The Personal Data Protection Board Issued a Principle Decision on the Processing of Personal Data Through SMS Verification Codes Sent to Customers Almost by Force During the Provision of Products and Services in Stores

In recent years, it has become increasingly common for stores to request contact information from individuals during purchases and/or to obtain their explicit consent by sending a verification code via SMS, after which commercial electronic messages are sent to the provided contact details for advertising purposes. Due to the growing number of complaints from consumers and the widespread nature of this practice, the Personal Data Protection Board (“Board”) issued a Board Resolution dated 10.06.2025 and numbered 2025/1072, published in the Official Gazette on 26.06.2025 (“Board Resolution”), to clarify the matter.

It should be noted that the Personal Data Protection Authority (“Authority”) initially addressed the issue on 17 December 2021, through a public announcement titled “Public Announcement on the Processing of Personal Data Through the Sending of Verification Codes via SMS to Data Subjects During In-Store Purchases.” Subsequently, in response to additional complaints, the Board issued Decision No. 2023/1653 dated 28.09.2023, in which no sanctions were imposed on the data controller, as the data processing activity had ceased following the withdrawal of explicit consent. Afterwards, on 13 November 2023, the Authority published its most recent public announcement titled “Public Announcement on the Processing of Personal Data Through the Sending of Verification Codes via SMS to Data Subjects During In-Store Purchases”, concerning the practice of sending SMS verification codes to data subjects during checkout transactions.

In these announcements and decisions, the Board emphasized that the obligation to inform data subjects and the process of obtaining explicit consent must be carried out in accordance with the Personal Data Protection Law (“Law”); that separate explicit consents must be obtained for different data processing activities; and that such consents should not be presented to consumers as if they are a mandatory element of the purchase process.

However, because the practice continued and the violation remained widespread despite all these public announcements and individual decisions issued by the Authority, the Board ultimately issued the Board Resolution.

The Board Resolution states that, based on complaints received by the Board, it was determined that users’ contact information was collected during transactions such as payments or memberships, verification codes were sent via SMS, the codes were presented as if they were mandatory for the transaction, and subsequently, commercial electronic communications were sent, through which consent was obtained.

These practices clearly violate Article 3 of the Law, which requires that explicit consent be specific, informed, and freely given; Article 10, which outlines the obligation to provide comprehensive information to the data subject; and Article 12, which mandates that data controllers take all necessary technical and administrative measures to ensure the lawful processing and protection of personal data and to prevent unauthorized access.

As a result of these findings, the Board decided as follows:

  1. In product and service delivery processes (such as payment, registration, membership, offer, etc.), the purpose of the SMS sent to the data subjects and the possible consequences arising from sharing the code must be clearly and understandably explained by the data controller officers at the initial stage as part of layered notification; additionally, information channels enabling compliance with the notification obligation should also be provided within the SMS content.
  2. Different data processing activities such as membership approval, consent for personal data processing, and consent to receive commercial communications must not be combined in a single transaction via verification SMS; instead, separate options must be provided for each, and explicit consent must be obtained individually.
  3. The processes of obtaining explicit consent and fulfilling the obligation to inform must be carried out separately by data controllers.
  4. If a verification code is sent via SMS to obtain consent for receiving commercial communications, the consent thus obtained must meet all the conditions set out in the Law.
  5. Consent for commercial communications must not be presented as a mandatory requirement for the provision of products or services.
  6. Explicit consent for commercial electronic communication should be requested after the completion of the product or service delivery, or it should be clearly stated in the SMS/other notification channels that the product or service will continue to be provided even if the code is not shared, and that permissions granted via the code can be modified at any time, thereby preventing the perception of consent as a mandatory requirement.
  7. Data controllers must provide regular training and awareness programs for personnel involved in these processes to ensure that operations are conducted in compliance with the law.
  8. Furthermore, considering that under Article 12 of the Law, data controllers are obliged to take all necessary technical and administrative measures to prevent unlawful processing and access to personal data and to ensure its protection, it is required that the aforementioned matters be fulfilled in accordance with these obligations, and in case of non-compliance, the relevant data controllers shall be subject to enforcement actions pursuant to Article 18 of the Law.

In this context, it is crucial for data controllers to review SMS verification processes, update privacy notices, conduct explicit consent procedures independently and separately from other transactions, ensure that commercial communication consents are not presented to consumers as a mandatory requirement for product or service delivery, and, most importantly, provide regular training to the relevant field personnel on obtaining such consents.

Special thanks to İsmail Arslan for his contributions.

Author:

Begüm Yavuzdoğan Okumuş, Partner
Email: begum.yavuzdogan@gun.av.tr