KVKK

Law on the Protection of Personal Data No. 6698 (Kişisel Verilerin Korunması Kanunu)

Turkey | Opt-in | National

Key Facts

Effective Date: April 7, 2016
Enacted: April 7, 2016
Enforcing Authority: Turkish DPA (KVKK Board — Kişisel Verileri Koruma Kurumu)
Consent Model: Opt-in
Applies To: Any organization processing personal data of individuals in Turkey, including through cookies

Overview

Turkey's KVKK (Law 6698) is broadly modeled on the GDPR but lacks specific cookie legislation. Cookies that process personal data require explicit consent. The 2024-2025 amendments significantly strengthened the framework, introducing cross-border data transfer rules, expanded personal data definitions, and data portability rights.

What This Means for Your Website

  • Explicit consent is required for cookies that process personal data of Turkish visitors
  • Data controllers must register with VERBIS (Data Controllers Registry) before processing personal data
  • Consent must be informed and freely given, with the right to withdraw at any time
  • The 2025 updates introduced digital consent tracking and user-friendly withdrawal mechanisms
  • Penalties are adjusted annually for inflation, making fine amounts a moving target

Key Requirements

The KVKK Board enforces the law with penalties that vary by violation type — from TRY 68,083 for information failures to TRY 17,092,242 for VERBIS violations. All penalty amounts are adjusted annually for inflation. VERBIS registration is mandatory before processing personal data. The 2024-2025 amendments expanded the personal data definition and introduced structured cross-border transfer rules including adequacy decisions, SCCs, and BCRs.

How ConsentStack Handles This

ConsentStack detects Turkish visitors and presents a consent banner requiring explicit opt-in for all cookies that process personal data. The platform's consent records support the digital consent tracking requirements introduced in the 2025 updates.

Penalties

Failure to inform: TRY 68,083-1,362,021. Failure to provide data security: TRY 204,285-13,620,402. VERBIS violations: TRY 341,809-17,092,242. Adjusted annually for inflation.

Maximum Fine: TRY 17,092,242 per violation

Key Requirements

  • Explicit consent for cookies that process personal data
  • Data controllers must register with VERBIS before processing
  • Consent must be informed and freely given
  • Right to withdraw consent at any time
  • Digital consent tracking and user-friendly withdrawal mechanisms

Notable Provisions

  • 2024-2025 amendments expanded personal data definition and data portability
  • VERBIS registration mandatory for data controllers
  • Penalties adjusted annually for inflation
  • No formal cookie-specific guidance

Other European Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy Directive (European Union + EEA)
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
Loi Informatique et Libertés (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.
UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does Turkey have a cookie-specific law?

No. Turkey has no formal cookie-specific legislation. Cookies processing personal data fall under KVKK's general consent requirements. ConsentStack applies the appropriate consent model automatically.

What is VERBIS?

VERBIS is Turkey's mandatory Data Controllers Registry. Data controllers must register with VERBIS before processing personal data, including through cookies.

What are the KVKK penalties?

Penalties range from TRY 68,083 to TRY 17,092,242 depending on the violation type, and are adjusted annually for inflation.

What changed in KVKK in 2024-2025?

Amendments expanded the personal data definition, added data portability rights, and introduced structured cross-border data transfer rules including adequacy decisions, SCCs, and BCRs.
