Turkey's Personal Data Protection Authority (KVKK - Kişisel Verileri Koruma Kurumu) yesterday published Decision 2026/347 in the Official Gazette (Resmi Gazete, Issue No. 33203, dated 24 March 2026), formalising a binding principle that prohibits data controllers from combining explicit consent texts with clarification (aydınlatma) texts into a single document. The decision, adopted by the Board on 18 February 2026, takes direct aim at practices that the authority describes as among the most frequently encountered legal violations in complaints and notifications submitted to the institution.
The ruling has immediate relevance for every organisation operating in Turkey that collects personal data - including digital advertisers, e-commerce platforms, financial services companies, and media organisations whose data collection practices routinely involve consent interfaces.
What the decision actually says
The legal foundation rests on two distinct concepts that Turkish law treats as fundamentally different instruments. According to the decision, the clarification obligation under Article 10 of Law No. 6698 requires data controllers to inform individuals about the identity of the controller, the purposes and methods of data collection, the legal basis for processing, and the individual's rights under Article 11 - all before any processing begins, regardless of whether the individual requests this information or gives any approval. Clarification is not a contract. It does not require the individual's agreement.
Explicit consent, meanwhile, is defined under Article 3 of the Law as consent that is "specific to a subject, based on being informed, and expressed through free will." It is one of several legal bases permitting personal data processing under Articles 5 and 6, and it applies specifically to sensitive (special category) personal data under Article 6 and to ordinary personal data processed on a consent basis under Article 5.
The conflation of these two instruments into a single interlocked document, according to the Board, creates a structural problem: individuals who sign or tick such documents cannot meaningfully distinguish between acknowledging they have been informed and actively consenting to processing. That confusion undermines the legal validity of both the clarification and the consent.
According to the Official Gazette publication, the Board's decision was taken unanimously and will be published both in the Resmi Gazete and on the KVKK's official website.
The five dark patterns the authority identified
The KVKK catalogued five categories of non-compliant practices that prompted the decision:
- First, the most widespread violation: combining explicit consent and clarification texts in a single, intertwined document.
- Second, requesting approval or consent from individuals in relation to the clarification text itself - effectively treating an informational notice as though it were a contract requiring acceptance.
- Third, copying texts prepared by another data controller without adapting them to the specific controller's own operations and activities.
- Fourth, using unclear, general, or misleading language in clarification texts, including phrases such as "your personal data is processed within the scope of the processing conditions specified in Articles 5 and 6 of the Law" - language the authority regards as ambiguous and potentially deceptive.
- Fifth, producing excessively detailed, complex, and lengthy texts that obscure rather than illuminate what is actually being done with personal data.
Each of these practices has a parallel in enforcement actions seen across European jurisdictions. France's data protection authority CNIL took action against publishers for similar dark patterns in cookie consent interfaces in December 2024, and Belgium's DPA sanctioned Mediahuis for misleading consent banner designs in the same month. The Turkish ruling operates under a distinct national framework, but the underlying concern - that consent mechanisms can be designed to obscure rather than enable genuine choice - is consistent with enforcement trends across multiple jurisdictions.
The positive requirements: what controllers must now do
Beyond prohibiting specific practices, the Board set out affirmative obligations. According to the decision, if personal data processing is based on explicit consent, the clarification text and the consent text must appear as separate documents under distinct headings. If operational constraints require both to appear on the same page, they must still be positioned under separate headings with distinct declarations for each. Under no circumstances may the statements required for each be merged.
Where data processing rests on a legal basis other than explicit consent - for example, contractual necessity or a legal obligation - no separate consent text is required at all. Only the clarification obligation applies. This distinction matters because over-soliciting consent where it is not the legal basis has its own compliance implications: it may misrepresent the actual legal ground for processing and create false records of consent that do not reflect the true basis on which data is being used.
Regarding acknowledgment language, the decision is precise. The closing statement on a clarification document should read that the individual has read and understood the clarification text - not that they have accepted, approved, or consented to it. The distinction may appear minor, but it reflects the difference between receiving information and entering into a legal relationship.
Controllers are also prohibited from copying templates from other organisations. Each controller must prepare texts that reflect their own specific data processing activities, the personal data categories they actually process, the purposes for which that data is used, and the legal basis for each processing activity. A retail company cannot use the privacy notice drafted for a financial institution, even if both operate in the same regulatory environment.
Language requirements are equally specific. According to the decision, texts should be written in clear, simple, and understandable language. They must not contain general or ambiguous statements, incomplete information, misleading formulations, or false information. Rather than reproducing the full text of Article 11 of the Law - which lists individual rights in technical legal language - controllers should state simply that the individual holds rights under Article 11.
The legal architecture behind the ruling
The decision references three layers of Turkish law. Article 20 of the Turkish Constitution establishes that personal data may only be processed in cases provided by law or with the explicit consent of the person concerned. Articles 5 and 6 of Law No. 6698 enumerate the lawful bases for processing ordinary and special category personal data respectively. Article 10 specifies the clarification obligation in detail, requiring information on: the identity of the controller and, where applicable, their representative; the purposes for which data will be processed; the recipients of the data and the purposes of any transfer; the method and legal basis of collection; and the rights of the individual.
The obligation in Article 5(f) of the Regulation on Principles and Procedures for Fulfilling the Clarification Obligation is quoted directly in the decision's text, confirming that where processing is based on explicit consent, clarification and consent must be fulfilled as separate procedures.
Enforcement authority derives from Article 12 of the Law, which requires data controllers to take all necessary technical and administrative measures to ensure lawful processing. Article 15 of the Law authorises the Board to issue a binding principle decision - what Turkish administrative law terms an İlke Kararı - when it determines through complaint-based or ex officio review that a violation is widespread. According to the decision, violations of the principles set out in this ruling may trigger proceedings under Article 18 of the Law.
The decision is accompanied by two appendices: a good practice template (İyi Uygulama Şablonu) and a bad practice template (Kötü Uygulama Şablonu). The bad practice template reproduces a combined document titled "Clarification Text Regarding Explicit Consent" - a title that itself signals the problem, according to the KVKK - which merges both instruments under a single heading and ends with the statement "I have read and accepted the clarification text." The authority annotates this template with bracketed notes explaining what makes each section non-compliant. The good practice template provides separate, properly structured documents for each instrument, with the clarification text ending "I have read and understood the clarification text regarding the processing of my personal data" and the consent text offering a binary choice between granting and withholding consent.
Why this matters for digital advertising and marketing
The ruling lands in a market where consent infrastructure is under pressure across multiple jurisdictions simultaneously. Usercentrics, which processes more than 7 billion consents monthly across over 2 million websites, reached €100 million in annual recurring revenue in November 2025 - a figure that reflects the scale of investment being made globally in consent management infrastructure. Research published in July 2025 found that 95% of customers will not purchase from companies that fail to safeguard their data, while only 23% of consumers fully understand how companies use their personal data.
For Turkish operations specifically, the KVKK decision eliminates a common shortcut: the single-page form that bundles disclosure with consent solicitation, often ending with a phrase like "I have read, understood, and consent." That construct is now explicitly non-compliant. Digital platforms, e-commerce operators, and publishers serving Turkish users will need to audit their existing consent flows. Where consent forms currently appear as a single document - whether in web interfaces, mobile applications, call centre scripts, physical forms, or email processes - the architecture must be revised to separate the two instruments.
The consent management sector has become a measurable line item in marketing budgets. The Belgian and French enforcement actions of late 2024 signal that regulators are not limiting their attention to large platforms. Medium and smaller publishers face the same obligations. Spain's AEPD imposed €950,000 on Yoti in early 2026 for consent failures involving biometric data, underscoring that financial penalties can be substantial even for non-advertising violations.
The Turkish ruling operates outside the GDPR framework but shares its core concern: that consent must be a genuine, informed, specific, and freely given act - not a tick-box at the bottom of a document the individual has been asked to "read and accept" as a unit. The requirement for granular, purpose-specific consent, the prohibition on copying templates, and the insistence on plain language all parallel the standards European regulators have been enforcing for several years.
For programmatic advertising specifically, the implications are structural. Consent signals fed into supply chains - whether through IAB Transparency and Consent Framework strings or proprietary mechanisms - are only legally valid if the underlying consent collection process meets local legal requirements. A consent signal generated through a non-compliant combined document in Turkey is, under this ruling, not valid consent at all. That has downstream consequences for any campaign targeting Turkish users that relies on consent-based audience activation.
Penalties and enforcement posture
The KVKK's decision does not specify a penalty range for non-compliance, but the enforcement framework is established by Article 18 of Law No. 6698, which governs administrative sanctions. The Board has authority to issue warnings, impose administrative fines, and restrict or suspend data processing activities. The principle decision mechanism under Article 15 is typically followed by individual enforcement actions against controllers who fail to align with the stated principles.
The decision identifies the combined consent-clarification document as among the most common violations in complaints reaching the authority - a detail that signals the KVKK's awareness of how widespread the practice is and, implicitly, that enforcement will target a large population of controllers rather than isolated cases.
Timeline
- 14 August 2018 - Brazil's LGPD enacted, part of a global wave of data protection legislation that placed Turkey's KVKK framework in an expanding international context.
- 14 February 2023 - IAB and coalition launch CMP Complement specifications, establishing technical infrastructure for consent management that intersects with regulatory requirements like Turkey's.
- 1 August 2024 - noyb files lawsuit against Hamburg DPA over 'Pay or OK' consent banner decision, illustrating the contested boundaries of valid consent in digital environments.
- 8 September 2024 - Belgian DPA imposes strict measures on Mediahuis for cookie consent violations, one of several European enforcement actions targeting bundled or misleading consent designs.
- 12 December 2024 - France's CNIL orders websites to fix misleading cookie banners for dark pattern violations including visual hierarchies that pressure users toward acceptance.
- 11 February 2025 - European Data Protection Board adopts Statement 1/2025 establishing ten principles for GDPR-compliant age assurance systems.
- 18 February 2026 - KVKK Board adopts Decision 2026/347 requiring data controllers to prepare explicit consent and clarification texts separately under Turkish Law No. 6698.
- March 2026 - Spain's AEPD fines Yoti €950,000 for consent failures involving biometric data - a reminder that consent-related penalties continue to accumulate across jurisdictions.
- 24 March 2026 - Decision 2026/347 published in the Turkish Official Gazette (Resmi Gazete, Issue No. 33203), making the ruling formally binding and publicly effective.
- 25 March 2026 - Publication noted and circulated by privacy professionals in industry channels, including on LinkedIn.
Summary
Who: Turkey's Personal Data Protection Authority (KVKK - Kişisel Verileri Koruma Kurumu) issued the decision. It applies to all data controllers operating under Turkish Law No. 6698 - covering any organisation that collects or processes personal data of individuals in Turkey.
What: Board Decision No. 2026/347 establishes a binding principle requiring that explicit consent texts and clarification texts be prepared and presented as separate documents under distinct headings. The decision identifies five categories of dark pattern, sets out affirmative format and language requirements, and is published alongside good and bad practice template appendices.
When: The Board adopted the decision on 18 February 2026. It was published in the Turkish Official Gazette on 24 March 2026 (Issue No. 33203) and became effective upon publication.
Where: The ruling is published in Turkey's Resmi Gazete and on the KVKK's official website. It applies to data controllers operating in Turkey across all channels - digital, physical, telephonic, and electronic.
Why: The KVKK identified the bundling of consent and clarification into a single intertwined document as one of the most common legal violations in complaints received by the authority. The combined-document format structurally prevents individuals from distinguishing between receiving information and actively granting consent, which undermines the legal validity of both instruments under Turkish constitutional and statutory data protection law.