KVKK principle decision on SMS verification codes
June 27, 2025
Principle Decision of Personal Data Protection Authority on SMS Verification Codes
Following complaints and notifications received by the Personal Data Protection Authority (KVKK) about the practice of sending an SMS verification code to the data subject's mobile phone during payment, membership-creation or registration processes, and then treating entry of that code as grounds for collecting contact information, KVKK decided on June 10, 2025 that the existing practices must cease and that data controllers must comply with the following:
- First, in processes related to the provision of products and services (payments, registration, membership creation, quotations and similar transactions), the purpose of the SMS sent to the data subject's phone, and the consequences of handing over the code it contains, must be explained to the data subject clearly and understandably by the data controller's authorised personnel.
- To fulfil the obligation to inform, the SMS content itself must also point to the channels through which the required information can be obtained.
- The practice of combining different processing activities (such as confirming a membership contract, obtaining consent to personal data processing and obtaining approval for commercial electronic communications) in a single action, namely the entry of one SMS verification code, shall be terminated.
- A separate explicit consent must be obtained from the data subject for each processing activity that requires consent, with a separate choice offered for each.
- Obtaining explicit consent and fulfilling the obligation to inform shall be carried out as separate processes.
- Data subjects shall not be required to give explicit consent to receiving commercial electronic communications as a condition of being provided with a product or service.
- Explicit consent to the processing of personal data for commercial electronic communications shall be requested either after the sale of the product or service has been completed, or together with information (given in the SMS content or in physical or digital form) that clearly states that sharing the code with the seller is not required to complete the sale, that the product or service can be purchased without sharing the code, and that the consents and preferences given by means of the code can be changed at any time.
- To ensure compliance with the rules above, data controllers shall regularly train and raise the awareness of the employees involved in these processes.
The decision further emphasises that the above requirements are to be regarded as among the administrative and technical measures data controllers must take under the first paragraph of Article 12 of the Law to ensure the lawful processing of personal data.
Data controllers are therefore required to review their existing explicit consent and information mechanisms and bring them into line with this principle decision.