Compass Consultancy

Logo
Compass Consultancy

Guideline on Obtaining Explicit Consent via SMS

Guideline Decision of the Personal Data Protection Board No. 2025/1072 dated 10/06/2025 on the Processing of Personal Data by Sending Verification Codes via SMS During the Provision of Products and Services.

The Personal Data Protection Board issued a guideline decision regarding the collection of explicit consent through verification codes sent by SMS, based on notifications and complaints it received. The decision was published in the Official Gazette on 26/06/2025.

The decision evaluated claims that during product and service delivery, data subjects’ contact information was requested, followed by sending them a verification code via SMS. It was alleged that this code was requested to complete payments, generate invoices, deliver invoices to contact addresses, or update information, but later commercial electronic messages related to the data controller’s activities were sent to those data subjects.

Upon investigation by the Board, it was found that no prior clarification was provided in the content of the SMS or before sending the SMS by the data controller or its authorized persons, and although the code was requested on the grounds of completing a payment or updating information, it was actually used to obtain explicit consent for sending commercial electronic messages, misleading the data subject.

This common practice fails to meet legal requirements. Even if legal requirements are included within the SMS, data controllers or data processors or their employee often lack the necessary awareness and thus fail to properly inform the data subject. Moreover, this procedure is imposed as a prerequisite to the transaction. To address these concerns, the Board has evaluated the matter from all aspects and outlined the following requirements:

  • The purpose of the SMS to be sent to the relevant data subjects and the potential consequences of providing the code conveyed in this SMS should be communicated clearly and understandably to the data subjects by the data controller’s officials as part of layered information.
  • After layered information, the SMS should include the necessary information or channels to fulfill the obligation of informing the recipients.
  • For issues requiring multiple consents, a single code should not be used to obtain consent; instead, separate requests should be made for matters such as membership agreement approval and consent for sending electronic commercial messages.
  • The obligations to obtain consent and to provide information should be fulfilled separately.
  • All elements specified in the Law should be included in the consent obtained via the SMS verification code.
  • The requirement to provide explicit consent for the processing of personal data for the purpose of sending commercial electronic messages should not be presented as a mandatory element for completing the product and service provision.
  • Consent obtained for sending commercial electronic messages should be requested after the completion of product and service provision.
  • In the case of obtaining consent during product and service provision, both in the SMS content and in the information provided by the data controller in physical or digital environments, it should be clearly stated that sharing the code with the official is not mandatory for completing the provision of products and services, and that products and services can always be provided without submitting the code. It should also be noted that permissions and preferences granted with the code can be changed at any time (withdrawal of consent).
  • To ensure the legality of these processes, the data controllers should periodically conduct necessary training and awareness activities for the personnel involved in these processes.

 

You can access the Board Decision via the provided link or contact our consultants for detailed information.