İYS Guide: Capturing, managing, and proving consent in Turkey

İYS (İleti Yönetim Sistemi — Commercial Messaging Consent Registry) is Turkey's national system where consent records for commercial electronic messages (SMS, e-mail, voice) are centrally stored; under Law No. 6563 on Electronic Commerce, every service provider sending commercial content must register the recipient's consent in İYS. Informational content (order confirmation, appointment reminder, OTP) is exempt. This guide explains the consent flow, the system's technical rules, and iletiMerkezi integration.

TL;DR

• İYS = Turkey's national commercial-messaging consent registry. Consent must be on file before you send commercial SMS.
• Informational SMS (order, appointment, OTP, service alert) is exempt from İYS.
• Consent must be registered in İYS within 3 business days of being captured; late registration is subject to administrative fines.
• Consent statuses: ONAY (allowed to send) or RET (sending forbidden). RET always overrides a prior ONAY.
• At iletiMerkezi, consent is uploaded via the panel or the iys-register endpoint (up to 5,000 records per request); each send is preceded by iys-check.

What is İYS, and why does it exist?

İYS keeps a centralised record of "who messaged whom under which consent" for commercial communication in Turkey. When a recipient files a complaint, the Information and Communication Technologies Authority (BTK) and the Ministry of Trade audit the sender through this system. İYS is the proof obligation: you can only demonstrate that you had consent if it is registered there.

İYS is operated by MTS (Mesaj Yönetim Servisleri A.Ş.); BTK-licensed SMS providers like iletiMerkezi connect to the İYS API and register/query consent on their customers' behalf.

Commercial vs informational

İYS only applies to commercial content. The distinction is the most commonly confused part of compliance:

| Type | İYS required? | Typical example | |---|---|---| | Informational | No | Order confirmation, shipping status, appointment reminder, OTP, service outage, invoice issuance | | Commercial | Yes | Discount announcement, campaign, product launch, loyalty programme, survey invitation | | Mixed | Yes (the message as a whole) | "Your order is on the way — also check our new collection" |

Rule of thumb: if the message contains any promotional or persuasive content meant to influence purchase, usage, or brand preference, it is commercial and requires İYS consent.

How consent is captured: web, call, paper

The source of the consent is part of the record. iletiMerkezi supports the source codes below; coding the right source is critical for the legal evidence chain:

| Source code | Meaning | |---|---| | HS_WEB | Web form, on-site checkbox | | HS_FIZIKI | Wet-signed paper contract or form | | HS_ISMERKEZI | Verbal consent in a call centre (recorded) | | HS_EPOSTA | Confirmation captured via e-mail | | HS_MESAJ | Confirmation captured via SMS | | HS_FAKS | Consent captured by fax | | HS_OZNT | Special-nature method (legal record) | | HS_DIGER | Other than the above | | HS_TUKETICI | Captured upon consumer request | | HS_RET | Opt-out record (recipient withdrew consent) | | HS_TARAFIMA | Recipient self-registered | | HS_GENEL | General acceptance |

For consent to be legally valid, the form/channel must clearly inform the recipient, the wording must be unambiguous ("I consent to receive commercial electronic messages"), and pre-checked boxes are not allowed.

The 3-business-day rule

Once consent is captured, you must register it in İYS within 3 business days. This window also applies to opt-outs (RET): if a recipient withdraws and you do not update the record in time, you carry the liability for any subsequent send.

Practical flow with iletiMerkezi:

1. When the customer ticks the web form or says "yes" on a call, store the record locally.
2. Within the same day or by end of the next business day, batch-upload via iys-register.
3. Inspect consentResult in the response; queue any rejects/errors and retry just those records.

ONAY and RET semantics

In İYS, the most recent record for a recipient wins:

• Recipient consented (ONAY), then opted out (RET) → sending is forbidden (latest RET wins).
• Recipient opted out (RET), then re-consented (ONAY) → you may send, but archive how the new consent was captured.
• A registered RET cannot be deleted unless the recipient consents again.

Implementing this on the code side: validate with iys-check before each send; if you cache, set a max TTL of 1 hour because a RET can land at any time.

Batch upload: 5,000-record cap and atomic behaviour

iys-register accepts 1–5,000 consent records per request. The behaviour is atomic: if a single record in the list is invalid (out-of-enum source, missing date, malformed phone number), the entire request is rejected. So:

• Validate format on your side before uploading.
• On error, find the offending record from consentResult, fix only that record, and retry.
• If your batch exceeds 5,000, chunk it on your side.

See: iys-register API, iys-check API.

Frequently asked questions

Q: Do I need İYS consent for OTP or order-confirmation SMS? No. These are informational and out of scope. The recipient must, however, be informed (via your KVKK clarification text) that providing their phone means they will receive such notifications.

Q: A customer clicked "unsubscribe" — what now? You have 3 business days to register a status: RET record via iys-register. After that, do not send commercial content to that number. At iletiMerkezi you can also block them at account level via add-blacklist.

Q: Does KVKK consent replace İYS consent? No. KVKK governs the processing of personal data; İYS governs commercial messaging. Different legal frameworks, both required. See: KVKK and SMS.

Q: What happens if I send commercial SMS without consent? Under Law No. 6563 and İYS regulations, administrative fines apply per recipient; amounts are revised annually and currently fall in the tens to hundreds of thousands TRY range. Repeat offences compound.

Q: Do test sends with the APITEST sender require İYS consent? The APITEST sender is technically only deliverable to your own registered test number, so in practice it is moot. Once you go to production with real recipients, commercial-content rules apply.

Q: Does İYS apply to B2B messaging? Yes. The law requires consent for commercial messaging even when the recipient is a legal entity; recipient type is recorded as TACIR.

How to do it on iletiMerkezi

Four options:

• Panel: Settings → İYS — upload one-by-one or via Excel, query existing consents, process opt-outs.
• API (iys-register): Up to 5,000 records per request. iys-register endpoint.
• API (iys-check): Verify a recipient's consent before sending. iys-check endpoint.
• Inline with send-sms: Pass iys=1 together with the recipient list to send-sms; the platform validates consent and drops non-consented recipients automatically.

Sign up · iys-register API · send-sms API

Related

• What is bulk SMS?
• KVKK and SMS
• How to get an SMS sender ID
• iys-register API
• iys-check API

Last updated: 2026-04-30 · Türkçe