The Guideline aims to ensure website operators’ compliance with the Law when using cookies and covers only cookies used for processing personal data. The Guideline does not cover technologies such as pixels, user fingerprints, local storage and beacons. The Guideline applies to desktop and mobile websites and applications.
Definitions and types of cookies
In the Guideline, “cookie” is defined as “a type of text file placed on the user’s device by the website operators and is transferred as part of the HTTP (Hyper Text Transfer Protocol) query.” Another definition given by the Guideline is as follows: “cookies are small sized rich text formats, which allow certain information about users to be stored on terminal devices when a web page is visited.”
The Guideline explains the types of cookies based on three main characteristics: (i) duration of the cookies; (ii) purpose of the cookies; and (iii) parties of the cookies. With regard to their duration, cookies are classified as session cookies and persistent cookies. As to their purpose, cookies are classified as strictly necessary (mandatory), functional, performance-analytical and advertising/marketing cookies. As regards parties, cookies are categorized into two — as first-party and third-party cookies, depending on whether the cookie is placed by the website or the domain visited by the user.
Relationship between the ECL and the Law
According to the Guideline, the Law will be applicable to information society services as, unlike the EU Directive 2002/58/EC, this topic is not regulated under the ECL. In this context, the decision dated 27 February 2020 numbered 2020/173 is highlighted. Additionally, the ECL may partially be applicable to the data controller operators.
In cases where third-party cookies are used, both the website owner and the third party are responsible for clearly informing the data subjects and obtaining explicit consent in accordance with the Law. The Guideline recommends that the rules regarding the obligation to inform and obtaining consent be regulated in the agreement between the website owner and the third party since it is more difficult for third parties to establish a connection with the data subjects compared to the website owner.
In the Guideline, the Authority aims to guide website operators and those that process personal data through cookies to bring cookie practices in line with the legislation. Stakeholders should review this important Guideline and ensure their compliance with the Law in light of the Authority’s guidance.
The term “website” referred to in the Guideline includes websites or media (such as mobile phones or tablets).