İYS Guide: Capturing, managing, and proving consent in Turkey

İYS (İleti Yönetim Sistemi, Commercial Messaging Consent Registry) is Turkey's national system where consent records for commercial electronic messages (SMS, e-mail, voice) are centrally stored; under Law No. 6563 on Electronic Commerce, every service provider sending commercial content must register the recipient's consent in İYS. Informational content (order confirmation, appointment reminder, OTP) is exempt. This guide explains the consent flow, the system's technical rules, and iletiMerkezi integration.

Summary

İYS = Turkey's national commercial-messaging consent registry. Consent must be on file before you send commercial SMS.
Informational SMS (order, appointment, OTP, service alert) is exempt from İYS.
Consent must be registered in İYS within 3 business days of being captured; late registration is subject to administrative fines.
Consent statuses: ONAY (allowed to send) or RET (sending forbidden). RET always overrides a prior ONAY.
At iletiMerkezi, consent is uploaded via the panel or the iys-register endpoint (up to 5,000 records per request); a real-time İYS check runs on every send-sms iys=1 call before dispatch, and iys-check lets you query a single recipient's status (ONAY / RET / source / date) for audit and operational use cases.

What is İYS, and why does it exist?

İYS keeps a centralised record of "who messaged whom under which consent" for commercial communication in Turkey. When a recipient files a complaint, the Information and Communication Technologies Authority (BTK) and the Ministry of Trade audit the sender through this system. İYS is the proof obligation: you can only demonstrate that you had consent if it is registered there.

İYS is operated by İleti Yönetim Sistemi A.Ş. ("İYS A.Ş."), an entity authorised by the Union of Chambers and Commodity Exchanges of Turkey (TOBB) and wholly owned by the TOBB Education and Culture Foundation (TOBEV). BTK-licensed SMS providers like iletiMerkezi connect to the İYS A.Ş. API and register/query consent on their customers' behalf.

Commercial vs informational

İYS only applies to commercial content. The distinction is the most commonly confused part of compliance:

Type	İYS required?	Typical example
Informational	No	Order confirmation, shipping status, appointment reminder, OTP, service outage, invoice issuance
Commercial	Yes	Discount announcement, campaign, product launch, loyalty programme, survey invitation
Mixed	Yes (the message as a whole)	"Your order is on the way, also check our new collection"

Rule of thumb: if the message contains any promotional or persuasive content meant to influence purchase, usage, or brand preference, it is commercial and requires İYS consent.

How consent is captured: web, call, paper

The source of the consent is part of the record. iletiMerkezi supports the source codes below; coding the right source is critical for the legal evidence chain:

Source code	Meaning
`HS_FIZIKSEL_ORTAM`	Physical medium (paper form, brochure, leaflet)
`HS_ISLAK_IMZA`	Wet-signed contract
`HS_ETKINLIK`	Event / trade fair / booth
`HS_EORTAM`	Electronic medium (generic)
`HS_WEB`	Web form, on-site checkbox
`HS_MOBIL`	Mobile application
`HS_MESAJ`	Confirmation captured via SMS
`HS_EPOSTA`	Confirmation captured via e-mail
`HS_CAGRI_MERKEZI`	Call centre, voice or keypad confirmation
`HS_SOSYAL_MEDYA`	Social-media channel
`HS_ATM`	ATM screen
`HS_KARAR`	Administrative or court ruling (cannot be used for the first registration)

For consent to be legally valid, the form/channel must clearly inform the recipient, the wording must be unambiguous ("I consent to receive commercial electronic messages"), and pre-checked boxes are not allowed.

The 3-business-day rule

Once consent is captured, you must register it in İYS within 3 business days. This window also applies to opt-outs (RET): if a recipient withdraws and you do not update the record in time, you carry the liability for any subsequent send.

Practical flow with iletiMerkezi:

When the customer ticks the web form or says "yes" on a call, store the record locally.
Within the same day or by end of the next business day, batch-upload via iys-register.
Check response.status.code: 200 means the entire batch was accepted; 422 means the entire request was rejected (atomic, see below). Locate and fix the offending record on your side, then resubmit the batch.

ONAY and RET semantics

In İYS, the most recent record for a recipient wins:

Recipient consented (ONAY), then opted out (RET) > sending is forbidden (latest RET wins).
Recipient opted out (RET), then re-consented (ONAY) > you may send, but archive how the new consent was captured.
A registered RET cannot be deleted unless the recipient consents again.

Implementing this on the code side: pass iys=1 + iysList on commercial send-sms calls, the backend performs a real-time İYS check before dispatch, drops non-consented recipients (RET or no record), and only charges credits for consented ones. For audit or operational checks, the iys-check endpoint returns a single recipient's current status (ONAY / RET / source / date). Do not cache consent status on your side; the backend's real-time check captures the most recent state, and a recipient can flip to RET at any moment.

Batch upload: 5,000-record cap and atomic behaviour

iys-register accepts 1-5,000 consent records per request. The behaviour is atomic: if a single record in the list is invalid (out-of-enum source, consentDate older than 3 days, malformed phone number, etc.), the entire request is rejected and the response does not return a per-record breakdown, only a summary status. In practice this means:

Validate every record on your side before uploading (enum values, date format, phone/e-mail format, +90 prefix, recipient/recipientType match).
If you get a 422, isolate the offending record by chunking the batch yourself (binary-search style); fix it and resubmit.
If your batch exceeds 5,000, chunk it on your side; oversize lists return a 475 error code.

See: iys-register API, iys-check API.

Frequently asked questions

Q: Do I need İYS consent for OTP or order-confirmation SMS? No. These are informational and out of scope. The recipient must, however, be informed (via your KVKK clarification text) that providing their phone means they will receive such notifications.

Q: A customer clicked "unsubscribe", what now? You have 3 business days to register a status: RET record via iys-register. After that, do not send commercial content to that number. At iletiMerkezi you can also block them at account level via add-blacklist.

Q: Does KVKK consent replace İYS consent? No. KVKK governs the processing of personal data; İYS governs commercial messaging. Different legal frameworks, both required. See: KVKK and SMS.

Q: What happens if I send commercial SMS without consent? Under Law No. 6563 and İYS regulations, administrative fines apply per recipient; amounts are revised annually and currently fall in the tens to hundreds of thousands TRY range. Repeat offences compound.

Q: Do test sends with the APITEST sender require İYS consent? The APITEST sender is technically only deliverable to your own registered test number, so in practice it is moot. Once you go to production with real recipients, commercial-content rules apply.

Q: Does İYS apply to B2B messaging? Yes. The law requires consent for commercial messaging even when the recipient is a legal entity; recipient type is recorded as TACIR.

How to do it on iletiMerkezi

Four options:

Panel: Settings > İYS, upload one-by-one or via Excel, query existing consents, process opt-outs.
API (iys-register): Up to 5,000 records per request. iys-register endpoint.
API (iys-check): Single-recipient consent lookup. iys-check endpoint.
Inline with send-sms: Pass iys=1 together with the recipient list to send-sms; the platform validates consent and drops non-consented recipients automatically.

Last updated: 2026-04-30 · Türkçe