New KVKK Board Decision: SMS Verification Codes Cannot Be Used to Bypass Consent Rules
- SADIK ISLER
Date: 26 June 2025
Source: Official Gazette No. 32938
Decision No.: 2025/1072
On 26 June 2025, the Personal Data Protection Authority of Turkey (KVKK) published a significant decision in the Official Gazette addressing the improper use of SMS verification codes for obtaining consent in product and service transactions. This decision clarifies the limitations and legal obligations surrounding the use of verification codes and reinforces the importance of transparency, explicit consent, and separate processing operations in personal data collection.

Background of the Investigation
The KVKK received numerous complaints and notices alleging that organisations collecting mobile numbers from individuals during service processes—such as payment, registration, or membership creation—were sending SMS verification codes under the pretext of completing these transactions. However, it was found that after the verification code was submitted, unsolicited commercial electronic communications (e.g., advertisements or promotions) were sent to the data subjects without obtaining valid and explicit consent.
Key Findings of the KVKK
The Board determined that:
- No clear purpose or adequate information was provided to data subjects during or before the SMS verification process.
- The verification code was used to obtain consent indirectly for marketing communications or personal data processing beyond the stated purpose.
- The verification step was sometimes wrongfully presented as a mandatory part of service delivery, thereby compromising the user’s freedom of choice.
- Different processing purposes—such as contract formation, personal data processing, and commercial communication consent—were bundled into a single action, violating the principle of specific and informed consent under the Personal Data Protection Law (Law No. 6698, GDPR of Türkiye).
Legal Obligations Emphasised by the Board
The decision restates the following obligations under Law No. 6698:
- Explicit Consent Must Be Informed, Specific, and Freely Given
  - Consent obtained through misleading practices, or imposed as a condition for service, is not valid.
  - The subject must understand exactly what they are consenting to, including all processing purposes and categories of personal data involved.
- Separate Consent for Separate Processing Purposes
  - Organisations must obtain separate consents for different operations, such as:
    - Contractual transactions (e.g., membership or payment),
    - Personal data processing,
    - Commercial communications (e.g., SMS/email marketing).
- Verification Code Use Must Be Transparent and Lawful
  - Any SMS verification message must clearly explain:
    - Its purpose,
    - Whether it relates to a legal obligation or optional consent,
    - The consequences of not entering the code.
- The Information Obligation (Aydınlatma Yükümlülüğü) Must Be Fulfilled
  - Clear disclosures must be made before or during data collection, covering:
    - Identity of the data controller,
    - Purpose and legal basis for processing,
    - Rights of the data subject,
    - Transfer recipients (if applicable).
- Personnel Training and Awareness
  - Data controllers must conduct regular training for personnel handling customer information and ensure internal compliance with the law.
Implications for Businesses and Data Controllers
This decision sets a strong precedent and serves as a compliance warning to all sectors, particularly e-commerce platforms, membership-based services, and mobile applications. Businesses are expected to:
- Review and revise their consent collection and SMS verification flows,
- Separate their data processing actions, and
- Ensure their data protection policies and disclosures align with KVKK principles.
Failure to comply may result in investigations, administrative fines, or public disclosure of violations under Article 18 of Law No. 6698.
CCS Law’s Comment
At CCS Law, we welcome this decision as a step toward enhanced transparency and accountability in data processing practices. Businesses must ensure they do not treat a technical step—like an SMS verification code—as a loophole for bypassing consent requirements.
If your organisation uses verification codes or processes personal data as part of its services, you may need tailored compliance advice, including:
- KVKK audit and risk assessment,
- Data protection policy drafting,
- Consent mechanism review,
- Commercial communication compliance under both KVKK and e-commerce regulations.
We urge all clients who collect customer data via digital platforms or communication channels to immediately review their data collection workflows, ensure separate and informed consent mechanisms, and update their privacy documentation accordingly.
Disclaimer: This article is intended for informational purposes only and does not constitute legal or tax advice.