---
title: "İYS Guide: Capturing, managing, and proving consent in Turkey"
description: "How İYS (Turkey's commercial messaging consent registry) works: commercial vs informational, batch consent upload, the 3-business-day rule, and iletiMerkezi integration."
slug: /en/docs/guides/iys-rehberi
locale: en
audience: general
last_updated: 2026-04-30
target_queries: [iys turkey, turkey commercial sms consent, iys api, iys 3-day rule, turkey sms compliance]
related: [toplu-sms-nedir, kvkk-sms, sms-basligi-nasil-alinir]
alternates:
  tr: https://www.iletimerkezi.com/docs/guides/iys-rehberi
  en: https://www.iletimerkezi.com/en/docs/guides/iys-rehberi
---

# İYS Guide: Capturing, managing, and proving consent in Turkey

İYS (İleti Yönetim Sistemi, Commercial Messaging Consent Registry) is Turkey's national system where consent records for commercial electronic messages (SMS, e-mail, voice) are centrally stored; under Law No. 6563 on Electronic Commerce, every service provider sending **commercial** content must register the recipient's consent in İYS. Informational content (order confirmation, appointment reminder, OTP) is exempt. This guide explains the consent flow, the system's technical rules, and iletiMerkezi integration.

## Summary

- İYS = Turkey's national commercial-messaging consent registry. Consent must be on file **before** you send commercial SMS.
- **Informational SMS** (order, appointment, OTP, service alert) is exempt from İYS.
- Consent must be registered in İYS within **3 business days** of being captured; late registration is subject to administrative fines.
- Consent statuses: `ONAY` (allowed to send) or `RET` (sending forbidden). `RET` always overrides a prior `ONAY`.
- At iletiMerkezi, consent is uploaded via the panel or the `iys-register` endpoint (up to 5,000 records per request); a real-time İYS check runs on every `send-sms iys=1` call before dispatch, and `iys-check` lets you query a single recipient's status (ONAY / RET / source / date) for audit and operational use cases.

## What is İYS, and why does it exist?

İYS keeps a centralised record of "who messaged whom under which consent" for commercial communication in Turkey. When a recipient files a complaint, the Information and Communication Technologies Authority (BTK) and the Ministry of Trade audit the sender through this system. İYS is the **proof obligation**: you can only demonstrate that you had consent if it is registered there.

İYS is operated by **İleti Yönetim Sistemi A.Ş.** ("İYS A.Ş."), an entity authorised by the Union of Chambers and Commodity Exchanges of Turkey (TOBB) and wholly owned by the TOBB Education and Culture Foundation (TOBEV). BTK-licensed SMS providers like iletiMerkezi connect to the İYS A.Ş. API and register/query consent on their customers' behalf.

## Commercial vs informational

İYS only applies to **commercial** content. The distinction is the most commonly confused part of compliance:

| Type | İYS required? | Typical example |
|---|---|---|
| **Informational** | No | Order confirmation, shipping status, appointment reminder, OTP, service outage, invoice issuance |
| **Commercial** | Yes | Discount announcement, campaign, product launch, loyalty programme, survey invitation |
| **Mixed** | Yes (the message as a whole) | "Your order is on the way, also check our new collection" |

**Rule of thumb:** if the message contains **any promotional or persuasive content meant to influence purchase, usage, or brand preference**, it is commercial and requires İYS consent.

## How consent is captured: web, call, paper

The **source** of the consent is part of the record. iletiMerkezi supports the source codes below; coding the right source is critical for the legal evidence chain:

| Source code | Meaning |
|---|---|
| `HS_FIZIKSEL_ORTAM` | Physical medium (paper form, brochure, leaflet) |
| `HS_ISLAK_IMZA` | Wet-signed contract |
| `HS_ETKINLIK` | Event / trade fair / booth |
| `HS_EORTAM` | Electronic medium (generic) |
| `HS_WEB` | Web form, on-site checkbox |
| `HS_MOBIL` | Mobile application |
| `HS_MESAJ` | Confirmation captured via SMS |
| `HS_EPOSTA` | Confirmation captured via e-mail |
| `HS_CAGRI_MERKEZI` | Call centre, voice or keypad confirmation |
| `HS_SOSYAL_MEDYA` | Social-media channel |
| `HS_ATM` | ATM screen |
| `HS_KARAR` | Administrative or court ruling (cannot be used for the first registration) |

For consent to be **legally valid**, the form/channel must clearly inform the recipient, the wording must be unambiguous ("I consent to receive commercial electronic messages"), and pre-checked boxes are not allowed.

## The 3-business-day rule

Once consent is captured, you must register it in İYS within **3 business days**. This window also applies to opt-outs (`RET`): if a recipient withdraws and you do not update the record in time, you carry the liability for any subsequent send.

Practical flow with iletiMerkezi:

1. When the customer ticks the web form or says "yes" on a call, store the record locally.
2. Within the same day or by end of the next business day, batch-upload via `iys-register`.
3. Check `response.status.code`: 200 means the entire batch was accepted; 422 means the entire request was rejected (atomic, see below). Locate and fix the offending record on your side, then resubmit the batch.

## ONAY and RET semantics

In İYS, the **most recent record** for a recipient wins:

- Recipient consented (`ONAY`), then opted out (`RET`) > **sending is forbidden** (latest `RET` wins).
- Recipient opted out (`RET`), then re-consented (`ONAY`) > you may send, but archive how the new consent was captured.
- A registered `RET` cannot be deleted unless the recipient consents again.

Implementing this on the code side: pass `iys=1` + `iysList` on commercial `send-sms` calls, the backend performs a real-time İYS check before dispatch, drops non-consented recipients (RET or no record), and only charges credits for consented ones. For audit or operational checks, the `iys-check` endpoint returns a single recipient's current status (ONAY / RET / source / date). Do not cache consent status on your side; the backend's real-time check captures the most recent state, and a recipient can flip to `RET` at any moment.

## Batch upload: 5,000-record cap and atomic behaviour

`iys-register` accepts **1-5,000** consent records per request. The behaviour is **atomic**: if a single record in the list is invalid (out-of-enum `source`, `consentDate` older than 3 days, malformed phone number, etc.), the **entire request is rejected** and the response does not return a per-record breakdown, only a summary `status`. In practice this means:

- Validate every record on your side before uploading (enum values, date format, phone/e-mail format, `+90` prefix, recipient/recipientType match).
- If you get a 422, isolate the offending record by chunking the batch yourself (binary-search style); fix it and resubmit.
- If your batch exceeds 5,000, chunk it on your side; oversize lists return a `475` error code.

See: [iys-register API](../api/iys-register.md), [iys-check API](../api/iys-check.md).

## Frequently asked questions

**Q: Do I need İYS consent for OTP or order-confirmation SMS?**
No. These are **informational** and out of scope. The recipient must, however, be informed (via your KVKK clarification text) that providing their phone means they will receive such notifications.

**Q: A customer clicked "unsubscribe", what now?**
You have 3 business days to register a `status: RET` record via `iys-register`. After that, do not send commercial content to that number. At iletiMerkezi you can also block them at account level via `add-blacklist`.

**Q: Does KVKK consent replace İYS consent?**
No. KVKK governs the processing of personal data; İYS governs commercial messaging. Different legal frameworks, both required. See: [KVKK and SMS](./kvkk-sms).

**Q: What happens if I send commercial SMS without consent?**
Under Law No. 6563 and İYS regulations, administrative fines apply per recipient; amounts are revised annually and currently fall in the tens to hundreds of thousands TRY range. Repeat offences compound.

**Q: Do test sends with the `APITEST` sender require İYS consent?**
The `APITEST` sender is technically only deliverable to your own registered test number, so in practice it is moot. Once you go to production with real recipients, commercial-content rules apply.

**Q: Does İYS apply to B2B messaging?**
Yes. The law requires consent for commercial messaging **even when the recipient is a legal entity**; recipient type is recorded as `TACIR`.

## How to do it on iletiMerkezi

Four options:

- **Panel:** Settings > İYS, upload one-by-one or via Excel, query existing consents, process opt-outs.
- **API (`iys-register`):** Up to 5,000 records per request. [iys-register endpoint](../api/iys-register.md).
- **API (`iys-check`):** Single-recipient consent lookup. [iys-check endpoint](../api/iys-check.md).
- **Inline with send-sms:** Pass `iys=1` together with the recipient list to `send-sms`; the platform validates consent and drops non-consented recipients automatically.

[Sign up](https://panel.iletimerkezi.com/auth/signup), [iys-register API](../api/iys-register.md), [send-sms API](../api/send-sms.md)

## Related

- [What is bulk SMS?](./toplu-sms-nedir)
- [KVKK and SMS](./kvkk-sms)
- [How to get an SMS sender ID](./sms-basligi-nasil-alinir)
- [iys-register API](../api/iys-register.md)
- [iys-check API](../api/iys-check.md)