The Personal Data Protection Authority (“Authority”) has published a public announcement, stating that, as a result of the findings and assessments reached following examinations conducted within the scope of similar complaints submitted to the Authority regarding push notifications sent to users via mobile applications, there is a need to inform the public about the compliance of push notification processes with personal data protection legislation.
The Authority has reminded that it is mandatory for mobile application providers, acting as data controllers, to carry out their personal data processing activities in compliance with the general principles set out under Article 4 of the Law No. 6698 on the Protection of Personal Data (“KVKK”) and the processing conditions stipulated under Article 5 thereof. In this context, the announcement emphasizes that the push notification permission/consent mechanisms presented to users must be designed in a transparent, specific and legislation-compliant manner in terms of the purposes for which notifications will be sent and the personal data processing activities based on such purposes.
At the core of the announcement are the compliance risks arising from structuring the push notification consent obtained from users during the installation/initial use stage in a manner that combines different purposes under a single consent. According to the Authority’s assessment, presenting operational notifications (e.g., notifications necessary for the performance of the service such as order/shipment/process status) and marketing notifications (e.g., campaign and advertising content) under a single permission may result in users being forced to accept marketing content in order to benefit from the service. It has been stated that such an approach may undermine the “freely given” element required for the validity of consent.
The Authority has underlined that, for consent to be valid, it must relate to a specific matter, be based on information, and be given freely; and emphasized the importance of the principle of “granular consent,” which requires offering the data subject a separate and independent choice for each purpose where there are multiple purposes. In this regard, it has been assessed that mechanisms designed on an “all or nothing” basis and leading to obtaining consent for multiple purposes at the same time may not constitute an appropriate legal basis.
The announcement further states that not only legal texts but also the technical architecture of the application should be designed to support these principles. It is emphasized that users should be enabled to manage their notification preferences through in-app settings or the operating system settings of their devices, for example by keeping operational notifications enabled while disabling campaign/advertising notifications and having separate control options accordingly. It is noted that failure to provide such options may weaken users’ control over their personal data and may create risks in terms of the obligation to take necessary technical and administrative measures under Article 12 of the KVKK to prevent unlawful processing of personal data.
Within this framework, the Authority strongly reminds mobile application providers to review their push notification consent/permission processes considering the principles of “specificity” and “granular consent,” and to implement the necessary design and architectural updates to ensure that notification purposes are separated and users are provided with the ability to manage their preferences.
The full text of the public announcement published by the Personal Data Protection Authority may be accessed in Turkish via the link below:
Public Announcement on Push Notifications Sent via Mobile Applications
For detailed information and professional support during the compliance process, feel free to contact us.
This Legal Alert has been prepared for general information purposes only on current legal issues, and the evaluations contained in this Legal Alert do not constitute legal advice or a legal opinion. It is not possible to impose any liability on SRP-Legal Law Office due to the content of this Legal Alert. It is recommended to obtain the opinion of a legal advisor regarding your questions and enquires within the scope of this Legal Alert.
