İçeriğe atla
Start free
KVKK · TÜRKİYE

KVKK Cookie Management 2026 Complete Implementation Guide

How are cookies managed under the Personal Data Protection Law No. 6698? Explicit consent requirements, disclosure text, KVKK Board precedent decisions and implementation recommendations.

Updated
31 May 2026
Scope
All TR companies
Penalty upper limit
Updated annually

This content is for general information purposes and does not constitute legal advice. For concrete situations, consulting a legal advisor is recommended.

How Are Cookies Defined Under KVKK?

KVKK Law No. 6698 does not directly define the concept of a "cookie"; however, under Article 3 (definition of personal data) and Article 4 (general principles), if cookies contain personal data (IP address, device fingerprint, behavioral data) they automatically fall within the scope of KVKK. KVKK Board decisions and the Guide on Cookie Practices have clarified the explicit consent requirement for cookies.

KVKK Board Guide Summary: "For non-mandatory cookies, explicit consent must be obtained, the data subject must be informed and a consent record must be kept. The reject option must be offered with the same ease as acceptance."

Relevant KVKK Articles

Madde 3

Definition of Personal Data

Any information relating to an identified or identifiable natural person is personal data. IP address, device identifier and the profile data generated by cookies fall within this scope.

Madde 4

General Principles

Personal data must be processed lawfully and fairly, for specified, explicit and legitimate purposes; it must be relevant to and proportionate with the purpose for which it is processed.

Madde 5

Conditions for Processing

Personal data may not be processed without the explicit consent of the data subject. Strictly necessary cookies may rely on the other conditions listed in the law; for advertising and analytics cookies, explicit consent is mandatory.

Madde 10

Disclosure Obligation

The data controller is obliged to inform the data subject at the time personal data is collected. The cookie policy and banner fulfill this obligation.

Madde 11

Data Subject Rights

The right to access, rectify, erase, port and object. Visitors must be able to withdraw their consent and change their cookie preferences whenever they wish.

Madde 12

Data Security

The data controller bears the obligation to prevent the unlawful processing of and access to personal data and to ensure its safekeeping. The secure storage of the consent log falls within the scope of this article.

Consent requirement

Which Cookies Require Explicit Consent?

According to the KVKK Board guide, there are 4 main categories: in one, consent is not required; in three, explicit consent is mandatory.

Strictly Necessary Cookies

Consent not required

Cookies that are indispensable for website functionality, such as login, cart, language preference and security (CSRF token). Disclosure is provided, but no explicit consent is obtained.

session_id, csrf_token, lang_preference

Performance / Analytics

Explicit consent required

Collects behavioral data such as the number of visitors, which pages were viewed and the user journey. Google Analytics, Hotjar and Yandex Metrica are in this category.

_ga, _gid, _hjid, _ym_uid

Advertising / Targeting

Explicit consent required

Used for remarketing, personalized advertising and conversion tracking. Meta Pixel, Google Ads, TikTok Pixel and LinkedIn Insight are here.

_fbp, IDE, _gcl_au, ttwid

Social Media / Functionality

Explicit consent required

Social media share buttons, embedded video (YouTube, Vimeo) and live support components write third-party cookies.

YSC, VISITOR_INFO1_LIVE, _tawkuuid

KVKK Board Decisions and Sanctions

The KVKK Board has imposed administrative fines on various companies due to inadequate cookie policies. The following types of violations frequently appear in the decision texts.

Frequently Identified Violations

  • Use of dark patterns: hiding the reject button or making it harder to use
  • The cookie disclosure text being inadequate or unclear
  • Loading third-party advertising and analytics cookies without obtaining explicit consent
  • Failure to keep a consent log and the resulting difficulty of proof
  • Failure to fulfill VERBİS obligations

Where Can You Find Board Decisions?

For specific decision numbers, justifications and the amounts of the administrative fines imposed, see the official source: kvkk.gov.tr Board Decisions and Official Gazette announcements.

This content is for general information purposes and does not constitute legal advice.

Note: The upper limit of administrative fines is updated annually by the revaluation rate. For this reason, a fixed amount is not shared on this page. Always reference the KVKK Board website for the current figure.

Requirements for Valid Explicit Consent Under KVKK

Under KVKK Article 3 and the Board guidance, explicit consent has three core elements.

Specific to a Particular Subject

Consent is not a blanket acceptance; it must be obtained separately for each cookie category. Alongside an "Accept all cookies" option, a category-based choice must be offered.

Based on Being Informed

Users must give consent with a clear understanding of which cookie they accept, for what purpose and for how long. Vague or misleading wording does not create valid consent.

Given Freely

The accept and reject options must be presented with equal visibility and the same ease. Blocking access to the site without giving consent (cookie wall) is considered problematic by the Board.

Cookie Disclosure Notice Template

A basic template aligned with KVKK Article 10 and prepared in line with KVKK Board decisions. Fill in the fields in square brackets with your own details.

Sample disclosure notice content; we recommend having it reviewed by a legal advisor.
As [COMPANY NAME], in our capacity as data controller under Law No. 6698 (KVKK),
we use cookies on our website.

1. DATA CONTROLLER
   Title: [Full Company Name]
   Address: [Full Address]
   Email: kvkk@[domain].com.tr

2. COOKIE CATEGORIES AND PURPOSES
   - Strictly Necessary Cookies: Session, cart, security (no consent required)
   - Performance Cookies: Google Analytics (with explicit consent)
   - Advertising Cookies: Meta Pixel, Google Ads (with explicit consent)
   - Functionality Cookies: Social media embeds (with explicit consent)

3. RETENTION PERIODS
   - Session cookies: Until the browser is closed
   - Persistent cookies: At most 12 months (KVKK Board recommendation)

4. DATA SUBJECT RIGHTS (KVKK Article 11)
   You have the right to access, correct, delete and port your data.
   For your requests: kvkk@[domain].com.tr

5. CHANGING YOUR CONSENT
   You can update or withdraw your consent at any time via the
   "Cookie Preferences" link at the bottom of the page.
Get the Ready-Made Template from cerez.io
Implementation steps

Practical Steps to KVKK Compliance with cerez.io

No need to hire a legal advisor or assign a developer. Infrastructure built for Turkish companies and tailored to Turkish regulation.

Create an account

Sign up for free on cerez.io. No credit card required.

Add the embed code

Add a single-line JavaScript snippet to your page. A WordPress plugin is also available.

Automatic scanning

All cookies on your site are scanned and categorized according to KVKK (217 known cookie definitions).

Customize the banner

Adapt it to your brand colors. Turkish, English and German texts are provided automatically.

Consent log

For the burden of proof under KVKK Article 12, consents are retained for 365 days by default (adjustable between 90-365 days). XLSX and PDF report exports are available.

217 cookie definitions
65 providers, 38 analysis rules
Turkish/English/German
Automatic language detection
Disclosure notice template
Ready-made, customizable
Google Consent Mode v2
Advertising and analytics signals
FAQ

KVKK Cookie Management: Frequently Asked Questions

How are cookies defined under KVKK?
Short answer: KVKK does not define cookies directly, but under KVKK Board decisions and Article 4 of Law No. 6698, cookies fall within the scope of KVKK if they contain personal data (device fingerprint, IP, behavior). Explicit consent is required for all cookies except strictly necessary ones. The KVKK Board's Guide on Cookie Practices clarifies this rule.
How much is the KVKK cookie fine?
Short answer: The upper limit of the KVKK Board's administrative fines is updated by the annual revaluation rate, so we do not share a fixed figure. The Board has imposed high administrative fines on various companies for inadequate cookie policies. For current figures and decision texts, please review kvkk.gov.tr Board Decisions.
Which cookies require explicit consent?
Short answer: Performance/analytics cookies (Google Analytics, Hotjar, Yandex Metrica), advertising/targeting cookies (Meta Pixel, Google Ads, TikTok Pixel, LinkedIn) and social media embed cookies require explicit consent. Strictly necessary cookies (session, cart, security, language preference) do not require consent, but disclosure is mandatory. In ambiguous cases, the cerez.io scanner categorizes them automatically.
Are the KVKK and GDPR cookie rules the same?
Short answer: They are very largely similar, but there are differences. Under GDPR, granular consent (category-based preference) is explicitly required; under KVKK this is not explicit, but Board decisions interpret it in the same direction. A reject button is not a legal requirement under KVKK, but it was recommended in the 2024 KVKK guide and is considered mandatory in practice. If you sell to the EU market, both will apply, so a solution that supports both regulations, such as cerez.io, is recommended.
What should the cookie disclosure text include?
Short answer: It must include the identity of the data controller (KVKK Article 10), cookie types and purposes, retention periods (at most 12 months recommended), information on transfers to third parties (Google, Meta, etc.), data subject rights (KVKK Article 11), contact details and the way to change consent. cerez.io offers a ready-made template that includes all of these elements.
What are the minimum requirements for a KVKK-compliant cookie banner?
Short answer: 1) Clear and understandable language, 2) A reject button with the same visual weight as accept, 3) Category-based choice (granular: separate options for strictly necessary / analytics / advertising), 4) A detailed cookie list (name, duration, provider, purpose), 5) A link to the cookie policy, 6) Keeping a record of consent and making it changeable from the bottom of the page. cerez.io meets these requirements by default.
Is VERBİS registration required for cookies?
Short answer: If your company is obliged to register with VERBİS, the personal data you collect via cookies (IP, behavior, device information) must be reported to VERBİS. VERBİS registration thresholds are updated by the KVKK Board; for current thresholds and exceptions, please review the announcements on kvkk.gov.tr. cerez.io offers a data inventory report on the Pro plan and above.
How do you achieve KVKK compliance with cerez.io?
Short answer: You add a single-line embed code, your cookies are scanned and categorized automatically (217 known cookies, 65 providers, 38 analysis rules), a KVKK-compliant banner appears, and consent logs are retained for 365 days by default (for the burden of proof under KVKK Article 12; adjustable per domain between 90-365 days). The disclosure notice template is ready to use. As a Turkish SaaS, we have a support team that is well versed in KVKK terminology. View pricing.

Start measuring your KVKK compliance today.

A cookie management platform based in Turkey. A team well versed in KVKK terminology, local hosting and transparent pricing in TRY. Start for free, no credit card required.

Start free Talk to an expert

⚡ YASAL ZORUNLULUK 2025/10 Cumhurbaşkanlığı Genelgesi: Kamu, belediye, banka, üniversite, hastane, okullar için 21 Haziran 2026'ya WCAG 2.2 A zorunlu · Ceza: 5.000–25.000 TL/tespit
Detay →