When we visit a website, we often come across information about the collection of cookies and the question of whether we allow it or not. Despite many people not knowing what cookies are, they are invited to read the cookie policies of websites. Sometimes, accepting cookies is presented as a prerequisite for accessing certain services. So, how much do we know about cookies? What is the legal aspect of collecting cookies, and does rejecting cookies prevent the use of a website? In this article, we will define cookies, then discuss their types, functions, and control, and finally, we will examine cookies from a legal perspective.

What are Cookies?

The directive prepared for European Union institutions defines cookies as "text files created by the web service visited by the user." Similarly, the cookie policy of the European Commission answers the question of what cookies are by stating that they are "small text files stored on your computer or mobile device when you visit a website." In other words, cookies are created by browsers as users visit websites and are stored on the devices they use to access the websites. Since cookies are usually encrypted files, only the website that created them can read them. Therefore, they do not have meaning on their own and cannot be used by other websites.

Some argue that the term comes from Hansel and Gretel, who left bread crumbs on their way home, while others believe it comes from small text-filled cookies. However, the most widely accepted theory is that it originates from the "magic cookie" data packet used in the Unix operating system. As a result, we cannot provide a definitive answer to the question of what "cookie" means in its original context. To maintain this ambiguity, the term is translated as "çerez" (cookie) in Turkish.

What are the types of cookies?

Cookies are primarily divided into two categories: session cookies and persistent cookies. Session cookies, also known as temporary cookies, are automatically deleted when you close the session without requiring any action. Thus, session cookies cannot be restored on the next visit to the page. On the other hand, persistent cookies are not automatically deleted when you close the website or browser. They remain on your computer until you delete them manually or until the expiration date set by your browser. Persistent cookies, such as language and theme preferences, allow the website to remember your choices for your next visit, so you do not have to make those choices again.

Another distinction regarding cookies is between necessary and non-necessary cookies. Necessary cookies are essential for the functioning of the website and are collected as a requirement for the website to function properly. For example, cookies that keep products in the shopping cart are necessary cookies for e-commerce websites. Non-necessary cookies, on the other hand, are not essential for the website's operation. This category includes cookies that remember usernames and passwords, advertising cookies, or cookies that collect statistical information.

Another aspect related to cookies is whether they are placed by the website itself or by third parties. Cookies placed by the website itself can include cookies that facilitate the use of the website, such as language and theme preferences. Third-party cookies, on the other hand, are advertisement cookies placed by advertising companies like Google Adsense. In such cases, while the website provides its own content, the advertisements on the website are provided by third parties that use cookies. As a result of placing these cookies, Google keeps track of the websites you visit, offers personalized ads, and prevents you from seeing the same ad repeatedly. You can find detailed information on this subject at https://policies.google.com/technologies/ads and edit your personalized ad settings at https://adssettings.google.com/authenticated.
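
As an added illustration (not part of the original article), the JavaScript below sorts the Set-Cookie headers a browser receives into session or persistent and first-party or third-party, the distinctions drawn above. The host names and sample headers are constructed, and siteOf() is a hypothetical helper that approximates a site by its last two labels; a real implementation would use the Public Suffix List.

```javascript
// Added example: classify Set-Cookie headers by lifetime and by party.
// siteOf() is a simplification (last two labels); real code needs the Public Suffix List.
function siteOf(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".").slice(-2).join(".");
}

function classifyCookie(header, pageHost, responseHost, now = new Date()) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("not a name=value cookie: " + header);
  const name = pair.slice(0, eq).trim();

  // Attribute names are case-insensitive; the last occurrence wins.
  const attrs = Object.create(null);
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? "" : part.slice(i + 1).trim();
  }

  // Max-Age takes precedence over Expires; neither one means a session cookie.
  let expires = null;
  if (/^-?\d+$/.test(attrs["max-age"] || "")) {
    expires = new Date(now.getTime() + Number(attrs["max-age"]) * 1000);
  } else if (attrs.expires && !Number.isNaN(Date.parse(attrs.expires))) {
    expires = new Date(Date.parse(attrs.expires));
  }
  // An expiry that is not in the future is how a site deletes a cookie.
  let lifetime = "session";
  if (expires) lifetime = expires > now ? "persistent" : "deleted";

  // A Domain attribute (leading dot ignored) widens scope; otherwise the cookie is host-only.
  const domain = (attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  const party = siteOf(domain) === siteOf(pageHost) ? "first" : "third";
  return { name, lifetime, expires, party, domain };
}

// Constructed sample: responses received while viewing www.shop.example.
const NOW = new Date("2024-01-01T00:00:00Z");
const SAMPLES = [
  ["cart=abc123; Path=/; HttpOnly", "www.shop.example"],
  ["lang=tr; Max-Age=31536000; Domain=.shop.example", "www.shop.example"],
  ["uid=9f2; Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=None; Secure", "ads.adnetwork.example"],
  ["lang=; Max-Age=0", "www.shop.example"],
];
function classifyAll() {
  return SAMPLES.map(([h, host]) => classifyCookie(h, "www.shop.example", host, NOW));
}
console.log(classifyAll());
```

The shopping-cart cookie has no Expires or Max-Age and is therefore a session cookie, while the language preference and the advertising identifier persist; only the last of these is scoped to a different site than the page being viewed.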

What is the function of cookies?

The main purpose of cookies is to enhance the website's usability by remembering user preferences and providing personalized experiences, thus improving the services offered to visitors. For example, if a visitor permits the collection of cookies, they do not have to redo language and theme preferences when revisiting the website. Similarly, cookies that keep the session open allow users to stay logged in without having to log in again.

On the other hand, cookies may also be necessary for the proper functioning of the website. One of the most important examples is that cookies prevent products added to the shopping cart from disappearing on the payment page. Disabling or rejecting cookies may prevent the user from benefiting from the website.

It is not possible to say that all cookies are harmless. Some cookies can track your internet browsing activity. However, you can control cookies' specific actions or prevent certain websites from collecting cookies through your browser settings.

How to control and delete cookies?

Privacy is everyone's right. This right is protected in the Turkish Constitution and the European Convention on Human Rights. Therefore, you should be the one who determines when to share which information. In terms of cookies, there are two aspects: enabling cookies and clearing cookies.

You do not need to enable cookies in your default browser settings. When you visit a website, the website sends certain information to your browser, and your browser creates a text file and stores this information in the browser folder. Therefore, you can control cookies from the relevant folder or browser settings.

In addition, websites that place cookies place these cookies for certain periods. Session cookies can be deleted at the end of the session or automatically after a specific period. In this case, if you do not want to clear them before the set time, you do not need to do it manually. 

Cookies Under Turkish Law

There is no specific legislation in Turkish law that regulates cookies. However, in the decision of the Personal Data Protection Authority ("Authority") regarding Amazon Turkey Retail Services Limited Company dated 27/02/2020 and numbered 2020/173, it is stated that "all actions falling within the scope of data processing (such as tracking, transferring, sharing, storing, etc.) with cookies ..." shall be considered within the scope of personal data. However, consent is not required for all collected cookies. This distinction depends on whether the collection of cookies is necessary. Consent is not required for cookies that are essential for the website's operation, while consent will be required for non-necessary cookies.

The final version of the “Guide on Cookie Applications” prepared by the Personal Data Protection Authority was published on 20.06.2022. The guide examines good and bad practices regarding cookies.

The consent to be obtained is explicit consent, defined in Article 3 of the Personal Data Protection Law ("PDPL") as "consent based on the information and expressed with free will regarding a specific subject matter." The requirement of free will means that consent cannot be made a prerequisite for the provision of a product or service or the use of a product or service. In other words, the "love it or leave it" approach cannot be applied here: refusing cookies cannot prevent access to the service, and the opposite behavior would impair the consent. In such a case, an appeal can be made to the Authority due to non-compliance with the PDPL.

In the European Union, cookies are regulated in the General Data Protection Regulation ("GDPR") and the ePrivacy Directive. According to these regulations, consent regarding cookies must be obtained after the user is sufficiently informed about the purpose of data use and before the data is collected. Similarly, the user must give consent through an active action and be able to withdraw their consent. However, data can be collected without obtaining consent when the data is collected in bulk for the purpose of improving the website, with anonymization. Websites that attract traffic from EU member countries should pay attention to these issues and provide visitors with the option to accept or reject cookies. While having a cookie policy is not a legal requirement in terms of the PDPL, companies based in the EU and websites attracting visitors from the EU are obliged to have a cookie policy. Therefore, preparing a cookie policy that complies with legal regulations worldwide and seeking help from a privacy lawyer in Turkey will help you overcome potential issues at the beginning stages.

For any questions or legal assistance regarding this matter, you may contact us at info@paldimoglu.av.tr.

[1] European Data Protection Supervisor, “Guidelines on the protection of personal data processed through web services provided by EU institutions”, November 2016.

[2] European Commission, “Cookies policy”, https://ec.europa.eu/info/cookies_en.