KVKK and Cookie Policy Compliance for E-commerce Sites

E-commerce sits at the intersection of KVKK and electronic commerce legislation. Many activities — customer records, payment information, cookie data, email delivery, and targeted advertising — create not independent but interrelated obligations. As a law firm providing advisory to Antalya-based e-commerce businesses for years, in this guide we explain the basic legal framework e-commerce sites must comply with.

E-commerce Business's Position from Data Protection Perspective

An e-commerce business processes customers' personal data at various stages:

• During registration and login,
• During order placement (name, address, phone, email),
• During payment (card information),
• During shipping (sharing with cargo company),
• In marketing activity (newsletter, targeted advertising),
• In customer behaviour analysis (cookies and tracking tools),
• In return and complaint processes.

Each stage requires evaluation under KVKK.

Obligations at Registration Phase

Privacy Notice

Privacy notice must be presented when customer registers. Notice must clearly state:

• Who data controller is,
• What data is processed,
• For what purposes processed,
• To whom transferred (cargo, payment services, cloud providers),
• Storage period,
• Data subject's rights.

The most preferred application is privacy notice placed before "I accept" tick.

Explicit Consent Notice

Separately from privacy notice, explicit consent must be obtained for marketing-purpose data processing. This consent:

• Should not be made mandatory for registration process (covert consent cannot be obtained through pre-ticked box),
• Should be withdrawable,
• Should relate to specific topic (separately for email marketing, SMS, targeted advertising).

Cookie Policy

Cookies on website are personal data processing. KVKK and international standards-compliant cookie management:

Cookie Banner

Site should show cookie information banner on first visit. Banner should:

• Explain which cookies are used,
• Distinguish between mandatory and optional cookies,
• Offer user option to separately accept optional cookies,
• Provide one-click accept/reject ease.

Cookie Policy Text

A separate page should contain detailed cookie policy. Policy should explain:

• List of all cookies used,
• Cookie provider (your own site vs. third party),
• Cookie purpose,
• Retention period,
• How user can change cookie preferences.

Third-Party Cookies

Third-party tools like Google Analytics, Facebook Pixel, Hotjar process personal data and transfer abroad. For use of these tools:

• Explicit consent must be obtained,
• One of mechanisms foreseen in KVKK for cross-border data transfer must be applied.

Order and Payment Phase

During order placement, customer data:

• Is processed for purpose of contract formation and performance — contract legal basis is sufficient,
• Storage of payment information requires additional security measures,
• Payment infrastructure compliant with international standards like PCI-DSS should be preferred,
• Data processor agreement must be made with payment service providers.

Distance Contract Obligations

Sale within e-commerce scope is considered distance contract and subject to electronic commerce legislation. Obligations:

• Pre-information — product features, price, shipping, delivery period, withdrawal right, etc.,
• Withdrawal right — as a rule, specific period from delivery,
• Return procedure — in case of withdrawal,
• Order confirmation and contract text sending to customer.

Newsletter and SMS Marketing

In Turkey, sending electronic commercial messages (email, SMS, instant messages) is subject to İYS (Message Management System) registration obligation. Obligations:

• Commercial messages cannot be sent without prior explicit consent,
• Right to refuse must be easily exercisable in every message,
• Re-message should not be sent to refused user,
• Approval verification and recording via İYS is mandatory.

Heavy administrative fines apply for İYS non-compliance.

Targeted Advertising and Remarketing

For showing targeted advertising (Facebook, Google Ads, etc.) based on customer's behaviour on site:

• Explicit consent must be obtained,
• This purpose must be explicitly stated in privacy notice,
• Cross-border data transfer rules must be considered,
• User must be able to refuse this cookie in cookie banner.

Data Breach Notification Obligation

When e-commerce site experiences cyberattack, data leak, or breach:

• Data Protection Board must be notified in shortest time,
• Affected customers must be notified of breach,
• Concrete measures must be taken to mitigate event impact.

Concealing breach or notifying late leads to additional sanctions.

VERBİS Registration

When e-commerce business's customer count and data processing intensity exceeds specific thresholds, VERBİS registration is mandatory. Registration:

• What types of data processed,
• For what purposes,
• With whom shared,
• Storage periods

declares. After registration, personal data storage and disposal policy must be prepared.

Service to Foreign Customers and GDPR

Turkish e-commerce businesses selling products to customers in Europe must also comply with EU GDPR. GDPR has many similarities with KVKK but introduces additional obligations:

• Designation of Data Protection Officer (DPO) under specific conditions,
• Data Protection Impact Assessment (DPIA) requirement,
• Designation of representative within EU.

Consumer Arbitration Committee and Court

In customer disputes within e-commerce scope:

• Disputes below specific amounts at Consumer Arbitration Committee,
• Larger disputes at Consumer Court,
• Customer can sue at their own residence; this creates nationwide litigation possibility for business in Antalya.

Preparedness of complaint management and customer relations unit for these processes reduces legal cost.

Practical Compliance Steps

1. Privacy notice added to main pages of site.
2. Cookie banner and cookie policy page setup.
3. İYS registration and approval management setup.
4. Distance contract processes legally compliant.
5. VERBİS registration and personal data storage disposal policy.
6. Data processor contracts — with payment, shipping, hosting services.
7. Data breach response plan.
8. Employee training.

Legal Support

For e-commerce businesses in Antalya, MONA HUKUK provides end-to-end compliance service: privacy notice and cookie policy preparation, İYS coordination, distance contract texts, KVKK compliance, and where needed additional GDPR services. In rapidly growing e-commerce market, by reinforcing your legal foundations, we set risk management on professional ground for sustainable growth.

Contact us at contact@monahukuk.com or call +90 (242) 606 14 32 to schedule a consultation in Antalya.