In my previous article, I discussed the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, regarding the collection, processing, and storage of user data, and I attempted to summarize the obligations related to user data under this regulation.
In this article, I will discuss how to configure tracking, retargeting, and personalization processes. I will primarily examine these processes within the context of frequently used applications and services.
User Data and User Consent
We can begin with the common definition of consent. Consent refers to an agreement, approval, or acceptance given by individuals in response to a specific situation. This term is frequently used in legal, medical, research, and social relationship contexts. However, it is essential to evaluate the consent requirement within the boundaries established by law. For instance, even if a minor user provides consent, they may still be exempt from obligations arising from such consent under relevant legal provisions. Therefore, the consent process must be evaluated not only in everyday language but also within the relevant contextual framework.
Types of consent include unambiguous consent, implied consent, explicit consent, informed consent, collective consent, and substituted consent.
Unambiguous Consent
: In the field of personal data protection under EU law, unambiguous consent is the standard, and consent is valid provided that it has been given unambiguously. Consequently, the characteristics and conditions required for valid consent are clearly defined. The GDPR continues to use the concept of explicit consent for special categories of personal data[1].
Implied Consent
: Consent derived from a person’s actions and from the facts and conditions of a particular situation (or, in some cases, from a person’s silence or inactivity). The term implied refers to situations that are not explicitly stated or declared.
Explicit Consent
: A clear and direct form of approval, which may be given in writing, orally, or silently. For example, a clear physical gesture such as nodding one’s head may constitute explicit consent. If the consent is not documented by witnesses, is not in writing, or if one of the parties objects to it through a voice or video recording, the right to object arises. In the KVKK, the term “explicit consent” is always used in reference to the concept of consent[1].
Informed Consent
: Consent in which the individual is clearly informed of the facts of an action, the obligations that will arise along with the consent, and the future consequences. It is a form of consent in which the individual declares that they have understood the situation. This type of consent is frequently used in research contexts; participants explicitly state that they understand the research procedures and have given their consent for them.
Collective Consent
: Consent given collectively by a group composed of various parties, such as an association, trade union, etc.
Substituted Consent
: Consent given by a decision-maker on behalf of an incompetent individual.
Other types of consent, and their Turkish equivalents (e.g., “open consent”), can also lead to confusion in usage[1].
Let’s go back to the GDPR. According to the GDPR, user consent must be valid, freely given, specific, and informed, with clear information provided about the relevant circumstances. Consent must also be given through an active action. However, legal consent mechanisms have proven hard to apply and to scope in the digital world, which has made alignment difficult. Legal grey areas certainly can and should be evaluated. For instance, a recent study has shown that major companies such as Google, Amazon, Facebook, Apple, and Microsoft (collectively referred to as GAFAM) employ opaque consent mechanisms, raising doubts about the legal validity of the consent obtained[2].
Actions to Be Taken
Establish processes for collecting, processing, and storing personal data. Clearly and understandably communicate to users the purposes for which the data is collected and with whom, and for what purposes, it will be shared. Where the collection of such information requires it, obtain user consent. Users may give full or partial consent, or withdraw their consent at any time[3].
- Obtain technical and legal advice regarding data protection and online advertising processes.
- Designate a primary point of contact or representative responsible for communicating user requests and legal actions.
- Work with a legal advisor and legal representative to manage user consent, manage consent settings, process user requests, manage legally required user data, and handle other relevant legal processes.
- Review the data management and data privacy policies of the tools/services you are using. Ensure that these tools and services comply with GDPR requirements.
- If you are personally handling or processing data, appoint a data protection officer. This individual is responsible for ensuring the organization complies with GDPR requirements.
- If possible, work with an EU Representative.
- Add the representative’s information to the relevant pages/services.
- Use customized pages for user requests and promptly process user requests through your representatives.
For example, assume you are managing online ads via Google Ads. In this case, you can configure the representative details under Settings and Billing > Account > Preferences > Data protection personnel[4].
Configure Tracking (Monitoring) Actions
Monitoring and advertising services are required to comply with regional regulations (KVKK, CCPA, ePrivacy, etc.) and general regulations (such as the GDPR) by implementing the necessary updates and providing clear guidance to their users regarding these regulations. Additionally, if a website and/or application stores user data, it must specify which data is being stored, for what purpose (categories, etc.), for how long, and with whom it is shared.
For example, this site uses various monitoring tools and cookies for general and specific purposes (such as YouTube videos, SlideShare presentations, etc.). Generally, these tools are used for performance optimization (tracking daily visitors, form submissions, page load times, UX improvements, etc.) and do not include any personally identifiable information (such as names, email addresses, IP addresses, etc.). These tools are configured with this in mind at setup and are then checked for compliance with the GDPR, CCPA, and ePrivacy regulations.
The installation, compliance process, and other configuration procedures will be addressed separately based on services, categories, and regulations.
Ensure Data Security
If your website and/or applications are collecting user data, you will certainly need to implement monitoring processes, obtain legal advisory services, and provide users with specific information messages. Responsibility for potential data breaches begins the moment you start storing such data. Therefore, you must conduct regular audits, promptly notify users of any potential breaches, delete expired data, and/or anonymize it. If you are processing such data or sharing it with third-party individuals or organizations (such as monitoring or sales services), you will also be responsible for overseeing and managing this process.
Report Breaches Within 72 Hours
As part of data protection, you must notify users of potential breaches or suspected incidents within 72 hours. Otherwise, you may be subject to significant fines. For example, under the GDPR, fines could amount to either EUR 20 million or up to 4% of your organization’s or entity’s annual global revenue—whichever is higher.
Respond to Requests Within 30 Days at the Latest
You must respond to requests made by users—such as adding consent (opt-in), removing consent (opt-out), downloading personal data, updating, deleting, anonymizing, or erasing data—within 30 days. Additionally, enabling users to easily view their relevant consent settings and to configure their own consent preferences will provide significant advantages. For instance, many cookie and tracking compliance tools offer customizable options in this regard. However, a key requirement remains: you must clearly document which data is being processed. Inadequate information or configuration may lead to legal complications. Therefore, continuous monitoring and process improvement efforts must not be overlooked.
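The consent handling described in the “Actions to Be Taken” section and in the paragraph above (active opt-in, full or partial consent, withdrawal at any time, and a clear record of what each opted-in category stores) can be modelled as follows. This is an added illustration, not code from the original article; the category names, purposes, and retention periods are assumptions chosen for the example.

```javascript
// Added example (not from the original article): a consent-state manager that
// loads tracking scripts only for categories the user has actively opted into.
// Category names, purposes and retention periods are illustrative assumptions.
const CONSENT_VERSION = "2020-12"; // bump whenever the privacy notice changes
// Tracker registry grouped by purpose; each entry documents what it stores and
// for how long, the information the article says must be disclosed to users.
const TRACKERS = {
  performance: { purpose: "visitor counts, page load times", retention: "14 months", load: () => "analytics-loaded" },
  media: { purpose: "embedded video / slide players", retention: "session", load: () => "embeds-loaded" },
  retargeting: { purpose: "ad audience lists", retention: "30 days", load: () => "pixel-loaded" },
};

// Default state: nothing granted, so nothing loads until the user opts in.
function emptyConsent(now) {
  return { version: CONSENT_VERSION, updatedAt: now, categories: {} };
}

// Opt-in and opt-out are the same operation with a different flag; partial
// consent (some categories only) and later withdrawal are both supported.
function setConsent(record, categories, granted, now) {
  const next = { ...record, updatedAt: now, categories: { ...record.categories } };
  for (const c of categories) {
    if (!(c in TRACKERS)) throw new Error(`unknown consent category: ${c}`);
    next.categories[c] = granted;
  }
  return next;
}
const grant = (record, categories, now) => setConsent(record, categories, true, now);
const withdraw = (record, categories, now) => setConsent(record, categories, false, now);

// A record taken under an older notice version is stale: re-ask, load nothing.
function isCurrent(record) {
  return record.version === CONSENT_VERSION;
}

// Load only trackers whose category carries a current, explicit true.
function loadPermitted(record) {
  if (!isCurrent(record)) return [];
  return Object.keys(TRACKERS)
    .filter((c) => record.categories[c] === true)
    .map((c) => TRACKERS[c].load());
}

// What the user sees on their consent settings page or gets on a data request.
function describeProcessing(record) {
  return Object.keys(TRACKERS)
    .filter((c) => record.categories[c] === true)
    .map((c) => ({ category: c, purpose: TRACKERS[c].purpose, retention: TRACKERS[c].retention }));
}
```

In a real site the `load` functions would inject the vendor scripts, and the record would be persisted (for example in a first-party cookie) so that it can be shown to the user and produced on an access request.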
Footnotes
1. Dülger, D. (2020). AB Genel Veri Koruma Tüzüğü (GDPR) ve KVKK’da Rıza Kavramı. Retrieved 20 December 2020, from https://www.academia.edu/39001909/A
2. Human, S., & Cech, F. (2020). A Human-Centric Perspective on Digital Consenting: The Case of GAFAM. Human Centred Intelligent Systems, 139-159. doi: 10.1007/978-981-15-5784-2_12
3. Helping publishers and advertisers with consent. Google Cookie Choices.
4. What is the General Data Protection Regulation (GDPR)? Google Ads Help.