June 2025 – On 26 June 2025, the Turkish Personal Data Protection Authority ("DPA") published its Principle Decision numbered 2025/1072 ("Principle Decision") in light of the widespread use of mandatory SMS verification codes requested from data subjects (e.g., consumers) during various product and service transactions (e.g., payment, registration, or membership processes).
The DPA underlined the non-compliance risk of such SMS verification processes under the Personal Data Protection Law No. 6698 ("DP Law") and cautioned that data controllers could be subject to sanctions.
Background
Numerous complaints were submitted to the DPA concerning service providers (e.g., retail stores) that request data subjects' phone numbers and send SMS verification codes under the pretext of completing a transaction, issuing invoices, or updating consumer information. It has been observed that the data collected through SMS verification is repeatedly used to send commercial electronic messages (e.g., SMS, email) without (i) providing clear information about such activity, and (ii) obtaining proper explicit consent, raising concerns about misleading and unlawful data processing practices.
DPA's key findings
While this common practice had previously come under the scrutiny of the DPA in its public announcements published on 17 December 2021 and 13 November 2023, the DPA has emphasised again that such activities must be conducted with (i) proper information disclosure, and (ii) the acquisition of valid explicit consent. In the Principle Decision, the DPA stated that:
- Data subjects (e.g., consumers) were not adequately informed about the purpose of the SMS verification or the intended use of their personal data.
- Service providers used a single SMS input to collect multiple types of consent (e.g., contract approval, data processing consent, and consent for commercial communications), which violates the validity condition that consent must be specific, informed, and freely given.
According to the DPA, the following measures must be implemented by data controllers to ensure lawful data processing activities when an SMS verification code is requested:
- Data controllers should prefer post-service consent collection. Where possible, explicit consent for marketing should be requested after the completion of the product or service delivery.
- Data controllers must provide clear information both prior to and within the SMS message, including:
  - the specific purpose of the verification code;
  - a clear statement that the code is not mandatory for receiving the service, unless it is strictly required for that purpose; and
  - an explanation that any permissions given via the code can be revised at any time.
- Data controllers must obtain separate explicit consent for each distinct processing purpose (e.g., service provision and marketing communications). Such consent must be specific, informed, and freely given, and must not be made a condition for accessing the primary service (e.g., product purchase). In particular, marketing consent via SMS must not be bundled with operational processes such as payments or registration.
- Data controllers must ensure regular internal training and awareness activities for their personnel involved in these consumer-facing processes to ensure compliance with their obligations.
Consequences of non-compliance
While the DPA has previously issued public announcements on similar matters, the above guidance is now formally set out in a Principle Decision. The DP Law regulates a separate administrative fine for failure to comply with the DPA's decisions.
In this Principle Decision, the DPA explicitly states that it will impose penalties on data controllers who do not fulfil the outlined obligations, in accordance with Article 18 of the DP Law.
Accordingly, a separate administrative fine for non-compliance with this Principle Decision may be imposed, ranging from TRY 340,476 to TRY 13,620,402 (approx. EUR 7,300 to EUR 291,929).
What should data controllers do?
Data controllers that implement such SMS verification processes must review their practices and ensure compliance with the applicable requirements. In this regard, data controllers should:
- Establish appropriate channels for providing the necessary information on personal data processing within the content of the SMS messages, in order to fulfil their obligation to inform;
- Obtain valid explicit consent when seeking consent for the purpose of sending commercial electronic messages. To ensure the validity of such consent, all elements (informed, specific, freely given) must be met. Ideally, this consent should be obtained after the completion of the transaction;
- Avoid creating the impression that SMS verification or the provision of explicit consent for commercial messages is a mandatory condition for accessing the product or service.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.