Skip to main content
Fix guides

How to fix common KVKK & GDPR privacy issues

Plain-English guides to the issues automated scanning finds most often — what each one means, who it affects, and how to fix it.

Serious KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3) · Analytics

Stop Google Analytics from loading before consent (KVKK/GDPR)

Google Analytics (GA4) sets identifiers and sends the visitor’s IP and page data to Google the moment it loads. If that happens before the visitor accepts cookies, it is processing without a legal basis.

Serious KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3) · Tag manager

Gate Google Tag Manager behind consent

Google Tag Manager is a loader: it can inject analytics, ad and pixel tags. If GTM fires those tags on page load, every one of them runs before consent — even the ones you forgot were there.

Serious KVKK m.5 · GDPR Art. 6 · Art. 26 (joint controller) · Social pixel

Load the Meta (Facebook) Pixel only after consent

The Meta Pixel tracks visitors for advertising and builds custom audiences. Firing it on page load shares behaviour with Meta before consent — and Meta is a joint controller for that data.

Critical KVKK m.5 · GDPR Art. 6 · Art. 9 risk · Session recording

Session recording (Hotjar, Clarity, Yandex) needs explicit consent

Hotjar, Microsoft Clarity and Yandex Webvisor record the visitor’s screen, mouse and keystrokes. Loading them before consent captures potentially sensitive input without a legal basis.

Moderate KVKK m.9 · GDPR Chapter V (transfers) · CDN

Self-host Google Fonts to stop leaking visitor IPs

Loading fonts from fonts.googleapis.com sends every visitor’s IP address to Google on page load — a cross-border transfer that happens before consent and cannot be consented to for an essential asset.

Serious KVKK m.5 · m.9 · GDPR Art. 6 · Chapter V · Analytics

Yandex Metrica: consent + a cross-border transfer to Russia

Yandex Metrica is analytics (and, with Webvisor, session recording) that sends data to Russia. It raises both a pre-consent problem and a cross-border transfer problem at once.

Critical KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3) · Consent

No consent banner? Non-essential trackers can’t run at all

If PrivaScan finds trackers but no consent management platform, there is no mechanism to get consent — which means every non-essential tracker on the page is running without a legal basis.

Serious KVKK m.5 · GDPR Art. 6 · ePrivacy Art. 5(3) · Advertising

Google Ads / DoubleClick remarketing before consent

DoubleClick / Google Ads remarketing tags drop advertising cookies to retarget visitors across the web. On page load, that is advertising processing without consent.

See where your site stands

Run a free privacy scan and get a prioritized list of what to fix.