New Principle Decision from KVKK on Clubcard Practices
The Personal Data Protection Board (KVKK) published a Principle Decision dated February 2nd, 2026 and numbered 2026/266 in the Official Gazette on February 28th, 2026. It introduces fundamental changes to clubcard (loyalty card) programs widely used in various sectors such as food, clothing, technology, and cosmetics. With this decision, transactions made at the checkout, especially at staffed tills, by merely stating a mobile phone number without further verification have been deemed unlawful.
Businesses must urgently update their data processing procedures to avoid legal and financial penalties. So, what does this decision mean and what should businesses change?
What Was the Existing Problem with Clubcards as per Personal Data Regulation?
In many stores, consumers would simply tell the cashier their mobile phone number or clubcard number to earn discounts or points while shopping. According to the complaints reaching the Personal Data Privacy Authority, this situation led to various violations:
- Cashiers could complete the shopping process using mobile phone or clubcard digits shared by third parties without entering any transaction approval code into the system.
- Businesses could carry out transactions through the cardholder’s account without their knowledge and consent.
- Data controllers issued invoices and customer transaction information (purchased product, date, etc.) for these purchases in the name of the actual cardholder who did not make the transaction, creating incorrect records.
The Personal Data Privacy Board’s Legal Evaluation: Relying Solely on the Contract is Not Sufficient
The KVKK stated that conducting a transaction by a third party stating a number without the knowledge and consent of the actual cardholder cannot be based on any of the data processing conditions. Furthermore, this situation clearly violates the principle of personal data being “accurate and, when necessary, up-to-date”.
One of the most remarkable points relates to the data security obligation. Even if data controllers (businesses) place the responsibility on the customer in the Membership Agreement to “not let third parties use the card,” this situation does not eliminate the businesses’ obligation to ensure personal data security.
What Should Businesses (Data Controllers) Do Next to Comply with Personal Data Laws?
This decision mandates an end to existing insecure practices that allow shopping via clubcards. The new verification mechanisms that businesses can implement are:
- Sending a single-use verification code via SMS to the customer’s mobile phone number, and then having this code stated to the cashier.
- Scanning a barcode or QR code generated via a mobile application or website at the checkout.
- Presenting and scanning the physical clubcard at the checkout or entering the card password via the point-of-sale device.
- Customers can opt in online to approve specific transactions, like spending credits, using only their phone number.
Businesses can offer alternative verification methods to different user groups based on the transaction’s risk level.
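The first mechanism above (a single-use SMS code stated to the cashier) can be sketched as follows. This is an added example, not code from the decision or from any retailer's system; the class name, the 6-digit code length, the 180-second validity window and the 3-attempt limit are assumptions, and sending the SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 180   # assumed validity window
MAX_ATTEMPTS = 3         # assumed limit on wrong codes per challenge


class CheckoutVerifier:
    """Issues and checks single-use codes bound to one member and one till transaction."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # per-process key; codes are kept only as HMACs
        self._pending = {}                    # transaction_id -> challenge record
        self._clock = clock

    def _digest(self, member_id, transaction_id, code):
        msg = f"{member_id}|{transaction_id}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, member_id, transaction_id):
        """Create a 6-digit code; the caller sends it by SMS to the number on file."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[transaction_id] = {
            "member_id": member_id,
            "digest": self._digest(member_id, transaction_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, member_id, transaction_id, code):
        """Return True only once, for the right member, transaction and code, before expiry."""
        rec = self._pending.get(transaction_id)
        if rec is None or rec["member_id"] != member_id:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[transaction_id]   # expired or locked out: a new code is needed
            return False
        rec["attempts"] += 1
        expected = self._digest(member_id, transaction_id, code)
        ok = hmac.compare_digest(rec["digest"], expected)
        if ok:
            del self._pending[transaction_id]   # single use: a replayed code fails
        return ok
```

Because the code is tied to one transaction and deleted on success, a number or code overheard at the till cannot be reused for a later purchase on the same account.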
Pay Attention to the 6-Month Compliance Period!
The Board has granted data controllers a 6-month compliance period to take technical and administrative measures. This compliance period started on the publication date of the decision. Businesses that do not take the necessary security measures within this period and continue the previous practices will face fines.
We are here to provide legal support in auditing the compliance of your business’s clubcard programs and KVKK compliance processes. To revise your membership agreements and protect yourself from administrative fines, you can contact our law firm.
Legal Disclaimer: The information provided in this article is for general informational purposes only. It does not constitute legal advice, professional counsel, or a binding legal opinion. While we strive for accuracy, laws and regulations are subject to change. Accessing this article does not establish an attorney-client relationship between the reader and Karacabey Legal. We advise consulting a qualified attorney about your specific situation before taking any action.