Personal Data Protection Board: Purpose-Based Consent Required for Push Notifications

•     As you may recall, in our Information Note dated October 8, 2025 (“ Information Note ”), we reviewed the decision of the Advertising Board stating that the methods for obtaining permission for instant notifications for marketing and informational purposes should be differentiated.

In its decision, the Advertising Board stated that separate permission is required for marketing push notifications – in addition to the permission obtained through phone settings .

Furthermore, the Advertising Board noted that if users enabled push notifications for an application through their phone settings, they were forced to tolerate marketing notifications even if they only wanted to receive updates on orders, shipping, returns, etc., and deemed this an unfair commercial practice.

The Advertising Board assessed that (i) informational and (ii) marketing notifications should be kept separate and considered obtaining consent for both purposes through phone settings as an unfair commercial practice .

• Regarding the Personal Data Protection Board (" the Board "), we had previously mentioned in the same Information Note that the "Guide on Recommendations for the Protection of Privacy in Mobile Applications" and the draft "Guide on the Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation," the final version of which has not yet been published, require explicit consent for push notifications and the provision of an in-app preference interface . Thus, we indicated that permissions regarding push notifications are now on the radar of both the Board and the Advertising Board, and we recommended that mobile application providers consider the principles of both boards when reviewing their push notification mechanisms.

• With the new Board decision titled “Public Announcement Regarding Push Notifications Sent via Mobile Applications ” (“ Decision ”) , published on January 14th and which is the subject of this article, the appropriateness of this approach has now been reinforced.

Ø What does the Board Decision say?

The decision, very similar to the Advertising Board's approach, stated that push notifications are based on user permissions given via the device and personal data processing activities carried out with these permissions, and it was determined that the push notification consent offered during the installation phase of a mobile application was designed as a "single consent" for multiple purposes .

Thus, it has been stated that the purposes of (i) “real-time tracking of order status” and (ii) “staying informed about campaigns” are combined, and users are required to accept campaign and advertising notifications in order to receive operational notifications, which are a natural part of the service, such as order tracking .

The Board emphasizes that when obtaining explicit consent, attention should be paid to the "granularity" principle, which we see in the literature and in the Board's assessments. Under this principle, if there are multiple data processing purposes, a separate and independent right of choice should be granted for each purpose . Requesting a single statement of consent for multiple purposes is considered an example of "blanket consent," forcing the user into collective acceptance or collective rejection .

The decision also emphasizes that mobile applications must be configured to meet these requirements and that users must be asked, via in-app settings and device operating system settings, what types of notifications they wish to receive. It states that applications that do otherwise will violate the "obligation to take necessary technical and administrative measures to prevent unlawful processing of personal data . "

OUR OPINION: It is true that the requirement for separate consent for push notifications by mobile device operating systems makes it difficult to establish a consent mechanism in this regard. However, with this Decision, we can say that the approaches of both the Advertising Board and the Personal Data Protection Board regarding obtaining consent for push notifications are now clear and parallel; non-compliance with these approaches will create risks for application providers in the eyes of both institutions.