Push Notifications in Turkish Law: Legal Obligations and User Rights

We can clearly state that commercial communication has shifted from traditional channels to mobile applications and tools like push notifications or pop-ups.[1] IBM defines the concept of push notifications that appear as pop-up messages on desktop browsers, mobile home screens, or device notification centers. These messages typically display text or visuals that allow the user to perform a specific action, and they are optional notifications. For example, notifications sent by online marketplace, airline, or news application that you have installed on your phone are referred to as “push notifications.”

In this article, we will discuss the legal nature of these notifications, the rights of users, and the obligations of those sending notifications that are becoming increasingly prevalent in our lives.

Commercial Electronic Message

According to Article 4 of the Regulation on Commercial Communication and Commercial Electronic Messages (“Regulation”), prepared within the scope of Law No. 6563 on the Regulation of Electronic Commerce, data, sound, and visual content transmitted in electronic media for commercial purposes using tools such as phone, call centers, fax, automatic dialing machines, smart voice recording systems, electronic mail, short message service, and others are referred to as “commercial electronic messages.” Accordingly, push notifications sent for commercial purposes should be considered as commercial electronic messages. However, it is important to note that not all push notifications carry commercial content. For instance, an push notificationused to confirm or remind a user of an activity or transaction within an application may not serve a commercial purpose. Therefore, each case needs to be evaluated, and the purpose of the content must be determined.

Obligations

According to Article 8 of the Regulation, the MERSIS number must be included in the content of electronic messages for traders. Also, in accordance with Article 8, for commercial electronic messages, at least one of the contact information of the service provider must be provided, depending on the type of electronic communication tool. According to Article 9 of the Regulation, senders are obliged to provide the option of unsubscribing in the message content.

No exception is granted for push notifications regarding these obligations. In other words, as a rule, this information should be included in push notifications. However, in practice, such information is often not found in push notifications. Moreover, these notifications can usually be blocked through the software on the respective device. Therefore, no statement regarding the right to unsubscribe is added to instant push notifications. In the end, the absence of this information in instant push notifications may be considered a violation of the law. In legal doctrine, it is also argued that subjecting every function, content display screen, and notification of millions of applications to the E-Commerce Law would be an interpretation that goes beyond the purpose of the E-Commerce Law.[2] We believe that it would be appropriate to make a change in the legislation regarding this matter.

IYS (Message Management System)

The Message Management System (“IYS”) is operated by the company named Message Management System Inc., established by the Union of Chambers and Commodity Exchanges of Turkey with the authority granted by the Ministry of Commerce. According to the Regulation, those who wish to send commercial electronic messages must register with the IYS. Accordingly, sending commercial electronic messages to recipients without approval in the IYS is not possible, and approvals not registered in the IYS are considered invalid. As a general rule, this procedure must be followed for all commercial electronic messages, including push notifications. However, the technical infrastructure of the IYS is not designed to include push notifications or messages sent via WhatsApp, as it was created only for commercial electronic messages sent through calls, emails, or short messages (SMS). In other words, the technical infrastructure of the IYS hinders those sending push notifications from fulfilling their legal obligations, creating a significant gap and problem.

Consent and Data Protection

As a rule, under the Regulation, user consent must be obtained before sending commercial electronic messages. This issue can be discussed in conjunction with the decision dated 13/04/2021 of the Personal Data Protection Board (“Board”).

In this decision, the sending of promotional messages to a person’s mobile phone via two mobile applications provided by a bank is examined. In the bank’s defense, it was argued that mobile applications are used as a communication channel established for marketing purposes targeting customers, and these applications provide users with the option to choose not to receive messages. It was stated that users are asked for their preferences when they download the application to their smartphones, and if they allow it, they receive marketing notifications, and users always have the right to refuse these notifications.

However, the Board found the bank’s push notifications to be illegal for the following reasons:

• The automatic approval of the option to receive electronic messages in the settings of the banking application, and the acceptance of this preference as valid as long as users do not change it, contradicts the relevant legislation.

• The default presence of such notifications in mobile applications’ settings contradicts the regulation that electronic messages are subject to the approval of the recipients, as stated in Law No. 6563 on the Regulation of Electronic Commerce, and also violates the requirement of explicit consent for the processing of personal data as stipulated in the Personal Data Protection Law.

• The bank should have amended the option to send promotional messages via mobile applications specifically for Android operating system users, so that it conforms to all elements of explicit consent as required by law and made it possible for users to configure the default settings of the application not to receive promotional messages.

In this context, we can say that the most crucial part of the legal discussions regarding push notifications is “consent.” Sending these notifications without obtaining consent is highly risky.

Conclusion

1. Push notifications sent for commercial purposes are considered commercial electronic messages.
2. According to the regulations, MERSIS, contact information, and information about the right to unsubscribe must be included in push notifications. However, in practice, this requirement is often not met, and it is nearly impossible to enforce such control. An amendment to the legislation may resolve this confusion.
3. According to the regulations, notification to the IYS is required for push notifications as well. In other words, there is no exception in the legislation for push notifications. However, due to the technical infrastructure of the IYS, it is currently not possible to include push notifications in this process.
4. User consent should be obtained before sending push notifications. The fact that these notifications are “approved/allowed” by default in notification settings contradicts both the Electronic Commerce Law, which states that electronic messages are subject to the approval of recipients, and the Personal Data Protection Law, which requires explicit consent for the processing of personal data.

---

[1] Kaya M.B. (2020) Elektronik Ticaret Hukuku: Ticari Elektronik İletiler, On İki Levha

[2] Kaya M.B. (2020) Elektronik Ticaret Hukuku: Ticari Elektronik İletiler, On İki Levha.