Consent in Shopping under KVKK: Is the SMS Method Compatible with the Board’s Decisions?

Introduction

In both digital shopping environments and physical retail settings, the use of SMS-based verification codes for obtaining “consent” has become increasingly common. However, such consents raise important debates regarding their compliance with the definition of “explicit consent” under the Law on the Protection of Personal Data No. 6698 (“KVKK”).

In particular, the Personal Data Protection Board’s (“Board”) recent Principle Decision dated 10.06.2025 and numbered 2025/1072 sets out the main principles governing this method. The decision was published in the Official Gazette dated 26.06.2025 and numbered 32938, and also announced on the Board’s official website (https://www.resmigazete.gov.tr/26.06.2025). In this decision, the Board laid down in detail the requirements that must be met in order for explicit consent obtained through verification codes to be deemed lawful.

Legal Framework

Under the KVKK, explicit consent is defined as the data subject’s statement of will that is related to a specific matter, based on information, and given with free will. Pursuant to Article 5 of the Law, as a rule, personal data cannot be processed without explicit consent.

Furthermore, the rules for sending electronic communications (SMS, e-mail, calls, etc.) to recipients are governed by the Law on the Regulation of Electronic Commerce No. 6563 and the Regulation on Commercial Communication and Commercial Electronic Messages issued under this Law.

According to these regulations, sending commercial electronic messages (for promotional, marketing, or visibility-enhancing purposes) is subject to prior consent from the recipient, which must also be registered with the Message Management System (“İYS”). Sending such messages without valid consent may trigger sanctions under both the KVKK and the e-commerce legislation.

Evaluation in Light of the Board’s Principle Decision No. 2025/1072

The Board emphasized the following points:

  • The data subject must clearly understand for which transaction they are giving consent. Consent texts must not be vague, general, or multi-purpose.
  • It is unlawful to bundle consent for multiple purposes (e.g., membership, data processing, and commercial communication) into a single SMS approval. Each processing activity requires separate explicit consent.
  • Explicit consent cannot be conditional; if service delivery is made dependent on providing consent, such consent will be deemed invalid.
  • Sharing a verification code after receiving it by SMS cannot, in itself, be interpreted as a “direct explicit consent statement,” as this does not create sufficient legal safeguards.

According to the Board, for explicit consent obtained through verification codes to be valid, the following must be ensured:

  1. separate information and consent must be provided for each data processing activity;
  2. the obligation to inform data subjects must be fully complied with;
  3. the provision of consent must not be made a precondition for the service; and
  4. data subjects must be explicitly and clearly informed of their right to refuse or withdraw consent.

Common Mistakes in Practice

Typical errors observed among goods and service providers include:

  • Obtaining a single consent for membership, data processing, and commercial communications together.
  • Drafting consent texts that are vague or complex.
  • Making verification codes a precondition for transactions without proper information.
  • Failing to inform data subjects of their right to withdraw consent or making it technically difficult to exercise this right.
  • Not registering consents with the İYS or failing to retain them within the statutory time limits.

Compliance Recommendations

To avoid possible administrative sanctions, businesses should take into account the Board’s latest Principle Decision and adopt the following measures:

  • Prepare separate explicit consent texts for each purpose of data processing.
  • Use SMS verification codes solely for identity verification purposes, not as substitutes for explicit consent statements.
  • Ensure that data subjects are fully informed during the process and are able to exercise their choices freely.
  • Obtain consents for commercial electronic messages separately, in line with İYS registration requirements, in a clear and simple manner.
  • Structure the consent process as an optional element, not a condition for accessing the service, and provide alternatives.

Conclusion

The Board’s Principle Decision No. 2025/1072, published in the Official Gazette dated 26 June 2025 and numbered 32938, makes it clear that SMS-based consents are valid under the KVKK only if the elements of explicit consent are fully met and the consent is not made a condition of the service.

Otherwise, consents obtained through methods that fail to meet these criteria may expose data controllers to administrative fines and other legal sanctions. In this respect, companies must adapt their digital consent mechanisms to ensure compliance with both KVKK and e-commerce legislation.