Turkey: New Rules for Loyalty Programs – Phone Number Verification Required

Turkey: New Rules for Loyalty Programs – Phone Number Verification Required

February 28, 2026 James Parker - Business Editor Business

Turkey’s Personal Data Protection Authority (KVKK) is tightening rules around loyalty programs, effectively ending the practice of offering discounts solely in exchange for a phone number. A recent principle decision, published in the Official Gazette on February 28th, requires businesses to verify ownership of the phone number provided before granting discounts or loyalty points. The move aims to address data security risks stemming from the use of other people’s phone numbers during transactions.

The KVKK’s action comes after investigations revealed that shoppers were able to use phone numbers not registered to them, creating vulnerabilities for unauthorized billing and inaccurate data processing. This practice posed a significant threat to personal data protection, prompting the regulatory body to issue the new guidelines. The change impacts a wide range of retailers and service providers who rely on phone number-based loyalty schemes.

SMS Verification and QR Codes Now Required

Under the new regulations, simply providing a phone number or card number will no longer be sufficient to qualify for discounts. Businesses must implement additional verification methods. These include sending a verification code via SMS to the provided phone number, or requiring customers to present a QR code through a mobile application. This ensures that the transaction is linked to the actual owner of the phone number. The KVKK’s decision reflects a broader global trend toward stricter data privacy regulations, mirroring concerns seen with GDPR in Europe and similar laws elsewhere.

The shift isn’t limited to retail. The KVKK has too issued public announcements regarding data breaches at TÜRKKEP, Maremar K.Maraş Magnetic Resonance Imaging Diagnosis and Health Services Inc. and Vodafone Net Communication Services A.Ş. In February 2026, highlighting the increasing focus on data security across various sectors. The Personal Data Protection Authority (KVKK) has been increasingly active in enforcing data protection standards.

Six-Month Compliance Window for Businesses

Businesses have been granted a six-month grace period following the Official Gazette publication to implement the necessary technical and administrative adjustments. This timeframe allows companies to update their infrastructure and ensure compliance with the new requirements. The transition will likely require investment in new systems and processes, particularly for smaller retailers who may lack dedicated IT resources.

Impact on Consumer Loyalty Programs

The change will likely reshape the landscape of consumer loyalty programs in Turkey. While the intention is to enhance data security, some businesses may see a decrease in participation rates as the process becomes slightly more cumbersome for customers. The effectiveness of the new measures will depend on how smoothly businesses can integrate the verification processes without creating friction in the shopping experience. The new rules are expected to impact the way businesses collect and utilize customer data for marketing and promotional purposes.

Broader Context: Digital Literacy and AI Concerns

The KVKK’s actions are part of a wider effort to promote digital literacy and address the challenges posed by emerging technologies like artificial intelligence. The Authority recently hosted a symposium on “Legal, Ethical and Social Approaches to Personal Data Protection in the Age of Artificial Intelligence” at Trabzon University on February 25th, 2026. According to the KVKK website, this event signaled a growing awareness of the need to adapt data protection frameworks to the evolving technological landscape.

the KVKK issued public announcements regarding GROK and Google Assistant on February 16th and 11th, 2026, respectively, indicating scrutiny of AI-powered assistants and their potential impact on personal data privacy. This proactive approach suggests the KVKK is preparing for a future where AI plays an increasingly prominent role in data processing and consumer interactions.

What’s Next: Implementation and Potential Challenges

Over the next six months, businesses will be focused on implementing the required changes to their systems. This will involve updating point-of-sale systems, mobile applications, and customer databases. The KVKK will likely provide further guidance and clarification on the implementation process.

A key challenge will be ensuring a seamless customer experience. If the verification process is too cumbersome, it could deter customers from participating in loyalty programs. Businesses will need to strike a balance between security and convenience.

The KVKK will also be monitoring compliance and enforcing the new regulations. Businesses that fail to comply could face penalties, including fines and corrective action orders. As reported by Sözcü, the new rules are a significant step towards strengthening personal data protection in Turkey’s retail sector.

The long-term impact of these changes remains to be seen, but they signal a clear commitment from the KVKK to safeguarding consumer data in an increasingly digital world.

Alomaliye.com provides further details on the KVKK’s principle decision and the new regulations.