What KVKK and GDPR Actually Require About Website Trackers
Analytics, pixels and fonts that load before a visitor clicks "Accept" are the most common cause of privacy fines. Here is what the law expects — in plain language.
Almost every website loads third-party code: analytics, advertising pixels, session recorders, hosted fonts, a chat widget. Under both Türkiye's KVKK and the EU's GDPR (together with the ePrivacy rule on cookies), the moment those non-essential trackers run before the visitor consents, you are processing personal data without a legal basis. That single gap — trackers firing on page load, before anyone clicks "Accept" — is the most common trigger for enforcement.
Why "before consent" is the whole ballgame
The ePrivacy rule (GDPR Art. 5(3)) and KVKK Art. 5 both say the same thing in effect: reading from or writing to a visitor's device for non-essential purposes needs their prior consent. "Prior" is literal. A cookie banner that appears while Google Analytics has already set its identifier and sent a hit to the US has not obtained consent — it has documented the violation. Regulators look at what actually executed in the browser, not at the wording of your policy.
What counts as "essential" (and what doesn't)
- Essential (usually no consent needed): the session cookie that keeps a user logged in, the cart, a CSRF token, a load-balancer cookie.
- Non-essential (consent required first): analytics (GA4, Yandex Metrica), advertising and remarketing (Meta Pixel, DoubleClick, Criteo), session recording (Hotjar, Microsoft Clarity), and — often overlooked — hosted fonts and CDNs that transmit the visitor's IP abroad.
Tag managers deserve special mention: Google Tag Manager is not itself a tracker, but if it fires tags on the default page-view trigger, every tag it carries runs pre-consent — including ones a previous developer added and forgot.
The cross-border twist
Many of these trackers also send data outside the country — GA and the Meta Pixel to the US, Yandex to Russia. That engages a second regime entirely: KVKK Art. 9 / GDPR Chapter V, which require an explicit transfer mechanism (an adequacy decision, standard contractual clauses, or explicit consent). A pre-consent tracker that also transfers abroad fails two tests at once.
What regulators expect to see
- A genuine consent mechanism that blocks non-essential trackers by default and only releases them after opt-in.
- Reject as easy as Accept — a banner that nudges users toward consent, or uses dark patterns to obtain it, is treated as no consent at all.
- A record of what you process and why — the kind of inventory GDPR Art. 30 asks for.
What to do now
Scan your own site the way a regulator would: load it fresh, and see what fires before you click anything. Gate every non-essential tracker behind consent (Google Consent Mode v2 defaults set to "denied" is the standard pattern), self-host your fonts, and keep a dated record of what runs and why.
This article is general information, not legal advice. And the line we repeat everywhere: an automated scan is evidence of what a page does at a point in time and which legal articles that behaviour touches — it is not a determination that you are, or are not, legally compliant.