The Principle Decision of the Personal Data Protection Authority Regarding the Use of Verification Codes for Obtaining Consent for Commercial Electronic Messages

26 Jun 2025 Announcements

In its decision dated 10 June 2025 and numbered 2025/1072, published in the Official Gazette, the Personal Data Protection Authority (“the Authority”) examined certain practices whereby data controllers, during the provision of services (such as making payments, creating accounts, or registering for memberships), send verification codes to users via SMS and simultaneously obtain consent for the delivery of commercial electronic messages.

Upon evaluation, the Authority stated that the sending of verification codes via SMS must be strictly limited to the purpose of verification and that using this process as a means to obtain consent for commercial communications raises concerns in terms of the conditions required for obtaining explicit consent.

The decision emphasized that explicit consent, as defined under the Law, must relate to a specific subject matter, be based on informed choice, and be given freely. It was noted that, if consent is obtained during the verification process, it must be clearly and distinctly separated from the verification function, and the user must be adequately informed.

The Authority reiterated that in such practices, the processes concerning the processing of personal data and the sending of commercial electronic communications must be clearly separated, and that explicit consent must be obtained separately and in accordance with the legal requirements. Otherwise, the matter may be subject to further assessment within the scope of Law No. 6698 on the Protection of Personal Data.

The full text of the decision is available via the following link: https://www.resmigazete.gov.tr/eskiler/2025/06/20250626-7.pdf
