertising

One common mistake is activating advertising cookies before consent. Another is treating all cookies as “necessary” even when they are used for marketing, profiling, or analytics.

A third mistake is using cookie banners that make rejection difficult. If “accept all” is easy but “reject all” is hidden, consent may be challenged.

A fourth mistake is failing to identify third-party advertising providers. A company may know that it uses “marketing tools” but not know which vendors receive data, where servers are located, or whether data is transferred abroad.

A fifth mistake is uploading customer lists to advertising platforms without informing customers or assessing legal basis. A sixth mistake is using location data for advertising without separate consent. A seventh mistake is sending promotional SMS or email based on cookie consent alone.

Another frequent mistake is failing to update privacy notices when new pixels, SDKs, analytics tools, or advertising platforms are added. Marketing technology changes quickly; privacy documentation must change with it.

Practical Compliance Checklist for Digital Advertising in Turkey

A company conducting digital advertising or retargeting in Turkey should:

  1. Map all cookies, pixels, SDKs, tags, and advertising tools.
  2. Identify which tools process personal data.
  3. Separate strictly necessary cookies from analytics, functional, advertising, and marketing cookies.
  4. Keep non-essential advertising cookies inactive until valid consent is obtained, where required.
  5. Use an opt-in consent mechanism for advertising and marketing cookies.
  6. Present “accept,” “reject,” and “preferences” options fairly.
  7. Prepare a clear cookie notice and advertising privacy notice.
  8. Include cookie name, purpose, duration, and first-party or third-party status.
  9. Identify all advertising vendors and data recipients.
  10. Assess whether vendors are controllers or processors.
  11. Map cross-border transfers.
  12. Implement Article 9 transfer mechanisms where required.
  13. Separate cookie consent from commercial electronic message consent.
  14. Manage SMS, email, and call permissions through İYS where applicable.
  15. Avoid behavioral advertising to children or vulnerable users.
  16. Limit location-based advertising and obtain explicit consent where required.
  17. Review customer match and custom audience uploads.
  18. Define retention periods for advertising audiences and campaign data.
  19. Implement access controls for advertising platforms.
  20. Audit tags and marketing tools periodically.

Legal Consequences of Non-Compliance

Non-compliance with digital advertising privacy rules may lead to complaints before the Turkish Personal Data Protection Authority, administrative fines, orders to revise cookie practices, orders to stop unlawful processing, reputational harm, consumer complaints, and contractual disputes with advertising partners or agencies.

Risk increases when companies process large-scale behavioral data, use third-party tracking tools, transfer data abroad, target vulnerable groups, use location data, or fail to obtain explicit consent for advertising cookies. The Board’s cookie-related decisions show that the Authority expects opt-in consent, clear notices, proper cookie categorization, and compliance with cross-border transfer rules for foreign third-party cookies.

Conclusion

Privacy risks in digital advertising and retargeting under Turkish law are significant because advertising technologies often process personal data invisibly, automatically, and through complex third-party ecosystems. Cookies, pixels, SDKs, advertising IDs, customer match tools, location data, and profiling systems may all trigger KVKK obligations.

The key compliance principles are transparency, lawful basis, explicit consent where required, purpose limitation, data minimization, proportionality, data security, limited retention, vendor governance, and cross-border transfer compliance. Businesses should not assume that advertising technology providers handle all legal responsibility. A company that places pixels on its website, integrates SDKs into its app, uploads customer lists to ad platforms, or activates retargeting campaigns must understand and govern the personal data flows it creates.

Turkish practice makes a clear distinction between strictly necessary cookies and advertising or marketing cookies. Non-essential advertising cookies should not be activated by default where explicit consent is required; consent should be based on an active user action and supported by clear, accessible, and specific information.

For businesses operating in Turkey, digital advertising compliance is not a barrier to marketing. It is a framework for trustworthy, transparent, and sustainable marketing. Companies that implement proper consent management, clear cookie notices, vendor controls, İYS-compliant communication permissions, cross-border transfer safeguards, and regular audits can reduce legal risk while maintaining effective digital advertising strategies.
