What Is the KVKK and How Does It Apply to Cookies?
Turkey's Kisisel Verilerin Korunmasi Kanunu (KVKK), formally Law No. 6698, came into force on 7 April 2016. It is Turkey's primary data protection statute, governing the collection, processing, and storage of personal data. The law applies to any data controller - Turkish or foreign - that processes personal data of individuals located in Turkey.
Cookies that identify a user or device count as personal data under the KVKK. That means analytics trackers like _ga, advertising pixels such as _fbp, and session identifiers like PHPSESSID all fall within scope when they can be linked to an identifiable person.
The global trend toward stricter cookie regulation includes Turkey. The KVKK Board (the Personal Data Protection Authority, often abbreviated KVKK Kurumu) has published a 61-page "Guide on Cookie Applications" that sets out detailed rules for how websites must handle cookies.
The KVKK Cookie Guide: Two Exceptions, One Rule
The KVKK cookie guide establishes a clear default: all cookies require the user's prior explicit consent unless they meet one of two narrow exceptions.
The first exception covers cookies whose sole purpose is to carry out communication over an electronic network. The second exception applies to cookies that are strictly necessary for a service the user has explicitly requested - for example, maintaining a shopping basket or keeping a user logged in.
Every other cookie - analytics, advertising, social media plugins, retargeting - requires active, informed, freely given consent before it is set. Pre-ticked boxes or implied consent through continued browsing do not satisfy this standard.
If your site uses a cookie banner, it must include a management panel where visitors can choose which categories to allow. Marketing and analytics cookies must be disabled by default.
Consent Requirements Under Article 3(1)(a)
Article 3(1)(a) of the KVKK defines explicit consent as a declaration of will that is freely given, specific, and based on being informed. For cookie consent to be valid, it must meet all three conditions simultaneously.
Freely given means the user must have a genuine choice. Blocking access to content unless all cookies are accepted (so-called cookie walls) undermines free consent. The KVKK Board's Decision 2026/347, published on 24 March 2026, further requires that consent texts and disclosure (clarification) texts must be kept strictly separate - bundling them into a single document is now explicitly prohibited.
Specific means consent must be granular. A single "accept all" toggle without category-level controls is insufficient. Each processing purpose needs its own consent mechanism.
Informed means the user must know exactly what they are consenting to. Your cookie policy must disclose, for each cookie: its name, purpose, the party responsible (first-party or third-party), and the storage duration.
KVKK Administrative Fines for 2025 and 2026
The KVKK Board adjusts its administrative fines annually based on Turkey's revaluation rate. For 2025, fines were increased by 43.93%. The table below shows the current fine ranges.
| Violation | Minimum Fine (TRY) | Maximum Fine (TRY) |
|---|---|---|
| Failure to inform data subjects | 68,083 | 1,362,021 |
| Failure to fulfil data security obligations | 204,285 | 13,620,402 |
| Non-compliance with Board decisions | 340,476 | 13,620,402 |
| Failure to register with VERBIS | 272,380 | 13,620,402 |
| Failure to notify standard contracts for cross-border transfers | 71,965 | 1,439,300 |
In 2024, the Authority imposed a total of approximately 504 million TRY in fines. A single enforcement wave in August 2024 targeted over 16,000 organisations for VERBIS non-compliance alone.
These figures signal that the KVKK Board is actively enforcing the law, and cookie compliance is part of its remit.
VERBIS Registration: An Extra Obligation
Unlike the GDPR, the KVKK requires data controllers to register with the Data Controllers' Registry (VERBIS). Registration involves declaring your data processing activities, categories of personal data, data subjects, recipients, and retention periods.
If your website sets cookies that process personal data of Turkish users, VERBIS registration is likely required. Late registration does not eliminate liability - the Board has imposed fines for each year of delay.
How KVKK Compares to the GDPR
The KVKK was modelled on the EU Data Protection Directive (95/46/EC) rather than the GDPR itself. While the two frameworks share core principles, several differences matter for website operators.
| Feature | KVKK (Turkey) | GDPR (EU) |
|---|---|---|
| Legal basis for cookies | Explicit consent (except strictly necessary) | Consent under ePrivacy Directive (except strictly necessary) |
| Data Protection Officer | Not required | Required in certain cases |
| Data Protection Impact Assessment | Not required | Required for high-risk processing |
| Data portability right | Not included (under review) | Included (Article 20) |
| Breach notification | 72 hours (as of 2025 updates) | 72 hours (Article 33) |
| Registry requirement | VERBIS registration mandatory | No central registry |
| Maximum fines | Up to ~13.6 million TRY per violation | Up to 20 million EUR or 4% of turnover |
| Cross-border transfers | Board approval or explicit consent required | Adequacy decisions, SCCs, BCRs available |
The KVKK's cross-border transfer rules are stricter. Transferring personal data outside Turkey typically requires either explicit consent from the data subject or approval from the KVKK Board. The GDPR offers more flexible mechanisms such as Standard Contractual Clauses and Binding Corporate Rules.
For sites that serve both EU and Turkish visitors, meeting the GDPR's requirements does not automatically satisfy the KVKK. VERBIS registration, separate consent texts, and Board-approved transfer mechanisms may all be needed on top of existing EU compliance measures.
Cookie Compliance Checklist for Turkish Websites
Use this checklist to assess whether your site meets current KVKK cookie requirements.
Audit all cookies - run a cookie scan to identify every cookie your site sets, including those from third-party scripts.
Classify cookies - separate strictly necessary cookies from analytics, marketing, and functional cookie categories.
Block non-essential cookies by default - analytics and marketing cookies must not fire until the user gives explicit consent.
Provide granular controls - your consent banner must let users accept or reject each cookie category individually.
Write a detailed cookie policy - list each cookie by name, purpose, responsible party, and retention period.
Keep consent and disclosure texts separate - following Decision 2026/347, do not bundle your consent request with your clarification text.
Record consent - store proof that each user consented, including the timestamp and scope of consent.
Allow easy withdrawal - users must be able to change or revoke consent at any time with the same ease as giving it.
Register with VERBIS - if you process personal data of Turkish individuals, register your data processing activities.
Review cross-border transfers - if cookie data leaves Turkey (e.g., Google Analytics servers), confirm you have a lawful transfer mechanism.
Implementing a KVKK-Compliant Cookie Banner
A compliant banner for Turkish visitors should appear before any non-essential cookies are set. The banner must include a clear explanation of why cookies are used and a link to your full cookie policy.
The management panel should present cookie categories with toggles that default to "off" for analytics, marketing, and social media cookies. Only strictly necessary cookies may be pre-enabled, and their toggle should be non-dismissible.
If your site serves visitors from multiple jurisdictions, geo-detection allows you to show KVKK-compliant settings to Turkish users while applying different rules elsewhere. Google Consent Mode v2 can work alongside your consent banner to adjust tag behaviour based on the visitor's choices.
Frequently Asked Questions
Does the KVKK apply to websites based outside Turkey?
Yes. The KVKK applies to any data controller that processes personal data of individuals in Turkey, regardless of where the controller is established. If your website targets Turkish users or collects data from them, you fall within scope.
Are analytics cookies like Google Analytics allowed without consent in Turkey?
No. Analytics cookies do not meet either of the two exemptions under the KVKK cookie guide. They are neither strictly necessary for a user-requested service nor solely for transmitting communications. You must obtain explicit consent before setting them.
What is VERBIS and do I need to register?
VERBIS is Turkey's Data Controllers' Registry. If you process personal data of Turkish individuals - including through cookies - you are generally required to register. Failure to register can result in fines up to 13.6 million TRY.
Can I use a cookie wall to force consent in Turkey?
No. Consent must be freely given under Article 3(1)(a) of the KVKK. Blocking access to your website unless a user accepts all cookies does not constitute free consent and would likely be considered non-compliant.
How does the KVKK differ from the GDPR for cookie consent?
Both require prior consent for non-essential cookies. The KVKK does not require a Data Protection Officer or Data Protection Impact Assessments, but it does require VERBIS registration. Cross-border data transfer rules are stricter under the KVKK, and maximum fines are lower in absolute terms compared to the GDPR.
What changed with KVKK Decision 2026/347?
Decision 2026/347, published on 24 March 2026, prohibits data controllers from combining explicit consent texts with clarification (disclosure) texts into a single document. Consent requests and privacy disclosures must now be presented separately.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether they comply with the KVKK, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your Turkish visitors get a clear choice, and you stay compliant with Law No. 6698.
