In June 2022, Turkey's data protection authority published a dedicated Cookie Guidance (Çerez Uygulamaları Hakkında Rehber), setting out how websites should handle cookies under the country's privacy law. Two years later, in 2024, Turkey amended that law to bring parts of it closer to the GDPR. If you serve Turkish visitors, both documents shape what your banner has to do.
This guide covers how the KVKK (Kişisel Verileri Koruma Kanunu, Turkey's Personal Data Protection Law) treats cookies, the consent standard, the narrow exceptions, and what changed in the 2024 reforms.
The law and the regulator
The KVKK is Law No. 6698, in force since 2016. It's enforced by the Personal Data Protection Authority, known by the same acronym, KVKK (Kişisel Verileri Koruma Kurumu). The Authority runs the register of data controllers (VERBIS), issues guidance, and imposes administrative fines. Its 2022 Cookie Guidance is the document that translates the general law into concrete expectations for websites.
Explicit consent is the default for cookies
Under the KVKK, processing personal data generally requires explicit consent unless another legal ground applies. The Cookie Guidance carries that into the cookie context: if a cookie processes personal data and doesn't fall within a narrow exception, you need explicit prior consent before it runs. Valid explicit consent under the KVKK has to be:
- Specific, tied to a clearly stated purpose rather than a blanket agreement.
- Informed, based on clear notice of what data is collected and how it's used.
- Freely given, through an affirmative action, so pre-ticked boxes and "by browsing you agree" notices don't qualify.
The two exceptions
The Cookie Guidance identifies two situations where a cookie can run without explicit consent. The first covers cookies whose sole purpose is carrying out the transmission of a communication over a network. The second covers cookies that are strictly necessary to provide a service the user has explicitly requested. A shopping-cart cookie during checkout or a session token for a logged-in user fits the second exception. Analytics, advertising and social-media cookies do not, so they need consent.
Analytics Is Not "Strictly Necessary"
A common mistake is stretching the strictly-necessary exception to cover measurement tools. Under the KVKK guidance, a cookie only qualifies if the service the user requested cannot function without it. Analytics improves your site, but the visitor didn't request it, so it needs explicit consent. Keep those tags blocked until the visitor agrees.
How the Guidance sorts cookies
The Cookie Guidance groups cookies the way most privacy teams already think about them, and it's worth mapping your own inventory to its categories. It distinguishes cookies by duration (session cookies that expire when the browser closes versus persistent cookies that linger), by owner (first-party cookies you set versus third-party cookies from other domains), and by purpose (strictly necessary, functional, performance and advertising or marketing). Third-party advertising cookies get the closest scrutiny, because they typically build cross-site profiles and almost never fit an exception. Sorting your cookies into these buckets first tells you which ones the banner has to block until consent.
What the 2024 reforms changed
In March 2024, Turkey amended the KVKK through Law No. 7499, with the main changes taking effect on 1 June 2024. Two are worth knowing. First, the amendment added new legal grounds for processing special categories of personal data, moving away from the previous, narrower approach. Second, it reworked the rules on cross-border data transfers, introducing GDPR-style mechanisms such as standard contractual clauses. Since most cookie-based advertising and analytics send data abroad, the transfer changes matter for how you describe and lawfully carry out those transfers.
Penalties
The KVKK backs its rules with administrative fines, which are indexed and revised upward each year. Fines apply to failures such as not fulfilling the obligation to inform data subjects, not registering with VERBIS where required, and not meeting data-security obligations. Because the amounts are re-indexed annually, treat any specific figure as a moving target and check the Authority's current schedule. The direction of travel is upward.
Where CookieBeam Fits
CookieBeam's regional rules let you apply an explicit opt-in flow to visitors from Turkey, keeping analytics and advertising cookies blocked until consent while functional cookies covered by the exceptions run normally. Per-purpose consent logging records which categories each visitor accepted, with a timestamp. You set the region and the categories; the banner enforces the block and keeps the record.
Data subject rights and your cookie data
The KVKK gives people in Turkey a set of rights under Article 11 that reach any cookie data tied to them: to learn whether their data is processed, to ask what's held and why, to have inaccurate data corrected, and to request deletion. They can also object to results produced solely by automated analysis, which is relevant when advertising profiles drive what someone sees. In practice that means two things for your site. Keep your cookie and consent records in a form you can actually retrieve per person, and give visitors a standing way to reopen their preferences and withdraw consent, so exercising the withdrawal right is as easy as granting it was.
Related guides
Turkey's KVKK is one of several non-EU regimes that borrow heavily from GDPR. Compare it with Switzerland's revised FADP and UK GDPR. For the wider view, see cookie consent laws around the world and running one banner across a global audience.
Primary sources: Personal Data Protection Authority (Turkey), kvkk.gov.tr; Law No. 6698 on the Protection of Personal Data; KVKK Cookie Guidance (Çerez Uygulamaları Hakkında Rehber, June 2022); Law No. 7499 (2024 amendments).