Turkey's KVKK and the 2024 Amendments: The Publisher and Advertiser Guide to Cookie Consent, Cross-Border Transfers, and Explicit Consent in 2026
Turkey's Personal Data Protection Law (KVKK, Law No. 6698) has been in force since 2016, but for most of that decade it operated as a quieter cousin of the GDPR — recognizably similar in structure but noticeably gentler in enforcement. That era has ended. The 2024 KVKK amendments, published in the Official Gazette on March 12, 2024, restructured the cross-border data transfer regime to align with GDPR-style adequacy and standard contractual clauses, and the KVKK Board (Kişisel Verileri Koruma Kurulu) has meaningfully escalated enforcement through 2025 and into 2026. For any publisher, advertiser, or platform processing data on Turkish users — whether based in Turkey or serving the Turkish market from abroad — 2026 is the year a modern consent stack stops being a nice-to-have and becomes the baseline. This guide walks through the law in its amended form, what cookie consent actually requires, how cross-border transfers now work, and what Board enforcement looks like in practice.
The Structure of KVKK After the 2024 Amendments
The KVKK is the primary data protection statute in Turkey, and its amended text is now the reference point. Publishers who have been working from the pre-2024 version are looking at an out-of-date framework.
What the 2024 Amendments Changed
The headline change was a rewrite of Article 9, which governs international data transfers. The pre-2024 regime was notoriously difficult to satisfy — it required either explicit consent or a case-by-case Board authorization for almost every cross-border flow, which was unworkable for any modern ad tech stack. The amended Article 9 introduces three tiers of transfer mechanism: an adequacy decision from the Board, a set of appropriate safeguards including standard contractual clauses, and in narrow cases, a set of derogations. This finally aligns Turkish transfer law with the GDPR pattern and makes programmatic advertising internationally compliant without a per-vendor Board filing.
What Did Not Change
The core definitions, lawful bases, data subject rights, and the explicit-consent standard for sensitive data remain as they were. The Turkish explicit-consent bar is, if anything, stricter in practice than the GDPR's standard, and this is where most publisher compliance gaps still sit.
The VERBIS Registry
Data controllers above certain thresholds — including most foreign controllers processing Turkish personal data at scale — must register in the Data Controllers Registry (VERBIS). Registration requires disclosure of processing activities, legal bases, and transfer mechanisms. Many foreign publishers have skipped VERBIS registration historically; the Board has signalled a more active posture on this through 2025 and 2026.
What Counts as Personal Data Under KVKK
The KVKK's personal data definition is broad and maps closely to the GDPR. Personal data is any information relating to an identified or identifiable natural person, and the Board's guidance has consistently treated cookies, advertising identifiers, IP addresses, and device fingerprints as personal data when they can be tied to a user directly or through reasonable means.
Sensitive Personal Data
The KVKK's list of sensitive categories is broader than the GDPR's: it explicitly includes race, ethnic origin, political opinion, philosophical belief, religion, sect, appearance, association or foundation membership, health, sexual life, criminal conviction, security measures, and biometric and genetic data. Processing any of these requires explicit consent — not the ambiguous or bundled kind, but a specific, informed, freely given consent tied to the specific sensitive processing.
Why This Matters for Cookies
A cookie that only stores a session ID is basic personal data. A cookie that feeds an audience segment like Liberal Voters or Devout Religious Community is sensitive personal data under the Turkish definition — and the consent configuration required is explicit-consent-or-nothing. Publishers targeting audience segments that touch the KVKK's sensitive list should not be running those segments under general advertising consent.
Cookie Consent Under KVKK in 2026
The Board's position on cookies has tightened over the past two years. The current guidance is unambiguous: cookies and tracking technologies that process personal data require consent unless strictly necessary for a service the user has requested.
The Four Elements of Valid Explicit Consent
Turkish explicit consent must be:
- Related to a specific subject — general umbrella consent covering unspecified future processing is not valid
- Informed — the user understands what data is processed, for what purpose, by whom, and for how long
- Freely given — the user can refuse without being denied a service they are otherwise entitled to
- Expressed by a clear affirmative act — pre-ticked boxes, implied consent, and scroll-as-consent are all invalid
What a Compliant CMP Looks Like
A CMP configured for Turkish traffic in 2026 should present:
- A visible banner before any non-essential cookie fires, defaulting to Turkish (Türkçe) for Turkish users
- Equal visual prominence for Accept, Reject, and Customize — the Board has specifically called out banner designs where Reject is less visible than Accept
- Granular toggles per purpose: analytics, advertising, personalization, cross-border transfer, and any sensitive-category processing
- A persistent, easy-to-access mechanism to withdraw consent after the initial choice
- A Turkish-language Aydınlatma Metni (Privacy Notice) disclosing controller identity, purposes, recipients, retention, and rights
- A separate, clearly-labelled explicit consent flow (açık rıza) for any sensitive-category processing, gated behind its own action
Consent Records
The controller must maintain records of consent — who consented, when, to what, through what interface. The KVKK Board has cited inadequate consent logs in several enforcement actions, and exportable timestamped logs are the baseline expectation.
Cross-Border Transfers Under the 2024 Article 9
The 2024 amendments introduced a three-tier transfer framework that mirrors the GDPR's approach. Understanding which tier applies to which flow is the most common compliance gap for foreign publishers in 2026.
Tier 1 — Adequacy Decision
The Board can designate a country, international organization, or sector of a country as providing adequate protection. Transfers to adequate destinations are permitted without additional mechanism. As of early 2026, the Board has been gradually issuing adequacy decisions but has not yet designated the United States broadly.
Tier 2 — Appropriate Safeguards
In the absence of adequacy, transfers are permitted on the basis of appropriate safeguards. The amendments specifically contemplate standard contractual clauses approved by the Board, binding corporate rules for intra-group transfers, and Board-approved codes of conduct or certification mechanisms. The Board's standard contractual clauses were published in 2024 and are the main working mechanism for most publishers.
Tier 3 — Derogations
Narrow exceptions exist for occasional transfers, transfers required for contract performance, or transfers the user has explicitly consented to. These are not usable as a primary legal basis for ongoing programmatic flows.
Practical Implication for Publishers
A typical programmatic stack sends cookie-derived data to dozens of overseas vendors per bid. Each of those flows is a cross-border transfer. The 2026 workable approach is to execute Board-approved standard contractual clauses with each international processor and document the transfer mechanism in the Aydınlatma Metni and the VERBIS registration. Publishers that have stuck with pre-2024 explicit-consent-per-transfer logic are simultaneously overexposed on compliance risk and underused on monetization opportunity.
Data Subject Rights
Turkish data subjects have the full set of rights found in the GDPR, applied through the KVKK framework:
- Right to learn whether their data is being processed
- Right of access to the processed data
- Right to correction of inaccurate data
- Right to erasure or anonymization where processing is no longer justified
- Right to be informed of third parties the data has been disclosed to
- Right to object to automated decisions producing adverse effects
- Right to compensation for damages caused by unlawful processing
Response Timelines
Controllers must respond to data subject requests within 30 days. The data subject can escalate to the KVKK Board if the controller's response is inadequate, and the Board has a 60-day window to decide. Operational readiness for the 30-day window — with runbooks, tooling, and Turkish-language response templates — is a common gap for foreign publishers.
Penalties and Enforcement Posture in 2026
The KVKK Board was relatively quiet through its first several years but has meaningfully ramped up enforcement. The 2025 fine total was the highest since the law came into force, and 2026 is on a similar trajectory.
Administrative Fines
Administrative fines are annually indexed to inflation. As of 2026 the ceiling for the most serious violations exceeds TRY 40 million per violation, and separate caps apply to failures around data security, notification, VERBIS registration, and Board decisions. Foreign controllers have been fined at the top of the range in several 2025 actions.
Reputational Exposure
The Board publishes summaries of enforcement decisions on its website. Foreign publisher fines have regularly made Turkish technology press, and the reputational cost of a public KVKK decision is typically higher than the fine itself.
Enforcement Themes
The Board's 2025 and early-2026 actions cluster around a small set of recurring issues: missing or ambiguous cookie consent, inadequate Aydınlatma Metni, unregistered foreign controllers in VERBIS, and unlawful cross-border transfers using the pre-2024 framework.
Audit Checklist for Turkish Traffic in 2026
- CMP banner is served in Turkish for Turkish users, with Accept, Reject, and Customize at equal visual prominence
- Consent purposes are granular and separate any sensitive-category processing behind its own explicit consent flow
- Consent logs are timestamped, exportable, and retained for at least the processing duration plus an auditable margin
- Aydınlatma Metni is available in Turkish with full disclosures of controller, processors, purposes, retention, and rights
- VERBIS registration is complete and up to date if the controller crosses the threshold
- Cross-border transfers rely on the 2024 standard contractual clauses or another valid Article 9 mechanism, with the mechanism documented in the Aydınlatma Metni
- Data subject request workflow can respond within 30 days end-to-end, in Turkish
- Vendor list has been reviewed, with unused or redundant vendors removed to reduce exposure
The 2026 Outlook
Turkey's data protection regime has caught up with the European framework in form and is rapidly catching up in enforcement. The 2024 amendments removed the biggest structural blocker to modern international ad tech — the old transfer regime — and the Board has used the two years since to focus on enforcement of the rest of the law. Publishers with a GDPR-grade consent stack need to make relatively small adjustments to be Turkey-ready: Turkish-language CMP and notice, VERBIS registration if applicable, 2024-standard transfer clauses, and care with the broader sensitive-data list. Publishers who have been treating Turkey as a lighter-touch market will find 2026 more expensive than 2025, and 2027 more expensive than 2026. The gap can be closed in weeks if it is prioritized — and it should be.