Cookie Related Obligations in the Turkish AdTech Ecosystem in 5 Questions

  1. What Are Cookies?

According to the Guide on Practices Relating to Cookies ("Guide") published by the Turkish Data Protection Authority, cookies are defined as low-size rich text formats that allow certain information about users to be stored on users' terminal devices when a web page is visited.

Cookies are considered personal data according to the interpretation of the Turkish Data Protection Authority within the scope of the definition of personal data provided under the Turkish Data Protection Law ("TR DPL"). This definition provides that any information relating to an identified or identifiable natural individual constitutes personal data.

The Guide details cookie types and provides information on whether a type of cookie requires consent to be lawfully processed or not. Cookies which do not require consent such as first party analytics and load balancing cookies may be processed based on other legal bases provided under the DPL such as legitimate interest or performance of a contract while online behavioral advertising cookies require consent.

  1. Who are the Stakeholders in the AdTech Ecosystem?

Advertisers: Advertisers are the parties who constitute the demand side in the ecosystem and buy advertisement spaces to place their ads on.

Publishers: Publishers are the parties who constitute the supply side and own or operate online content or services where personal data is collected. Publishers provide the medium for advertisements to be placed.

Vendors: Vendors are the parties who provide services and technical solutions to advertisers and publishers which enables them to target, deliver, and measure their digital advertising efforts. Examples to vendors include, demand-side and supply-side platforms, measurement providers.

Consent Management Platform (CMP) Providers: CMP providers are a type of vendor who provide the technical means to publishers to inform and obtain consent from data subjects whose personal data are processed through the use of cookies on the medium owned or operated by the publisher. Publishers may outsource CMPs or develop and use their own.

  1. What are the Roles of these Stakeholders under the DPL?

The TR DPL, similar to the EU's General Data Protection Regulation ("GDPR") provides two roles for parties who process personal data based on the amount of control and decision-making power that party has while processing the relevant data set. These are the roles of a controller and processor.

Publishers and vendors may be considered data controllers based on how much control they have over the purposes for which they process the personal data of data subjects collected through cookies and similar technologies. For instance, where a vendor conducts a personal data processing activity by placing third party cookies on the website of a publisher to target the visitors on that website with its own initiative, this vendor is likely to be considered as a data controller.

Similarly, if a publisher uses cookies to track and target data subjects visiting their website for the purpose of profiling them this publisher will be considered as a data controller.

CMP providers and advertisers generally do not collect a vast amount of personal data however, they may also be considered as data controllers in cases where they mandate the purposes and means of processing personal data obtained.

To determine the roles of these parties, each processing activity carried out must be assessed on a case-by-case basis in terms of whether a party processes personal data for purposes determined by them and to what extend to other parties affect the decision-making process regarding the purposes and means of the processing.

  1. How Can These Stakeholders Ensure Compliance with the DPL?

The stakeholders mentioned above may be considered as data controllers for the same purposes if they decide jointly on any purposes or means to conduct data processing activities, only one may be the controller and the other the processor or two independent controllers may process personal data for their own separate purposes.

In all these cases, especially for processing activities requiring consent, allocation of the responsibilities within the contracts to be concluded between these parties based on their relationship is extremely substantial.

Additionally, as per the TR DPL, data controllers are obliged to inform data subjects regarding their processing activities beforehand and base their processing activities on a valid legal basis (regardless of obtaining explicit consent). This means that in practice, where the vendors as data controllers do not directly face the data subject, they require the assistance of the publishers to comply with their obligations to inform the data subjects.

In this context, the contracts to be executed between these stakeholders must be reviewed from a data protection standpoint taking into account the obligations of these parties under the TR DPL.

  1. Does It Work the Same in the EU?

The status of cookies as personal data and the obligation of the controllers to carry out their processing activities on a legal basis while complying with their transparency obligation do align with the obligations under the TR DPL in general. However, the legal basis applicable to each cookie type as well as the amount of detail suggested to be provided to data subjects as provided under the Guide may differ from the practice in the EU.

Transparency and consent frameworks such as the one published by the Interactive Advertising Bureau in the EU provide standards for the stakeholders in the AdTech ecosystem to comply with their privacy related obligations. It is observed that these types of frameworks are widely accepted and implemented among sector players in the EU. However, similar frameworks have not been widely accepted and implemented among the sector players in Turkey yet.

In conclusion, while the obligations and standards for compliance are similar in the EU and Turkey, there may be fundamental differences which need to be assessed on a case-by-case basis as both the legislation and practice do differ.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.