"You're going to receive a verification code on your phone—may I kindly ask for that code?"

  • ezgiyasdur
  • Jul 2

Turkish Data Protection Board’s New Principle Decision on Electronic Commercial Messages and Explicit Consent


Whether in online shopping, digital memberships, or in-store registrations, one familiar step keeps repeating: “Please enter the verification code sent to your phone.” But is this process in compliance with the applicable data protection legislation?


In response to numerous complaints and notices, the Turkish Personal Data Protection Board (“Board”) recently examined the use of SMS-based verification codes in service processes and the associated collection of consent for commercial messages.


The Principle Decision was published in the Official Gazette on June 26, 2025 (Official Gazette Link) and introduced significant obligations and restrictions for data controllers across sectors, especially e-commerce platforms and retail companies.

Key Findings From Complaints and Reports

The Board determined that:

  • Users were not properly informed before receiving the verification code via SMS.

  • The code was requested as a condition for receiving the service, while commercial message consents were simultaneously obtained—without clear separation.

  • Individuals were misled into giving consent for commercial communication under the guise of service provision.

These practices were found to violate the principles of transparency and informed consent under the Turkish Personal Data Protection Law.


Highlights from the Principle Decision

1. Layered Information Must Be Provided: When requesting contact information to send a verification code, the purpose of the SMS, and the consequences of providing the code, must be clearly explained to the data subject. SMS messages must also contain brief disclosures or a link to a full privacy notice.


2. Single-Action, Multi-Consent Mechanisms Are Not Permitted: It is unlawful to collect multiple consents (e.g., approval of membership, consent for personal data processing, and marketing communication) through a single action or checkbox.


3. Explicit Consent Must Be Separated and Reversible: Consent must be freely given, specific, informed, and unambiguous—and obtained separately from the privacy notice.

Users must also be informed that they may withdraw their consent at any time, without negative consequences.


4. Consent Cannot Be a Precondition for Service: Creating a perception that the service or transaction cannot be completed unless consent is given invalidates the consent.

Where consent is necessary (e.g., for marketing communication), it should be requested after the transaction is completed, or at least with a clear explanation that the consent is not mandatory for the service itself.


5. Staff Must Receive Regular Training: All personnel involved in data processing activities must receive periodic training on topics such as explicit consent, privacy notices, and commercial communication practices.


The EYAS Perspective: Final Thoughts

This Principle Decision clearly emphasizes the need to separate data processing activities from commercial message approval mechanisms.

Businesses operating digital platforms, retail stores, or membership-based services must review and restructure their verification code practices and consent workflows in accordance with the Principle Decision.

The Board has explicitly warned that non-compliance may result in administrative sanctions.

© 2025 EYAS Legal Consultancy.