The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding the failure of the data controller to provide the privacy policy and explicit consent wording for cookies on the website of a gaming platform in its decision dated 23.12.2022 and numbered 2022/1358.
The complaint subject to the decision is that when accessing the website of a gaming platform, users are not informed about the data processing made through cookies, explicit consent is not obtained for non-essential cookies, and also their identity and contact information is requested from the users who are members of the website, but privacy policy and explicit consent texts are not provided.
The Board made the following explanations regarding the complaint;
- Cookies that are necessary for the proper functioning of a website are defined as essential cookies and can be used as exception to the explicit consent requirement in Article 5 of the Law on the Protection of Personal Data No. 6698 (“DPL”). However, the cookies used for advertising, marketing, and performance purposes are subject to the explicit consent of the data subject. If there is no processing condition other than explicit consent regarding the cookies other than essential cookies such as functional cookies, performance-analytical cookies, and advertising/marketing cookies, the data controller must obtain explicit consent from data subjects according to the “opt-in” mechanism that envisages their voluntary active action at the time of log-in, and preventing the cookies being active in default.
- In this context, it is seen that there are many cookies on the website, and there is no privacy policy. In addition, it has been determined that the data controller does not obtain explicit consent for cookies that are non-essential and track user movements for purposes such as advertising or statistics.
- The data controller must fulfill the obligation to inform data subjects during the first visit of the users to the website regarding the personal data collected via cookies in accordance with Article 10 of the DPL. On the other hand, it has been observed that the privacy policy on the website does not contain the mandatory elements, and the processed personal data is transferred abroad.
In this regard, the Board adopted the following decisions;
- The data controller processes personal data through non-essential cookies for the purpose of advertising and marketing without relying on any legal basis on the relevant website. Since this situation constitutes a violation of the obligations in Article 12 of the DPL, an administrative fine of TRY 300.000 (approx. EUR 14.036) was imposed on the data controller.
- In terms of personal data processed with cookies on the website, it has been decided to instruct the data controller to fulfill the obligation to inform in accordance with the relevant provisions of Article 10 of the DPL and the Communique on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform.
- It is seen that the privacy policy on the website is presented to the users during sign-up, it has been decided to instruct the data controller to complete the deficiencies in the privacy policy.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş