Accessibility Law and Data Protection for Enterprise Websites
Web Accessibility (WCAG) and KVKK: Legal Obligations of Enterprise Websites
Enterprise websites are not just brand surfaces; they're channels subject to legal regulation. The European Accessibility Act, KVKK and GDPR set the framework for design, development and content management. This article covers the legal obligations enterprise brands need to address.
Web Accessibility: WCAG 2.2 Criteria
Web Content Accessibility Guidelines (WCAG) 2.2 is the global accessibility standard. Level AA is the target compliance point for enterprise projects. Four core principles:
Perceivable: Content must be presented in ways every user can perceive. Alt text for images, captions for video, sufficient colour contrast (4.5:1 for normal text, 3:1 for large text).
Operable: All functionality must be keyboard-accessible. No keyboard traps. Users must have sufficient time; auto-redirects must be controllable.
Understandable: Page language must be specified (lang attribute). Form errors must be clear. Consistent navigation and labelling.
Robust: Semantic HTML must be used correctly. ARIA is used only where needed, and used correctly. Screen reader compatibility must be tested.
European Accessibility Act (EAA)
EAA came into force on 28 June 2025. Enterprise brands offering goods or services in the EU, e-commerce platforms, banking services and mobile apps fall under this law. WCAG 2.1 AA is the minimum compliance level. Türkiye-based brands serving EU markets are evaluated under EAA.
KVKK: Data Protection in Websites
Türkiye's Personal Data Protection Law (Law No. 6698) covers all entities processing personal data. KVKK compliance points for websites:
Privacy notice: Every form must transparently state which data is processed and why, via a linked notice written in clear language.
Explicit consent: For marketing data processing, the user must give active consent. Pre-checked checkboxes are not allowed.
Cookie policy: Non-essential cookies require user consent. Analytics, advertising and tracking cookies must not load before consent.
VERBİS registration: Companies above a certain scale must register with the Data Controllers Registry.
GDPR: European Data Protection Regulation
Türkiye-based brands serving EU markets or processing data of EU-resident users fall under GDPR. It largely overlaps with KVKK, with some differences. Data processing agreements, breach notification (within 72 hours) and the right to erasure are the elements where GDPR is distinctly stricter.
Cookie Management (CMP)
Cookie management platforms (Cookiebot, OneTrust, Usercentrics) have become standard on enterprise sites. They handle cookie categorisation (essential, performance, functional, targeting), consent storage and reporting.
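To make the "must not load before consent" rule concrete, here is an added example (not code from the article or from any of the platforms named above) of a minimal consent gate: non-essential categories default to denied, the consent record is validated when read back from the cookie, and category-tagged scripts are only activated for permitted categories. The cookie layout and the `data-category` / `data-src` script attributes are assumptions for this example.

```javascript
// Added example (not from the article): consent-gated loading of categorised scripts.
// Category names follow the CMP categories above; record layout and tag attributes are assumed.
const CATEGORIES = ["essential", "performance", "functional", "targeting"];
// State before the user chooses: only essential allowed, nothing pre-ticked.
function defaultConsent() {
  return { essential: true, performance: false, functional: false, targeting: false };
}
// Banner choices -> consent record. Only an explicit `true` enables a category; essential stays on.
function recordConsent(choices, timestamp = Date.now()) {
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat !== "essential" && choices[cat] === true) consent[cat] = true;
  }
  return { version: 1, timestamp, consent };
}
// Which declared scripts may run under a record (no record = default deny).
function scriptsAllowed(scripts, record) {
  const consent = record ? record.consent : defaultConsent();
  return scripts.filter((s) => consent[s.category] === true);
}
// Cookie value round-trip. parseConsent() rejects anything that is not a
// well-formed record, so a tampered or stale cookie falls back to the deny state.
function serializeConsent(record) {
  return encodeURIComponent(JSON.stringify(record));
}
function parseConsent(value) {
  try {
    const rec = JSON.parse(decodeURIComponent(value));
    if (!rec || rec.version !== 1 || typeof rec.timestamp !== "number") return null;
    return recordConsent(rec.consent, rec.timestamp); // re-validates every flag
  } catch (e) {
    return null; // malformed, absent or tampered value: treat as no consent
  }
}
// Browser side: tags are authored as <script type="text/plain" data-category="..." data-src="...">
// so they never execute on parse; only permitted ones are swapped for live tags. No-op outside a DOM.
function activateScripts(record) {
  if (typeof document === "undefined") return 0;
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-category]'));
  const declared = tags.map((t) => ({ tag: t, category: t.dataset.category }));
  let activated = 0;
  for (const { tag } of scriptsAllowed(declared, record)) {
    const live = document.createElement("script");
    live.src = tag.dataset.src;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Call `activateScripts(parseConsent(cookieValue))` on page load and again after the banner writes a new record; a missing or invalid cookie yields `null`, which activates essential scripts only.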
Forms and User Data
Contact, subscription and application forms must follow data minimisation. Only fields needed for the purpose are collected. Retention periods are defined and automatic deletion processes set up.
Impact on Design
These topics aren't a compliance checklist tacked on at the end; they're decisions made at brief stage. Form fields, cookie banner design, font choices, colour palette and interaction design are shaped within this framework.
Conclusion
Enterprise websites operate within an increasingly tight legal framework. WCAG 2.2 AA, KVKK compliance points and where applicable GDPR must be on the table at the start of design and development. Adding this framework later is both costly and risky.