Turkey’s Personal Data Protection Authority (KVKK – Kişisel Verileri Koruma Kurumu) yesterday published Decision 2026/347 in the Official Gazette (Resmi Gazete, Issue No. 33203, dated 24 March 2026), formalising a binding principle that prohibits data controllers from combining explicit consent texts with clarification (aydınlatma) texts into a single document. The decision, adopted by the Board on 18 February 2026, takes direct aim at practices that the authority describes as among the most frequently encountered legal violations in complaints and notifications submitted to the institution.

The ruling has immediate relevance for every organisation operating in Turkey that collects personal data – including digital advertisers, e-commerce platforms, financial services firms, and media organisations whose data collection practices routinely involve consent interfaces.

What the decision actually says

The legal foundation rests on two distinct concepts that Turkish law treats as fundamentally different instruments. According to the decision, the clarification obligation under Article 10 of Law No. 6698 requires data controllers to inform individuals about the identity of the controller, the purposes and methods of data collection, the legal basis for processing, and the individual’s rights under Article 11 – all before any processing begins, regardless of whether the individual requests this information or gives any approval. Clarification is not a contract. It does not require the individual’s agreement.

Explicit consent, meanwhile, is defined under Article 3 of the Law as consent that is “specific to a subject, based on being informed, and expressed by free will.” It is one of several legal bases permitting personal data processing under Articles 5 and 6, and it applies specifically to sensitive (special category) personal data under Article 6 and to ordinary personal data processed on a consent basis under Article 5.

The conflation of these two instruments into a single interlocked document, according to the Board, creates a structural problem: individuals who sign or tick such documents cannot meaningfully distinguish between acknowledging they have been informed and actively consenting to processing. That confusion undermines the legal validity of both the clarification and the consent.

According to the Official Gazette publication, the Board’s decision was taken unanimously and will be published both in the Resmi Gazete and on the KVKK’s official website.

The five dark patterns the authority identified

The KVKK catalogued five categories of non-compliant practices that prompted the decision. First, the most widespread violation: combining explicit consent and clarification texts in a single, intertwined document. Second, requesting approval or consent from individuals in relation to the clarification text itself – effectively treating an informational notice as if it were a contract requiring acceptance. Third, copying texts prepared by another data controller without adapting them to the specific controller’s own operations and activities. Fourth, using unclear, general, or misleading language in clarification texts, including phrases such as “your personal data is processed within the scope of the processing conditions specified in Articles 5 and 6 of the Law” – language the authority regards as ambiguous and potentially deceptive. Fifth, producing excessively detailed, complex, and lengthy texts that obscure rather than illuminate what is actually being done with personal data.

Each of these practices has a parallel in enforcement actions seen across European jurisdictions. France’s data protection authority CNIL took action against publishers for similar dark patterns in cookie consent interfaces in December 2024, and Belgium’s DPA sanctioned Mediahuis for misleading consent banner designs in the same month. The Turkish ruling operates under a distinct national framework, but the underlying concern – that consent mechanisms can be designed to obscure rather than enable genuine choice – is consistent with enforcement trends across multiple jurisdictions.

The positive requirements: what controllers must now do

Beyond prohibiting specific practices, the Board set out affirmative obligations. According to the decision, if personal data processing is based on explicit consent, the clarification text and the consent text must appear as separate documents under distinct headings. If operational constraints require both to appear on the same page, they must still be placed under separate headings with distinct declarations for each. Under no circumstances may the statements required for each be merged.

Where data processing rests on a legal basis other than explicit consent – for example, contractual necessity or a legal obligation – no separate consent text is required at all. Only the clarification obligation applies. This distinction matters because over-soliciting consent where it is not the legal basis has its own compliance implications: it may misrepresent the actual legal ground for processing and create false records of consent that do not reflect the true basis on which data is being used.

Regarding acknowledgment language, the decision is precise. The closing statement on a clarification document should read that the individual has read and understood the clarification text – not that they have accepted, approved, or consented to it. The distinction may appear minor, but it reflects the difference between receiving information and entering into a legal relationship.

Controllers are also prohibited from copying templates from other organisations. Each controller must prepare texts that reflect their own specific data processing activities, the personal data categories they actually process, the purposes for which that data is used, and the legal basis for each processing activity. A retail company cannot use the privacy notice drafted for a financial institution, even if both operate in the same regulatory environment.

Language requirements are equally specific. According to the decision, texts should be written in clear, simple, and understandable language. They should not contain general or ambiguous statements, incomplete information, misleading formulations, or false information. Rather than reproducing the full text of Article 11 of the Law – which lists individual rights in technical legal language – controllers should state simply that the individual holds rights under Article 11.

The decision references three layers of Turkish law. Article 20 of the Turkish Constitution establishes that personal data may only be processed in cases provided by law or with the explicit consent of the person concerned. Articles 5 and 6 of Law No. 6698 enumerate the lawful bases for processing ordinary and special category personal data respectively. Article 10 specifies the clarification obligation in detail, requiring information on: the identity of the controller and, where applicable, their representative; the purposes for which data will be processed; the recipients of the data and the purposes of any transfer; the method and legal basis of collection; and the rights of the individual.

The obligation in Article 5(f) of the Regulation on Principles and Procedures for Fulfilling the Clarification Obligation is quoted directly in the decision’s text, confirming that where processing is based on explicit consent, clarification and consent must be fulfilled as separate procedures.

Enforcement authority derives from Article 12 of the Law, which requires data controllers to take all necessary technical and administrative measures to ensure lawful processing. Article 15 of the Law authorises the Board to issue a binding principle decision – what Turkish administrative law terms an İlke Kararı – when it determines through complaint-based or ex officio review that a violation is widespread. According to the decision, violations of the principles set out in this ruling may trigger proceedings under Article 18 of the Law.

The decision is accompanied by two appendices: a good practice template (İyi Uygulama Şablonu) and a bad practice template (Kötü Uygulama Şablonu). The bad practice template reproduces a combined document titled “Clarification Text Regarding Explicit Consent” – a title that itself signals the problem, according to the KVKK – which merges both instruments under a single heading and ends with the statement “I have read and accepted the clarification text.” The authority annotates this template with bracketed notes explaining what makes each section non-compliant. The good practice template provides separate, properly structured documents for each instrument, with the clarification text ending “I have read and understood the clarification text regarding the processing of my personal data” and the consent text offering a binary choice between granting and withholding consent.

Why this matters for digital advertising and marketing

The ruling lands in a market where consent infrastructure is under pressure across multiple jurisdictions simultaneously. Usercentrics, which processes more than 7 billion consents monthly across over 2 million websites, reached €100 million in annual recurring revenue in November 2025 – a figure that reflects the scale of investment being made globally in consent management infrastructure. Research published in July 2025 found that 95% of customers will not purchase from companies that fail to safeguard their data, while only 23% of customers fully understand how companies use their personal data.

For Turkish operations specifically, the KVKK decision eliminates a common shortcut: the single-page form that bundles disclosure with consent solicitation, often ending with a phrase like “I have read, understood, and consent.” That construct is now explicitly non-compliant. Digital platforms, e-commerce operators, and publishers serving Turkish customers will need to audit their existing consent flows. Where consent forms currently appear as a single document – whether in web interfaces, mobile applications, call centre scripts, physical forms, or e-mail processes – the layout must be revised to separate the two instruments.

The consent management sector has become a measurable line item in marketing budgets. The Belgian and French enforcement actions of late 2024 signal that regulators are not limiting their attention to large platforms. Medium and smaller publishers face the same obligations. Spain’s AEPD imposed a €950,000 fine on Yoti in early 2026 for consent failures involving biometric data, underscoring that financial penalties can be substantial even for non-advertising violations.

The Turkish ruling operates outside the GDPR framework but shares its core concern: that consent must be a genuine, informed, specific, and freely given act – not a tick-box at the bottom of a document the individual has been asked to “read and accept” as a unit. The requirement for granular, purpose-specific consent, the prohibition on copying templates, and the insistence on plain language all parallel the standards European regulators have been enforcing for several years.

For programmatic advertising specifically, the implications are structural. Consent signals fed into supply chains – whether through IAB Transparency and Consent Framework strings or proprietary mechanisms – are only legally valid if the underlying consent collection process meets local legal requirements. A consent signal generated by a non-compliant combined document in Turkey is, under this ruling, not valid consent at all. That has downstream consequences for any campaign targeting Turkish customers that relies on consent-based audience activation.

Penalties and enforcement posture

The KVKK’s decision does not specify a penalty range for non-compliance, but the enforcement framework is established by Article 18 of Law No. 6698, which governs administrative sanctions. The Board has authority to issue warnings, impose administrative fines, and prohibit or suspend data processing activities. The principle decision mechanism under Article 15 is typically followed by individual enforcement actions against controllers who fail to align with the stated principles.

The decision identifies the combined consent-clarification document as among the most common violations in complaints reaching the authority – a detail that signals the KVKK’s awareness of how widespread the practice is and, implicitly, that enforcement will target a large population of controllers rather than isolated cases.

Timeline

  • August 14, 2018 – Brazil’s LGPD enacted, part of a global wave of data protection legislation that placed Turkey’s KVKK framework in an expanding international context.
  • February 14, 2023 – IAB and coalition launch CMP Complement specifications, establishing technical infrastructure for consent management that intersects with regulatory requirements like Turkey’s.
  • August 1, 2024 – noyb files lawsuit against Hamburg DPA over ‘Pay or OK’ consent banner decision, illustrating the contested boundaries of valid consent in digital environments.
  • September 8, 2024 – Belgian DPA imposes strict measures on Mediahuis for cookie consent violations, one of several European enforcement actions targeting bundled or misleading consent designs.
  • December 12, 2024 – France’s CNIL orders websites to fix misleading cookie banners for dark pattern violations including visual hierarchies that pressure customers toward acceptance.
  • February 11, 2025 – European Data Protection Board adopts Statement 1/2025 establishing ten principles for GDPR-compliant age assurance systems.
  • February 18, 2026 – KVKK Board adopts Decision 2026/347 requiring data controllers to prepare explicit consent and clarification texts separately under Turkish Law No. 6698.
  • March 2026 – Spain’s AEPD fines Yoti €950,000 for consent failures involving biometric data – a reminder that consent-related penalties continue to accumulate across jurisdictions.
  • 24 March 2026 – Decision 2026/347 published in the Turkish Official Gazette (Resmi Gazete, Issue No. 33203), making the ruling formally binding and publicly effective.
  • 25 March 2026 – Publication noted and circulated in industry channels including via LinkedIn by privacy professionals.

Summary

Who: Turkey’s Personal Data Protection Authority (KVKK – Kişisel Verileri Koruma Kurumu) issued the decision. It applies to all data controllers operating under Turkish Law No. 6698 – covering any organisation that collects or processes personal data of individuals in Turkey.

What: Board Decision No. 2026/347 establishes a binding principle requiring that explicit consent texts and clarification texts be prepared and presented as separate documents under distinct headings. The decision identifies five categories of dark practice, sets out affirmative format and language requirements, and is published alongside good and bad practice template appendices.

When: The Board adopted the decision on 18 February 2026. It was published in the Turkish Official Gazette on 24 March 2026 (Issue No. 33203) and became effective upon publication.

Where: The ruling is published in Turkey’s Resmi Gazete and on the KVKK’s official website. It applies to data controllers operating in Turkey across all channels – digital, physical, telephonic, and electronic.

Why: The KVKK identified the bundling of consent and clarification into a single intertwined document as one of the most common legal violations in complaints received by the authority. The combined-document format structurally prevents individuals from distinguishing between receiving information and actively granting consent, which undermines the legal validity of both instruments under Turkish constitutional and statutory data protection law.

