Yandex Metrica: consent + a cross-border transfer to Russia
Yandex Metrica is an analytics service (and, with Webvisor enabled, a session recorder) that sends data to Russia. It raises a pre-consent problem and a cross-border transfer problem at the same time.
Why it matters
As non-essential analytics, it needs prior consent (KVKK Art. 5 / GDPR Art. 6). And because data flows to Russia, a country without an EU adequacy decision, it also needs a transfer mechanism under KVKK Art. 9 / GDPR Chapter V. Firing on page load fails both tests.
How to fix it
Load ym() only after opt-in, disable Webvisor unless you have a specific need and explicit consent, and document the transfer basis. If you cannot justify the transfer, prefer a self-hosted, cookieless analytics tool instead.
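// Only after consent, and without Webvisor by default.
// YOUR_ID is a placeholder for your numeric counter ID.
// The Metrica tag script that defines ym() must also be loaded
// only after consent, not unconditionally in the page head.
function onConsentAccepted() {
  ym(YOUR_ID, 'init', {
    webvisor: false,   // no session recording
    clickmap: false,
    trackLinks: true
  });
}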
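The snippet above assumes ym() already exists. As an added example (not PrivaScan's or Yandex's own code), the loader below injects the tag script itself only after opt-in and turns Webvisor on only with a separate, explicit choice. The consent object shape ({ analytics, sessionRecording }), the 'consent:updated' event name, the __metricaLoaded flag and the counter ID are assumptions.

```javascript
// Added example: consent-gated Metrica loader. Consent shape, event name and
// counter ID are assumptions, not taken from the page or from Yandex docs.
const TAG_URL = 'https://mc.yandex.ru/metrika/tag.js'; // Yandex's public tag script

// Map the visitor's choices to init options; null means "do not load at all".
function metricaOptions(consent) {
  if (!consent || consent.analytics !== true) return null;
  return {
    webvisor: consent.sessionRecording === true, // separate, explicit opt-in
    clickmap: false,
    trackLinks: true
  };
}

// Inject the tag and queue init only when consent allows it. Safe to call twice:
// a changed choice takes effect on the next page load, not by re-initialising.
function loadMetrica(win, doc, counterId, consent) {
  const options = metricaOptions(consent);
  if (options === null) return false;      // no script tag, no request to Yandex
  if (win.__metricaLoaded) return true;    // already injected on this page
  win.__metricaLoaded = true;
  // Stub queue so the init call is recorded until tag.js arrives.
  win.ym = win.ym || function () { (win.ym.a = win.ym.a || []).push(arguments); };
  win.ym.l = Date.now();
  const s = doc.createElement('script');
  s.async = true;
  s.src = TAG_URL;
  doc.head.appendChild(s);
  win.ym(counterId, 'init', options);
  return true;
}

// Browser wiring; 'consent:updated' is a hypothetical event from your banner.
if (typeof window !== 'undefined') {
  window.addEventListener('consent:updated', (e) =>
    loadMetrica(window, document, 12345678 /* placeholder counter ID */, e.detail));
}
```

To verify the gate, load the page with a fresh profile and confirm that no request to mc.yandex.ru appears in the network panel until the banner choice is made.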
Official sources
- KVKK — Law No. 6698 (official full text, mevzuat.gov.tr)
- KVKK — Kişisel Verileri Koruma Kurumu (Turkish DPA)
- GDPR — full regulation, article by article
- ePrivacy Directive 2002/58/EC — cookies, Art. 5(3)
- EDPB — guidelines on consent & cookies
Links to primary legislation for reference. PrivaScan is not affiliated with these bodies; this is information, not legal advice.