Unlike the European Union ("EU"), there are no specific rules on cookies* under Turkish Data Protection Law ("Turkish DP Law"). On the other hand, Turkish Data Protection Authority ("Authority") published a Guideline on Cookie Practices ("Guideline") on its website on 20 June 2022.

General information

  • The Authority's "general" approach on cookies seems to be following the EU practice.
  • On the other hand, some of the principles introduced by the Authority on cookies are quite specific to the Turkish DP Law practice.

In this factsheet, we focus on the major differences between the EU practice and the Turkish DP Law practice.

1. Explicit consent or not?

  1. Rule: As a general rule, strictly necessary cookies do not require consent under the Turkish DP Law.
  2. Exception 1: In line with EU Practice, functional cookies which are strictly necessary to enable the information society services explicitly requested by the user do not require consent under the Turkish DP Law.
  3. Exception 2: Contrary to the EU practice, the Guideline states that the explicit consent of the user may not be required for first-party analytics cookies subject to the following conditions:
    • The use of performance analysis cookies should be limited to measuring the target audience of the site or application concerned,
    • Personal data collected through cookies which are not strictly required for the purpose of processing should be anonymized,
    • The use of personal data collected through cookies should be limited to the production of anonymous statistics,
    • The duration of cookies should be reasonable, and the personal data collected should not be transmitted to
    • Personal data collected through cookies should not be used to track users across multiple sites or devices.

2. The obligation to inform data subjects about cookies

Due to the loophole in Turkish DP Law on cookies, data controllers in Turkey have been following the EU practice and using cookie policies similar to policies used in the EU.

However, the Guideline have clarified that the "privacy notices" on cookies must comply with rules on "obligation to inform" under Turkish DP Law.

Hence, such privacy notices must at least include:

  • The identity of the data controller and its representative (if any),
  • The purposes for which personal data will be processed,
  • The persons to whom personal data will be transferred and the purpose of such transfer,
  • The method and legal basis of collection of personal data, and
  • The data subject rights under Turkish DP Law.

On the other hand, the Guideline also recommends that the name, purpose and duration of cookies, and information as to whether a cookie is a first-party or third-party cookie be also included in cookie privacy notices.

3. Personal data transfer abroad

  • The Guideline states that data controllers must comply with data transfer abroad rules under Turkish DP Law for cookies.
  • In this regard, we are of the view that for those cookies, the use of which require explicit consent, data controllers may also rely on a "separate" explicit consent for data transfer abroad.
  • However, for those cookies, use of which do not require explicit consent (e.g. strictly necessary cookies), as to whether data controller may rely on consent is debatable because the Authority's established view is that "provision of a service may not be conditional upon a consent". Hence, for those cookies, the most appropriate method seems to be obtaining the Authority's approval by executing a standard form undertaking by which the recipient and the importer commit to provide an adequate level of protection.

In this regard, personal data transfer abroad remains to be a problematic issue on cookies as well.

Key points

  • First party analytics cookies may not require explicit consent in certain circumstances,
  • Cookie notices should be amended in accordance with rules on "obligation to inform" under Turkish DP Law,
  • An appropriate method for personal data transfers abroad should be determined by controllers.

* Electronic Communications Law includes rules specific to cookies which are only applicable to telecoms operators.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.