KVKK (Law No. 6698) is Turkey's data protection law — conceptually close to GDPR, but with its own registry, consent standards and enforcement practice. If you collect leads or run marketing in Turkey, it applies to you from day one.
The essentials for marketers
Explicit consent is required for marketing communications; consent must be provable (who, when, which text version, from which IP). Forms need a linked privacy notice (aydınlatma metni). Cookie consent follows the same logic as EU practice: analytics and ads tags load only after consent.
Commercial electronic messages: İYS
Email and SMS marketing additionally require registration with İYS (the national commercial message consent registry). Sending campaigns to purchased lists is both illegal and — because Turkish spam filters are aggressive — commercially useless.
Practical checklist
Localized privacy notice on every form; consent checkbox stored with timestamp and IP; cookie banner with real blocking; İYS registration before email/SMS campaigns; a designated data controller process for KVKK Article 11 requests. Get these right at build time — retrofitting is far more expensive.
This article is general information, not legal advice; have your counsel confirm specifics for your case.

