The Principle Decision ("Decision") numbered 2025/1072, issued by the Personal Data Protection Board ("Board") on June 10, 2025, regarding the processing of personal data through the transmission of verification codes via short message service (SMS) during the provision of goods and services, was published in the Official Gazette dated June 26, 2025, and numbered 32938.
This Decision reveals how the practices frequently used by e-commerce and digital service providers in identity verification processes should be evaluated within the scope of the Personal Data Protection Law No. 6698 and clarifies the legal obligations of data controllers in this context.
The Board conducted an investigation based on complaints and notices received regarding the sending of verification codes via SMS to individuals during the provision of products and services (such as during payment, registration, membership, or quotation processes), where the individual is requested to enter the code into the system or convey it to a staff member, and commercial electronic messages are sent during these processes.
As a result of the investigation, it was determined that no disclosure was provided in the SMS messages sent to individuals, the code was obtained by stating that it was required for payment or registration, but it was actually used for the purpose of obtaining consent for commercial messages. The Board evaluated that this situation amounted to misleading individuals and did not meet the validity requirements for explicit consent.
In its decision, the Board stated that various violations were identified regarding personal data processing activities carried out through the transmission of verification codes via SMS and that such practices must be terminated. In this context, it was emphasized that data controllers must pay particular attention to the following points:
- The purpose of the verification codes being sent and the consequences of this action must be clearly and understandably conveyed to the data subjects,
- The obligation to inform under Article 10 of Law No. 6698 must be fully fulfilled,
- In cases where explicit consent must be obtained, individuals must be provided with a separate, freely made, and genuine choice,
- Commercial electronic message permissions must not be presented as a prerequisite for benefiting from the service and must be obtained in accordance with the principle of consent,
- Relevant personnel must be adequately trained to ensure the effective execution of all these processes.
As a result of the Decision, if explicit consent regarding personal data processing activities is to be obtained via SMS, two different methods stand out. Firstly, it is preferable that the SMS intended for obtaining explicit consent is sent after the shopping is completed. However, if it is planned to send the SMS regarding explicit consent before or during the shopping, in that case, both in the content of the SMS and in the physical or digital notices provided by the data controller, it must be clearly stated that "the provision of the verification code is not a prerequisite for the delivery of the goods or services."
With this evaluation, it has once again been revealed that digital service providers, in particular, must act more carefully in terms of compliance with the legislation when processing user data. The Board stated that such practices contain unlawful data processing and deficiencies in disclosure and ruled that data controllers must take the necessary administrative and technical measures in accordance with Article 12 of the Personal Data Protection Law No. 6698. This "Principle Decision" of the Board is in parallel with the announcement ("Announcement") of the Personal Data Protection Authority dated November 13, 2023, regarding the Sending of Verification Codes via SMS in In-Store Shopping.
In the Authority's announcement dated November 13, 2023, it was also stated that, in the investigation conducted by the Board, complaints regarding the use of SMS codes—sent under the pretext of payment/invoicing processes during in-store shopping—for the purpose of obtaining consent for commercial electronic messages were addressed, and that similar key principles and obligations were established in this context.
As a result of the evaluation made by the Board, it was determined that the obligation to inform, which must be fulfilled under the Law, was neglected in such practices and that explicit consent was obtained in a misleading manner. This situation constitutes a violation of the provisions of the Law. The issues highlighted in the Authority's Announcement dated November 13, 2023, were once again brought to the attention of the public through the Principle Decision dated June 10, 2025, and it was stated that if data controllers fail to comply with these rules, sanctions will be imposed within the scope of the Law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
