ARTICLE
2 July 2025

Turkish DPA Flags Mandatory SMS Verification In Purchases

KST LAW

Contributor

KST LAW is an independent Istanbul based full service corporate law firm in cooperation with Kinstellar.

We provide legal services relevant to all aspects of business in a wide variety of sectors. We operate to the highest international standards in managing cross border transactions or investments and providing practical and creative solutions to legal or regulatory issues.

KST LAW is proud to have an exceptional client base consisting some of the largest Turkish conglomerates, sector leaders in Turkey, multi-nationals, investment or private equity funds and financial institutions.

On 26 June 2025, the Turkish Personal Data Protection Authority ("DPA") published its Principle Decision numbered 2025/1072 ("Principle Decision") in light of the widespread...
Turkey Privacy

June 2025 – On 26 June 2025, the Turkish Personal Data Protection Authority ("DPA") published its Principle Decision numbered 2025/1072 ("Principle Decision") in light of the widespread use of mandatory SMS verification codes requested from data subjects (e.g., consumers) during various product and service transactions (e.g., payment, registration, or membership processes).

The DPA underlined the non-compliance risk of such SMS verification processes under the Personal Data Protection Law No. 6698 ("DP Law") and cautioned that data controllers could be subject to sanctions.

Background

Numerous complaints were submitted to the DPA concerning service providers (e.g., retail stores) that request data subjects' phone numbers and send SMS verification codes under the pretext of completing a transaction, issuing invoices, or updating consumer information. It has been observed that the collected data through SMS verification is repeatedly used to send commercial electronic messages (e.g., SMS, email) without (i) providing clear information for such activity, and (ii) obtaining proper explicit consent, which is raising concerns about misleading and unlawful data processing practices.

DPA's key findings

While this common practice had previously come under the scrutiny of the DPA with its public announcement published on 17 December 2021 and 13 November 2023, it is emphasised again that such activities must be conducted with (i) proper information disclosure, and (ii) the acquisition of valid explicit consent. The DPA, within the Principle Decision, stated that:

  • Data subjects (e.g., consumers) were not adequately informed about the purpose of the SMS verification or the intended use of their personal data.
  • Service providers used a single SMS input to collect multiple types of consent (e.g., contract approval, data processing consent, and consent for commercial communications), which violates the validity condition that consent must be specific, informed, and freely given.

According to the DPA, the following measures must be implemented by data controllers to ensure lawful data processing activities when an SMS verification code is requested:

  • Data controllers should prefer post-service consent collection. Where possible, explicit consent for marketing should be requested after the completion of the product or service delivery.
  • Data controllers must provide clear information both prior to and within the SMS message, including:
    • the specific purpose of the verification code;
    • a clear statement that the code is not mandatory for receiving the service, unless it is strictly required for that purpose; and
    • an explanation that any permissions given via the code can be revised at any time.
  • Data controllers must obtain separate explicit consent for each distinct processing purpose (e.g., service provision and marketing communications). Such consent must be specific, informed, and freely given, and must not be made a condition for accessing the primary service (e.g., product purchase). In particular, marketing consent via SMS must not be bundled with operational processes such as payments or registration.
  • Data controllers must ensure regular internal training and awareness activities for their personnel involved in these consumer-facing processes to ensure compliance with their obligations.

Consequences of non-compliance

While the DPA has previously issued public announcements on similar matters, the above guidance is now formally set out in a Principle Decision. The DP Law regulates a separate administrative fine for failure to comply with the DPA's decisions.

In this Principle Decision, the DPA explicitly states that it will impose penalties on data controllers who do not fulfil the outlined obligations, in accordance with Article 18 of the DP Law.

Accordingly, a separate administrative fine for non-compliance with this Principle Decision may be imposed, ranging from TRY 340,476 to 13,620,402 (approx. EUR 7,300 to 291,929).

What should data controllers do?

Data controllers that implement such SMS verification process must review their practices and ensure compliance with the applicable requirements. In this regard, data controllers should:

  • Establish appropriate channels for providing the necessary information on personal data processing within the content of the SMS messages, in order to fulfil their obligation to inform;
  • Obtain valid explicit consent when seeking consent for the purpose of sending commercial electronic messages. To ensure the validity of such consent, all elements (informed, specific, freely given) must be met. Ideally, this consent should be obtained after the completion of the transaction;
  • Avoid creating the impression that SMS verification or the provision of explicit consent for commercial messages is a mandatory condition for accessing the product or service.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More