Back to Articles
Data Protection··7 min read

Privacy Notices and Explicit Consent Texts Must Not Be Combined: What Does the Board’s Principle Decision Mean?

The Personal Data Protection Board (KVK Kurulu) has turned its individual decisions on violations arising from data controllers preparing privacy notices together with explicit consent texts into a principle decision. This decision shows that the obligation to inform and explicit consent must not be merged into the same text, and that data controllers need to review their compliance processes.

In personal data protection law, although the obligation to inform and explicit consent often arise within the same process, their legal nature is different. The Personal Data Protection Board (KVK Kurulu) has compiled its previous individual decisions concerning administrative offences committed because data controllers prepared privacy notices and explicit consent texts together, turned them into a principle decision, and published this decision in the Official Gazette.

This development is particularly important for companies using standard texts for websites, mobile applications, membership forms, employee processes, customer registration screens, and marketing permissions. This is because the Board’s approach focuses not only on the existence of the text, but also on its content, the manner in which it is presented, and whether the data subject has truly been informed.

Under the Personal Data Protection Law No. 6698 (KVKK), the data controller is obliged to inform the data subject about certain matters when personal data is obtained. This obligation arises regardless of the legal basis on which the data processing activity relies.

Explicit consent, however, is a different legal mechanism. Explicit consent is one of the legal bases that may be used for the processing of personal data; however, explicit consent does not need to be obtained for every data processing activity. If other processing conditions set out in the Law are present, the data controller may rely on that legal basis instead of explicit consent.

For this reason, presenting the privacy notice and the explicit consent text in the same document, without making a distinction between them, may create the following risks:

  • The data subject may be unable to distinguish whether they are merely being informed or are also giving consent,
  • Explicit consent may be perceived as a natural extension of the privacy notice,
  • Doubt may arise as to whether the consent is based on free will,
  • The data controller may create confusion regarding the legal basis by obtaining consent even in cases where explicit consent is not required,
  • Adverse consequences may arise for the data controller in terms of the burden of proof in the future.

The Board’s principle decision clearly establishes that these two legal mechanisms must be separated both formally and in terms of content.

What Does the Principle Decision Mean for Data Controllers?

The Personal Data Protection Board has turned the decisions it previously issued within the scope of individual applications and reviews into a principle decision due to the prevalence of similar practices. Principle decisions are generally guiding texts for data controllers and also increase the risk of administrative sanctions in the event of non-compliance.

In this context, it is no longer sufficient for data controllers merely to say “we have prepared a privacy notice” or “we have added a consent checkbox.” The legal functions of the texts must be structured separately, they must be presented in a way that the data subject can understand, and the correct legal basis must be identified for each data processing activity.

The following practices in particular should be reassessed:

  1. Obtaining a privacy notice acknowledgment and consent declaration in a single form: Using a general “I have read and approve” checkbox at the end of the privacy notice may blur the boundary between explicit consent and information.
  2. Obtaining blanket consent for all processing activities: Tying data processing activities for different purposes to a single consent declaration may be incompatible with the requirement that consent relate to a specific matter.
  3. Presenting explicit consent as a condition of service: Creating the impression that the service cannot be used if consent is not given may undermine the element of free will.
  4. Resorting to explicit consent where a statutory basis exists: Obtaining explicit consent when other processing conditions exist, such as the establishment of a contract, a legal obligation, or legitimate interest, may mislead the data subject.

How Should a Privacy Notice Be Structured?

A privacy notice must provide the data subject with transparent and understandable information about the data processing activity. This text is not an approval or permission text; it is a means of providing information. Therefore, the language of the text must be plain, accessible, and specific to the processing activity.

A privacy notice is generally expected to clearly include the following headings:

  • The identity of the data controller,
  • The purposes for which personal data is processed,
  • To whom and for what purposes the processed personal data may be transferred,
  • The method and legal basis for collecting the data,
  • The rights of the data subject arising from the Law.

The critical point here is that the privacy notice should not be directed at obtaining a declaration of intent from the data subject. The privacy notice may be read, made available, or the fact that the information was provided may be proven; however, this process must not be confused with obtaining explicit consent.

Explicit consent is consent that relates to a specific matter, is based on information, and is declared through free will. Therefore, an explicit consent text must contain a declaration that is clear, leaves no room for doubt, and results from the data subject’s active conduct.

The main differences between a privacy notice and an explicit consent text can be summarized as follows:

CriterionPrivacy NoticeExplicit Consent Text
Legal natureObligation of the data controllerDeclaration of intent by the data subject
PurposeProviding informationGiving permission for specific processing
NecessityAs a rule, it arises in every data processing processRequired only where the legal basis is explicit consent
Manner of presentationMust be readable and accessibleMust be separate, clear, and based on active approval
RiskIncomplete informationInvalid or defective consent

This distinction becomes even more important in processes involving commercial electronic communication permissions, special categories of personal data, marketing profiling, cookie practices, and transfers to third parties.

What Steps Should Companies Take in the Compliance Process?

Data controllers must review their existing texts and application screens in line with the Board’s principle decision. This review should be carried out not only by the legal department, but as a holistic process involving human resources, marketing, information technology, customer relations, and e-commerce teams.

In practice, the following steps are important:

  • Existing privacy notices and explicit consent texts should be separated.
  • A separate legal basis analysis should be carried out for each data processing activity.
  • Unnecessary consent should not be obtained in processes where explicit consent is not required.
  • If explicit consent is to be obtained, the consent text should be separated according to specific purposes.
  • In digital environments, checkboxes should not be pre-ticked; the data subject’s active choice should be sought.
  • It should be possible to prove when, through which text, and by which method consent was obtained.
  • Instead of general and abstract statements, the texts should explain the concrete data processing activity.

Failure to take these steps not only creates a risk of administrative fines, but may also adversely affect customer, employee, and user trust.

What Does This Mean in Practice?

The Board’s principle decision strengthens the approach that prioritizes genuine and understandable information over formal compliance in personal data processing processes. The main consequence for data controllers is that the privacy notice and explicit consent must not be ambiguously combined in the same text.

In summary:

  • A privacy notice is a means of providing information; it is not a consent text.
  • Explicit consent must be obtained as a separate, specific declaration based on free will.
  • The approach of providing information and obtaining approval through a single text may create a risk of administrative sanctions.
  • The correct legal basis must be identified for each data processing activity.
  • Companies need to review their existing KVKK documentation and digital approval processes.

Share

Need legal advice on this topic?

Our expert team is here to help with your legal questions.

Contact Us

Related Articles