The Draft Guidelines mainly provides an introductory note on the definition of cookies and provides information as to the types of cookies. Upon providing a general definition of cookies, it categorizes cookies based on (i) timeframe (i.e. session cookies, permanent cookies), (ii) purpose (i.e. mandatory cookies, functional cookies, performance–analytical cookies, ad/marketing cookies), (iii) parties (i.e. first party cookies, third party cookies.)
In the following sections, the DPA gives some use cases that do and do not require explicit consent. Accordingly, the Draft Guidelines lists the following types of cookies as the ones which do not require explicit consent: (i) cookies created as a result of users signing in and creating submission forms (i.e. when picking items to fill out an online-shopping basket), (ii) cookies that form as a result of identification verification tools, (iii) cookies created by the user’s security preferences, (iv) multimedia player session cookies, (v) cookies that help with network load balancing, (vi) cookies created by user interface personalization, (vii) add-on content for social networking such as liking, sharing, commenting on posts, (viii) cookies used for managing the explicit consent platform, (ix) first-party analytical cookies, and (ix) cookies used for security of the website.
The scenarios which do require explicit consent are listed as (i) social tracing add-ons (such as those used for marketing and behavioral or analytical research tools); (ii) online behavioral advertising cookies.
Furthermore, the Draft Guidelines elucidates the elements that must exist in lawfully obtained consent. Accordingly, a lawful consent must be (i) related to a definite subject; (ii) based on being informed; (iii) expressed with free will.
Moreover, the Draft Guidelines mentions parties’ liability and notes that some websites may utilize “Cookie Walls” (i.e. if the user does not accept the collection of all cookies, the user is prevented from using the website). The Draft Guidelines concludes that a case-by-case evaluation must be made to determine whether such cookie-walls hinder explicit consent; however use of alternative options to cookie walls would be recommendable.
In the eighth section, the Draft Guidelines sets out how obligation to inform should be duly fulfilled before personal data is processed by cookies. By referencing Article 5 of the Communique on Procedures and Principles on Providing Explicit Consent and Article 10 of the DPL, it states that information notice should be clear, plain and easily accessible, and the methods that make it difficult for the data subjects to access it should not be used. Draft Guidelines also states that when a person visits a website for the first time, an information notice on cookies should be provided (e.g. through pop-up messages). It also recommends that the name and purpose of cookies along with the usage period of cookies and information on whether there is a first or third party exists should be included in the information notice.
In the ninth section, the Draft Guidelines cites the decision dated February 27, 2020 with number 2020/173 of the DPA, as an example of how DPA has previously decided in a case which involved the collection of cookies by a website.
By Gonenc Gurkaynak, Partner, Ceren Yildiz, Partner, Noyan Utkan, Associate, and Gamze Yalcin, Associate, ELIG Gürkaynak Attorneys-at-Law