Cookie Consent and Website Tracking Rules Under Turkish Law

Introduction

Cookie consent and website tracking rules under Turkish law have become a major compliance issue for companies operating websites, mobile applications, e-commerce platforms, online marketplaces, SaaS products, digital media services, advertising networks, fintech platforms, and online games targeting users in Turkey. Cookies and similar tracking technologies are no longer viewed as merely technical tools. They may involve the processing of personal data, profiling of users, monitoring of browsing behavior, creation of advertising segments, measurement of website performance, storage of preferences, fraud prevention, and even cross-border data transfers.

Turkey’s main personal data protection legislation is Law No. 6698 on the Protection of Personal Data, commonly known as KVKK. The law applies to natural persons whose personal data are processed and to natural or legal persons processing such data fully or partly by automated means or by non-automated means forming part of a data filing system. Its stated purpose is to protect fundamental rights and freedoms, especially the right to privacy, and to regulate obligations, principles, and procedures for persons processing personal data.

Although KVKK does not contain a separate article titled “cookies,” the Turkish Personal Data Protection Authority has published a detailed Guide on Cookie Practices. The Guide explains how cookies should be assessed when personal data is processed through website or application technologies. It also classifies cookies according to duration, purpose, and party, and provides practical guidance on when explicit consent may be required.

For businesses, the central question is not simply whether a website uses cookies. The real legal questions are: What data is collected through cookies? Is the data personal data? What is the purpose of each cookie? Is the cookie strictly necessary? Is explicit consent required? Has the user been properly informed? Are third-party cookies involved? Is data transferred abroad? Are cookie preferences recorded and respected? These questions determine whether a website tracking system is compliant under Turkish law.

What Are Cookies Under Turkish Law?

Cookies are small text files placed on a user’s browser, device, or application environment when the user visits a website or uses an online service. They may help maintain sessions, remember preferences, authenticate users, keep shopping carts active, measure website performance, analyze traffic, prevent fraud, or display personalized advertising.

The KVKK Cookie Guide uses the term “website” broadly to include desktop websites, mobile websites, and web applications. It also explains that cookies may be session-based or persistent. Session cookies are used to maintain continuity during a browsing session and are deleted when the user closes the browser. Persistent cookies are not deleted when the browser is closed; they are automatically deleted at a specific date or after a certain period and may be used to transmit user-related data to the server each time the user visits the site.

This distinction is important for compliance. A session cookie that keeps a user logged in during a single session may be legally easier to justify than a persistent advertising cookie that tracks browsing behavior over months. A persistent cookie can be useful for remembering login details or preferences, but it can also create tracking and profiling risks.

When Do Cookies Become a KVKK Issue?

Cookies become a KVKK issue when they process personal data. Personal data under KVKK means any information relating to an identified or identifiable natural person. KVKK also defines explicit consent as freely given, specific, and informed consent.

In practice, cookies may process personal data even if they do not directly collect a user’s name or ID number. Cookie IDs, device identifiers, IP addresses, advertising IDs, session IDs, location indicators, browser fingerprints, behavioral patterns, login information, and analytics identifiers may become personal data if they relate to an identifiable user. This is especially relevant when tracking data is combined with account data, CRM records, purchase history, marketing profiles, device information, or third-party advertising data.

Therefore, companies should avoid the assumption that cookies are outside privacy law because they are “technical.” If a cookie identifies or can reasonably be linked to a person, KVKK principles and obligations may apply.

Core KVKK Principles for Cookie Use

Cookie-based processing must comply with the general principles of KVKK. Personal data must be processed lawfully and fairly, must be accurate and kept up to date where necessary, must be processed for specified, explicit, and legitimate purposes, must be relevant, limited, and proportionate to those purposes, and must be stored only for the period laid down by law or required for the processing purpose.

These principles apply directly to website tracking. A website should not load unnecessary tracking tools by default. It should not use vague cookie descriptions. It should not retain tracking identifiers longer than necessary. It should not classify advertising cookies as “necessary” merely because the business finds advertising commercially useful. It should not use third-party scripts without understanding what data they collect, where they transfer it, and how long they retain it.

The principle of proportionality is particularly important. A website may need a session cookie to keep a user logged in or a shopping cart cookie to maintain products during checkout. However, tracking a user across multiple websites for behavioral advertising is a far more intrusive activity and usually requires stronger legal justification and explicit user control.

Types of Cookies Under Turkish Practice

The KVKK Cookie Guide classifies cookies in several ways. By duration, cookies may be session cookies or persistent cookies. By party, they may be first-party cookies or third-party cookies. First-party cookies are placed by the website the user visits, while third-party cookies are placed by a domain different from the visited website.

By purpose, the Guide refers to strictly necessary cookies, functional cookies, performance or analytics cookies, and advertising or marketing cookies. Strictly necessary cookies are required for the website to function or for the information society service clearly requested by the user, such as login, form completion, or remembering privacy preferences. The Guide states that if strictly necessary cookies are blocked, certain parts of the website will not work, and these cookies should not be used for marketing purposes.

Functional cookies are used for personalization and remembering preferences in websites or applications. Where it is not clear that the user has explicitly requested the relevant information society service, reliance on explicit consent may be required. Performance or analytics cookies are used to statistically measure and analyze user behavior on websites, including website improvement and sometimes measuring the effect of advertising. Advertising or marketing cookies are used to track online movements, identify interests, profile users, and show relevant ads.

This classification is crucial because the legal basis may differ by cookie category. A necessary cookie may be placed without explicit consent if it is strictly required for the requested service. An advertising cookie used for behavioral profiling will generally require explicit consent.

Strictly Necessary Cookies

Strictly necessary cookies are the lowest-risk category when properly used. They support essential website functions such as authentication, session continuity, fraud prevention, security, load balancing, form submission, shopping cart continuity, and remembering cookie preferences.

For example, an e-commerce website may use a session cookie to keep products in a shopping cart during checkout. A banking website may use authentication cookies to verify the user during a secure session. A website may use a cookie to remember whether the user rejected advertising cookies, because respecting privacy preferences is itself necessary for compliance.

However, the label “strictly necessary” must not be abused. A cookie is not strictly necessary simply because it is useful to the company. A marketing pixel, social media tracker, analytics tool, or advertising network cookie should not be placed in the necessary category merely because the company wants to measure conversion or increase sales.

The KVKK Board’s 2023/1645 decision summary is important in this respect. It emphasized that when personal data is processed through cookies, the Guide’s criteria should be considered; where explicit consent is required, consent should be based on an active action such as an opt-in method, and a cookie management panel with equally presented “accept,” “reject,” and “preferences” buttons may be a good practice.

Functional Cookies

Functional cookies improve user experience by remembering language settings, region preferences, display preferences, saved choices, or personalization settings. Some functional cookies may be connected to a service clearly requested by the user, while others may not be strictly necessary.

For example, a cookie that remembers privacy preferences may be treated differently from a cookie that remembers optional personalization preferences for future visits. If the user clearly asks the website to remember a preference, the legal basis may be stronger. But if the website uses personalization cookies automatically without a clear user request, explicit consent may be necessary.

Companies should therefore review functional cookies individually. It is not sufficient to group all functional cookies into one category and activate them by default. The correct approach is to ask whether each cookie is necessary for a service requested by the user or whether it is merely convenient for the website operator.

Analytics and Performance Cookies

Analytics cookies are widely used to measure website traffic, understand user behavior, identify popular pages, detect technical problems, and improve services. They may appear less intrusive than advertising cookies, but they can still process personal data, especially where they use persistent identifiers, track users across sessions, or involve third-party providers.

The KVKK Cookie Guide describes performance and analytics cookies as cookies that allow statistical measurement of user behavior on websites, often for improving the site and sometimes for measuring the effect of advertisements. It gives examples such as estimating the number of unique visitors, identifying important search engine keywords leading to a page, and monitoring browsing behavior.

Analytics cookies require careful classification. A first-party analytics cookie that produces only aggregated anonymous statistics and does not track users across websites may be easier to justify than a third-party analytics tool that combines website behavior with advertising profiles. The Cookie Guide’s sample policy also indicates that a first-party analytics cookie used only to generate anonymous statistics and not for cross-site tracking may be distinguished from advertising cookies.

In practice, companies should assess whether analytics cookies are first-party or third-party, whether IP masking is used, whether data is aggregated, whether users are tracked across sites, whether data is transferred abroad, and whether the analytics provider uses the data for its own purposes. Where analytics is not strictly necessary and involves personal data, explicit consent may be the safer legal basis.

Advertising and Marketing Cookies

Advertising and marketing cookies are the most sensitive category in ordinary website tracking. They are used to track online movements, identify interests, create profiles, retarget users, measure conversions, and show personalized ads. The KVKK Cookie Guide explains that behavioral advertising involves tracking individuals’ online activities, analyzing and profiling those activities, matching profiled individuals with suitable advertisements, and showing the relevant ads to them.

Because advertising cookies generally involve profiling and third-party tracking, explicit consent is usually required. These cookies should not be activated before the user gives valid consent. They should not be bundled into necessary cookies. They should not be presented through manipulative design. The user should be able to reject them as easily as accepting them.

The KVKK Board’s 2022/229 decision summary concerning an e-commerce company is instructive. The complaint argued that the cookie policy was intrusive, unclear, and insufficient; that reliance on legitimate interest was not legally possible for the relevant cookie use; and that personal data was transferred abroad through website or mobile application cookies without the data subject’s explicit consent under the then-applicable Article 9 framework.

Advertising cookies also create contractual and vendor-management risks. A website operator may integrate social media pixels, advertising networks, demand-side platforms, affiliate trackers, or remarketing scripts. These third parties may process data for their own purposes, combine data with other sources, and transfer data abroad. The website operator should understand and disclose these data flows.

Cookie Banners Under Turkish Law

A compliant cookie banner should not be designed merely to obtain the fastest possible “accept all.” It should help users make a free, informed, and specific choice.

Good practice under Turkish guidance includes presenting a cookie management panel when the user enters the website and offering “accept,” “reject,” and “preferences” options with equal prominence in color, size, and font. Where consent is required, it should be based on an active user action, such as opt-in.

This means that pre-ticked boxes, implied consent, “by continuing to browse you consent,” cookie walls without alternatives, hidden reject buttons, deceptive colors, or multi-step rejection processes may create compliance risk. If accepting is easy but rejecting is difficult, consent may not be freely given.

A strong cookie banner should include a short first-layer notice and a detailed second-layer cookie panel. The first layer may briefly explain the categories of cookies and provide choices. The second layer should allow users to manage categories and access a detailed cookie policy. Non-essential cookies should not be placed before consent.

Cookie Policy Requirements

A cookie policy should be specific, accurate, and understandable. It should not be copied from another website. It should reflect the actual cookies and tracking technologies used by the website or application.

The KVKK Board’s 2023/1645 decision summary states that it would be appropriate for the notice to clearly include the cookie name, purpose, duration, and whether it is first-party or third-party.

A proper cookie policy should therefore include at least the following information: the identity of the data controller, cookie categories, cookie names, purposes, legal bases, duration, first-party or third-party status, recipients or recipient groups, whether data is transferred abroad, how the user can manage preferences, and how the user may exercise data subject rights.

This is consistent with the general obligation to inform under KVKK Article 10, which requires data controllers to inform data subjects about the controller’s identity, processing purposes, transfer recipients and purposes, method and legal basis of collection, and data subject rights.

The Communiqué on the Obligation to Inform further requires the obligation to inform to be fulfilled regardless of whether processing is based on explicit consent or another processing condition. It also states that where processing is based on explicit consent, informing and obtaining consent must be performed separately, and that the notice must use intelligible, clear, and plain language.

Explicit Consent for Cookies

Explicit consent under KVKK must be freely given, specific, and informed. In the cookie context, this means the user must know what they are consenting to and must actively choose to permit non-essential processing.

Consent should be granular. Users should be able to consent separately to analytics, functional, and advertising cookies where appropriate. A single “accept all cookies” button may be available, but it should not be the only practical choice. A “reject all” button should be equally visible where non-essential cookies are involved.

Consent records should be retained. A company should be able to prove which cookie notice was shown, what choices were offered, when the user consented, what categories were accepted, and whether consent was later withdrawn. This evidence may be important in a KVKK investigation.

Consent must also be withdrawable. Users should be able to change their cookie preferences later through an accessible cookie settings link. Withdrawal should be as easy as giving consent. After withdrawal, non-essential cookies should stop being placed and, where technically possible, existing non-essential cookies should be removed or disabled.

First-Party and Third-Party Cookies

First-party cookies are placed by the website visited by the user. Third-party cookies are placed by a different domain. Third-party cookies create higher risk because the website operator may not fully control how the third party uses the data.

The KVKK Board’s 2023/1645 decision summary emphasized that where third-party cookies are placed on a website, both the website owner and the third party must ensure users are clearly informed about cookies and consent is obtained. It also noted that where cookies used by websites operating in Turkey through foreign-based companies involve transfer abroad, the transfer must comply with Article 9.

This is highly relevant for advertising networks, social media plugins, embedded videos, chat widgets, analytics providers, heatmap tools, A/B testing tools, customer support tools, and affiliate tracking services. A website operator should not integrate third-party scripts without a legal and technical review.

Cross-Border Data Transfers Through Cookies

Many cookie tools transfer data abroad. Foreign analytics providers, advertising platforms, cloud-based tag managers, social media pixels, and global marketing tools may receive IP addresses, device IDs, cookie IDs, behavior data, page visit information, and conversion data outside Turkey.

Article 9 of KVKK was amended in 2024. Under the amended rule, personal data may be transferred abroad if one of the processing conditions under Article 5 or Article 6 is met and there is an adequacy decision. In the absence of an adequacy decision, transfers may be possible if data subjects have enforceable rights and effective legal remedies in the recipient country and one of the appropriate safeguards is provided, such as binding corporate rules, standard contracts, or written commitments approved by the Board.

The Turkish Personal Data Protection Authority announced in August 2024 that English translations of the By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad and standard contract texts were available, following the amendment of Article 9 by Law No. 7499.

For websites, this means that cookie compliance is not complete merely by adding a banner. The website owner should also map whether cookie-related personal data is transferred abroad and whether the Article 9 mechanism is properly implemented. Third-party advertising and analytics tools must be reviewed carefully.

Website Tracking Beyond Cookies

Cookie compliance should not be limited to traditional browser cookies. Similar tracking technologies may also process personal data. These include pixels, SDKs, local storage, session storage, device fingerprinting, tracking scripts, social media plugins, mobile advertising IDs, push notification tokens, tracking links, embedded content, and server-side tracking.

The legal analysis should focus on function, not terminology. If a technology identifies or tracks a user, records behavior, stores identifiers, profiles interests, or transfers personal data to third parties, it should be included in the website tracking inventory.

This is particularly important for mobile apps and modern marketing systems. A mobile SDK used for analytics or advertising may operate similarly to a cookie, even though it is not technically a browser cookie. A server-side conversion API may transfer behavioral data to an advertising platform even if fewer browser cookies are used. These tools still require KVKK analysis.

Data Subject Rights and Cookie Tracking

Users whose personal data is processed through cookies have data subject rights under KVKK Article 11. These include the right to learn whether their personal data is processed, request information, learn the purpose of processing, know third parties to whom data is transferred in Turkey or abroad, request correction of inaccurate data, request erasure or destruction under legal conditions, object to certain results arising from automated analysis, and claim compensation for unlawful processing.

A website should provide a practical method for users to exercise these rights. The cookie policy or privacy notice should explain how users can contact the data controller. Customer support and legal teams should understand that a cookie-related inquiry may be a KVKK application.

For example, a user may ask which tracking technologies were used, whether their data was transferred to advertising partners, how to withdraw consent, or how to delete identifiers. The company should be able to respond based on a real cookie inventory.

Data Security in Website Tracking

KVKK Article 12 requires data controllers to take all necessary technical and organizational measures to prevent unlawful processing, prevent unlawful access, and ensure protection of personal data. If processing is carried out by another natural or legal person on behalf of the controller, the controller is jointly responsible with that person for taking these measures.

In website tracking, data security means more than protecting the main database. Companies should control tag managers, scripts, analytics dashboards, advertising accounts, API keys, customer data platforms, consent management platforms, and access permissions. Unauthorized scripts can collect personal data without the company’s knowledge. Poor access controls in marketing tools may expose user data. Misconfigured tags may send excessive data to third parties.

Practical security measures include script approval workflows, tag manager access controls, periodic cookie scans, vendor due diligence, domain allowlisting, secure configuration of analytics tools, limited user permissions, audit logs, and regular review of third-party scripts.

Retention and Deletion of Cookie Data

Cookie data should not be stored indefinitely. KVKK Article 7 requires personal data to be erased, destroyed, or anonymized when the reasons requiring processing no longer exist, even if the data was originally processed lawfully.

Cookie retention periods should be purpose-based. Session cookies should generally expire when the browser session ends. Privacy preference cookies may need to remain longer to remember user choices. Advertising cookies should have a clearly justified duration, and unnecessarily long retention periods may be difficult to defend. Analytics data should be aggregated or anonymized where possible.

The cookie policy should disclose cookie durations accurately. If a third-party advertising cookie remains active for 365 days, the user should be informed. If analytics data is retained in an external dashboard for a longer period, this should be included in the broader privacy analysis.

Common Compliance Mistakes

The first common mistake is loading non-essential cookies before consent. Advertising cookies, third-party analytics cookies, retargeting pixels, and behavioral profiling tools should not be active before valid consent where consent is required.

The second mistake is providing only an “accept all” button without an equally visible reject option. This weakens the argument that consent is freely given.

The third mistake is using vague categories such as “improvement cookies” without explaining cookie names, purposes, durations, and third-party status.

The fourth mistake is classifying advertising or analytics cookies as strictly necessary. A cookie is not necessary merely because it is useful for revenue, marketing, or performance reporting.

The fifth mistake is failing to disclose cross-border transfers. If third-party tools transfer cookie data abroad, the privacy notice and transfer mechanism should reflect this.

The sixth mistake is ignoring mobile SDKs, pixels, local storage, tag managers, and server-side tracking. These technologies may involve the same legal risks as cookies.

The seventh mistake is copying a generic cookie policy. A cookie policy should be based on the website’s real technologies.

The eighth mistake is failing to keep consent logs. In a regulatory dispute, the data controller must be able to prove compliance.

Practical Cookie Compliance Checklist for Websites in Turkey

A website operator should first conduct a cookie and tracking audit. This audit should identify all cookies, pixels, SDKs, scripts, local storage items, analytics tools, advertising tools, embedded content, and tag manager configurations.

Second, each cookie or tracker should be categorized by purpose, duration, party, provider, data category, legal basis, and transfer destination.

Third, strictly necessary cookies should be separated from functional, analytics, and advertising cookies.

Fourth, non-essential cookies should be blocked until valid consent is obtained.

Fifth, the cookie banner should provide clear choices, including accept, reject, and preferences options with equal prominence.

Sixth, a detailed cookie policy should list cookie names, purposes, durations, first-party or third-party status, and legal bases.

Seventh, privacy notices should explain data controller identity, processing purposes, recipient groups, transfer purposes, collection method, legal basis, and data subject rights.

Eighth, consent records should be stored securely.

Ninth, users should be able to withdraw or change preferences easily.

Tenth, third-party vendors should be reviewed contractually and technically.

Eleventh, cross-border transfers should be assessed under Article 9, especially for foreign analytics and advertising tools.

Twelfth, cookie practices should be reviewed regularly because marketing teams often add new scripts over time.

Special Considerations for E-Commerce Websites

E-commerce websites usually involve more complex tracking than ordinary corporate websites. They may use cart cookies, login cookies, payment security tools, fraud prevention scripts, product recommendation engines, abandoned cart tools, retargeting pixels, affiliate tracking, conversion APIs, heatmap tools, customer support chat widgets, and personalized marketing systems.

Some cookies may be necessary for checkout, payment, or security. Others may require explicit consent. For example, a cart continuity cookie may be necessary for contract performance, while a retargeting pixel used to show ads after the user leaves the site generally requires consent.

E-commerce businesses should also ensure that cookie choices are not merged with commercial electronic message permissions. Consent to receive promotional emails or SMS messages is not the same as consent to advertising cookies. Each processing activity should have its own legal basis and consent record where required.

Special Considerations for Online Advertising and Media Companies

Digital media companies, publishers, advertising networks, and online content platforms often rely heavily on third-party advertising technologies. These businesses should pay particular attention to profiling, behavioral advertising, real-time bidding, audience segments, and third-party data sharing.

Where multiple parties participate in advertising data flows, roles must be assessed carefully. A publisher may be a controller for certain website tracking activities. An advertising network may be an independent controller for its own profiling activities. A technology vendor may be a processor in one context and a controller in another. The cookie policy should not obscure these roles.

Companies should avoid using broad statements such as “we use cookies to improve your experience” when the real activity involves third-party behavioral advertising. Transparency is essential.

Enforcement Risk and Board Decisions

The Turkish Personal Data Protection Board has issued several cookie-related decision summaries that show the Authority’s approach. In the 2022/1358 decision summary, the complaint concerned a website where users allegedly were not informed about cookie processing and where explicit consent was not obtained for non-essential cookies.

In the 2022/229 decision summary concerning an e-commerce company, the allegations included an unclear and intrusive cookie policy, failure to properly inform users, inappropriate reliance on legitimate interest for cookie use, lack of explicit consent, and foreign transfer issues.

In the 2023/1645 decision summary, the Board referred to the Cookie Guide and emphasized opt-in consent, equal presentation of accept/reject/preferences options, disclosure of cookie name, purpose, duration, and first-party or third-party status, and Article 9 compliance for foreign transfers through cookies.

These decisions show that cookie compliance is no longer an optional best practice in Turkey. It is an enforcement-sensitive area, especially for online games, e-commerce platforms, digital advertising, and websites using foreign third-party tools.

Conclusion

Cookie consent and website tracking rules under Turkish law require a structured and practical compliance approach. A website operator must understand what tracking technologies it uses, whether they process personal data, which legal basis applies, whether explicit consent is required, whether the user is properly informed, whether data is transferred to third parties or abroad, and whether user preferences are respected.

Strictly necessary cookies may often be used without explicit consent if they are genuinely required for a service requested by the user. Functional cookies, analytics cookies, advertising cookies, pixels, SDKs, and similar technologies require a more careful legal assessment. Advertising and behavioral tracking cookies generally require explicit opt-in consent and should not be loaded before consent is obtained.

A compliant Turkish cookie framework should include a real cookie audit, accurate classification, a clear cookie policy, a user-friendly consent banner, equal accept and reject options, granular preferences, consent logs, withdrawal mechanisms, third-party vendor review, cross-border transfer analysis, and periodic technical audits.

For companies operating websites or digital platforms in Turkey, cookie compliance is not only a legal requirement. It is also a trust-building mechanism. Users increasingly expect transparency and control over how they are tracked online. Businesses that handle cookie consent properly reduce regulatory risk, improve digital credibility, and strengthen their overall KVKK compliance position.
