In recent years, it has become a controversial practice in Türkiye to obtain consents—particularly for marketing communications—by confirming contact information through a single SMS code during the delivery of products or services. The Turkish Personal Data Protection Authority ("the Authority") addressed this issue for the third time in its Resolution No. 2025/1072, published in the Official Gazette on 26 June 2025. This resolution clarified the conditions under which explicit consent obtained at store checkouts may be considered valid.
Background
The Authority had first addressed the issue of verifying contact information in its Resolution dated 22 December 2020 and numbered 2020/966. This decision highlighted that individuals may provide contact details that belong to someone else—either mistakenly or intentionally—which can result in the unauthorized disclosure of personal data. In light of this, the Authority emphasized that data controllers must take reasonable measures to verify contact information, in line with the principle of data accuracy under Article 4 of the Law on the Protection of Personal Data No. 6698 ("Law").
Following this decision, many data controllers introduced measures such as sending verification codes via SMS to confirm the accuracy of contact details. However, the Authority received complaints from individuals stating that although the verification code was requested only to confirm their contact information, they subsequently received unsolicited marketing messages.
As a result, the Authority issued a public announcement on 17 December 2021. In this announcement, it stressed that practices combining various processing activities—such as membership agreements, data processing consent, and marketing consent—into a single action, typically by sending a verification code via SMS during payment, must cease. It also noted that the obligation to inform individuals must be fulfilled both verbally and through the content of the SMS.
Following this, in its second announcement on 13 November 2023, the Authority stated that marketing consent must be obtained after the completion of a purchase. This approach was intended to prevent the perception that consent is a precondition for receiving the service.
Key Takeaways from the New Resolution
The Authority's new Resolution introduces a degree of flexibility compared to its earlier approach. While previous announcement emphasized that verification codes should only be requested post-purchase, the new decision recognizes that explicit consent may also be obtained prior to service delivery.
While introducing this limited flexibility, the Authority reaffirmed certain core principles. The key point emphasized in the decision is that individuals must be clearly informed that the service can still be provided without sharing the verification code concerning marketing consent, and that they have the right to change their preferences later. The Authority also requires data controllers to regularly train their personnel and raise awareness on proper consent practices.
The Resolution also reiterates the following points, consistent with previous announcements:
- The purpose of the SMS containing the verification code, as well as the consequences of sharing the code, must be clearly explained before the individual proceeds.
- Distinct data processing activities must not be bundled into a single action. Each must be conducted separately and based on the data subject's freely given will.
- In cases where data is processed based on explicit consent, the consent must meet all conditions set out in the Law.
- The obligation to inform and the process of obtaining explicit consent must be treated as separate legal requirements.
Conclusion
The fact that the Authority has now addressed this issue for a third time strongly suggests that its earlier announcements were not being adequately implemented. The Authority's Resolution on this matter indicates that earlier announcements were not adequately implemented in practice. It also signals the potential for increased scrutiny in this area going forward.
The common practice in physical retail stores of combining multiple consents through a single SMS clearly violates both the requirement for explicit, freely given consent and the obligation to provide distinct and clear information. Through this decision, the Authority has reaffirmed its position on the issue for the third time.
Notably, while maintaining its earlier position that post-purchase consent is preferable, the Authority has acknowledged the practical challenges of this approach and introduced an alternative option. This can be interpreted as an acknowledgment that requiring consent exclusively after a purchase may be impractical.
In conclusion, companies should reassess the content of SMS messages used at checkout, review their privacy notices, and separate their consent mechanisms according to the specific data processing purposes involved. It is equally important that employees are properly trained to implement these processes in compliance with the Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
