Turkey’s e-commerce market offers significant opportunity, but it is also one of the areas where legal compliance mistakes appear fastest and most visibly. An online seller can face risk not only under e-commerce legislation, but also under consumer law, data protection law, advertising rules, product safety legislation, and commercial electronic messaging rules. For that reason, e-commerce compliance in Turkey is not a single filing or a one-time website review. It is a layered legal discipline that affects how a business registers, presents itself online, forms contracts, stores customer data, sends marketing messages, manages cancellations and returns, and sells goods through its own website or through marketplaces.
For most businesses, the governing framework starts with Law No. 6563 on the Regulation of Electronic Commerce and its secondary legislation, but it does not end there. Consumer-facing online sales also fall under Law No. 6502 on Consumer Protection and the distance contracts regime. Personal data processing is governed by the Personal Data Protection Law No. 6698. Commercial electronic messages are subject to a separate regulatory framework connected to consent, opt-out rights, and the İleti Yönetim Sistemi, or IYS. If physical products are sold online, Law No. 7223 on Product Safety and Technical Regulations may also become relevant. In short, an online business in Turkey must think like a retailer, a platform operator, a data controller, and sometimes a product-market operator at the same time.
The First Question: Who Is Actually Covered?
A common misunderstanding is that Turkish e-commerce law applies only to large online marketplaces. Official Trade Ministry guidance makes clear that ETBİS registration is required before starting operations for electronic commerce service providers operating in their own electronic commerce environment, electronic commerce intermediary service providers, and also Turkey-based service providers that do not conduct e-commerce domestically but conclude contracts or receive orders through a foreign-based marketplace. The same official FAQ also states that domestic sellers using domestic marketplaces are not themselves subject to ETBİS registration solely for those marketplace sales, and that social media sellers are not subject to ETBİS registration and notification obligations. That said, exemption from ETBİS does not mean exemption from consumer, advertising, tax, or data-protection law.
This distinction matters because many businesses assume they are “too small” or “only marketplace-based” and therefore legally invisible. Turkish law is more nuanced. A business selling only through a domestic marketplace may avoid a direct ETBİS filing obligation, but it still remains exposed to distance-contract rules, misleading advertising restrictions, commercial-message rules, and KVKK obligations if it processes customer data. Likewise, a business selling via Instagram or similar channels may not need ETBİS registration under the cited FAQ, but once it takes orders, collects payment, ships goods, or sends marketing communications, other legal duties immediately come into play. The safest approach is therefore not to ask only whether ETBİS applies, but whether the business is creating a consumer, marketing, and data-processing footprint in Turkey.
Website and Marketplace Disclosure Obligations
For online businesses operating through their own websites, Turkish compliance begins with transparency. The Trade Ministry’s official e-commerce FAQ states that service providers must display identifying information before starting e-commerce activity in their own environment, including a serviceable KEP address, e-mail address, telephone number, and, depending on status, business name or registered trademark, as well as trade name, MERSİS number, and central address for merchants, or name, tax number, and central address for tradespeople. The same official material also explains that where sales are conducted through a marketplace, sellers must display certain minimum information in the area allocated to them by the intermediary service provider.
The same official FAQ goes even further by requiring an “operation guide” on the homepage. According to the Ministry, this should explain the technical steps necessary for formation of the contract, whether the electronic contract will be stored and whether the buyer can access it later, how long that access will be available, how the buyer can identify and correct input errors before placing an order, the privacy rules regarding personal data obtained through e-commerce transactions, and any alternative dispute-resolution mechanisms. In practical terms, this means the checkout flow is not only a design matter. It is a legal structure. A Turkish-compliant checkout must be capable of showing the buyer the steps of contracting, providing an order summary, and allowing correction of mistakes before final confirmation.
ETBİS Registration Is Not a Formality
ETBİS is one of the most visible compliance obligations for online businesses in Turkey. The Ministry’s official FAQ states that covered businesses must register before starting activity, and that ETBİS requires detailed information such as the KEP address, type of electronic commerce, goods and services sold, payment methods, second-hand sales status, payment and e-money service relationships, cargo and logistics providers, e-commerce infrastructure providers, and even the country and address of databases where personal and customer data are stored. For cross-border e-commerce, annual reporting on the volume of such trade by country and payment method must be submitted by the end of March each year, and changes to previously submitted information must generally be notified within thirty days.
This makes ETBİS much more than a registration form. It is, in effect, a compliance map. The business is disclosing how it operates, how it is paid, who its logistics partners are, where its data lives, and whether it engages in cross-border trade. That means the information entered into ETBİS should be consistent with contracts, privacy documentation, logistics arrangements, payment infrastructure, and operational reality. If the website says one thing, the data architecture shows another, and ETBİS contains a third version, the company has already created avoidable risk. Even the official FAQ’s reference to database location shows that Turkish e-commerce compliance is inseparable from data governance.
The same official sources also show that KEP is not optional for service providers operating their own e-commerce environments. The Ministry’s FAQ expressly states that the 29 December 2022 Regulation on Electronic Commerce Intermediary Service Providers and Electronic Commerce Service Providers requires a “serviceable KEP address” to be maintained. This is important because many foreign-owned or digitally native businesses focus on ordinary e-mail support and overlook KEP. In Turkey, however, KEP is not just another communication channel; it is part of the formal notification infrastructure of the legal system.
Distance Contracts and Consumer Rights
Consumer law is the area where online businesses in Turkey most often face immediate enforcement exposure. Law No. 6502 states that consumers in distance contracts have a fourteen-day right of withdrawal without giving any reason and without penalty. The law also provides that the seller or supplier bears the burden of proving that the consumer was duly informed about the right of withdrawal. If that information is not properly provided, the consumer is not bound by the normal fourteen-day period, and the right may extend up to one year after the original withdrawal period would otherwise have expired. The same law further states that goods sales must in any event be performed within thirty days from receipt of the order, failing which the consumer may cancel the contract.
These are not abstract consumer-rights principles. They are operational duties. The order page, pre-contract disclosures, withdrawal form, cancellation workflow, refund handling, and delivery promise must all support the legal regime. If the merchant’s website buries the withdrawal information, makes cancellation harder than ordering, or promises dispatch and delivery terms it cannot meet, the business may create a compliance problem with every affected transaction. For subscription-style services, digital offers, and pre-orders, the same analysis becomes even more important because customer communication and proof burdens matter just as much as the written policy text.
Marketplaces also carry meaningful responsibility. Under Law No. 6502, intermediaries in distance contracts acting through a system they have formed are responsible for keeping transaction records and producing them upon request, and the Trade Ministry’s consumer guidance further states that intermediary service providers are jointly and severally responsible together with the seller or supplier for making the pre-information, confirming it, and proving that it was made. This is one of the most important features of Turkish e-commerce law today: marketplaces are not merely passive digital noticeboards. If they structure the transaction environment, they can carry their own legal duties toward consumers and regulators.
Recent official penalty announcements show that this is not a symbolic duty. The Ministry announced that as of 1 January 2026, violations concerning distance-contract information obligations, withdrawal rights, and consumer rights in electronic commerce may trigger an administrative fine of TRY 3,973 per non-compliant transaction or contract, while failure by intermediary service providers to establish and keep continuously available a system allowing consumers to transmit and track requests and notifications carries a 2026 administrative fine of TRY 6,380,408. These figures make one point clear: Turkish regulators now expect e-commerce systems to be built for compliance, not patched after complaints begin.
Commercial Electronic Messages, Consent, and IYS
Marketing compliance is another critical pillar. The Ministry’s official “General Information” page on commercial electronic messages states that consent must generally be obtained by the service provider before commercial electronic messages are sent, and that such consent remains valid until the recipient exercises the right to refuse. The same page also explains that prior consent is not required for messages sent to recipients who are merchants or tradespeople, although those recipients still retain the right to refuse. The Ministry additionally states that consent may not be requested by sending a commercial electronic message to the recipient’s electronic communication address.
Turkey has also institutionalized this area through IYS. The official IYS site describes itself as the national platform through which commercial electronic message permissions and complaint processes are managed. The Ministry also operates the renewed Ticari Elektronik İleti Şikâyet Sistemi and states that complaints regarding such messages can be made through the system created for that purpose. In 2025, the Ministry further announced that companies offering integrator services for IYS-related operations had to obtain authorization by 31 March 2025, otherwise they could not carry out any processing on behalf of service providers regarding commercial electronic messages through IYS. This means outsourced message-management arrangements also require compliance review.
For online businesses, the legal lesson is simple: mailing lists, SMS campaigns, abandoned-cart reminders, discount alerts, and cross-sell campaigns should all be reviewed through Turkish consent logic, not merely through global CRM settings. A message that seems routine in another jurisdiction may still be problematic in Turkey if consent records are incomplete, opt-out rights are not respected, or the message was sent through an unauthorized chain. Where customer data is used to target those messages, KVKK obligations arise in parallel.
KVKK, VERBİS, and Data Transfers
No modern e-commerce business can comply in Turkey without a working data-protection framework. The Personal Data Protection Law states that it applies to natural and legal persons processing personal data by automated means or by non-automated means as part of a data filing system. The VERBİS by-law further explains that data controllers under registration obligation must register before beginning processing, must prepare a personal data processing inventory, and that the inventory forms the basis for registry entries, information notices, and other compliance steps. The same by-law also states that data controllers not established in Türkiye must register through a representative where registration applies.
For online businesses, this affects almost everything: account creation, payment records, shipping information, support tickets, cookies and behavioral data where personal-data rules are triggered, campaign preferences, and loyalty-program data. If the company is subject to VERBİS registration, the inventory must reflect real business processes, categories of data, recipient groups, storage periods, foreign transfers, and security measures. The by-law also makes clear that registration does not remove other obligations under the law. In other words, VERBİS is not a substitute for a privacy program; it is one visible part of it.
Cross-border transfers are especially important in e-commerce because customer data is often stored or accessed through foreign cloud services, global CRM tools, or group-wide systems. The Authority’s official guidance on Article 9 states that personal data may be transferred abroad where explicit consent exists, or without explicit consent where another legal basis exists and adequate protection is provided or other recognized safeguards apply. For online businesses using regional or global infrastructure, Turkish compliance therefore requires a real transfer analysis rather than an assumption that international hosting is automatically lawful.
Advertising, Discounts, and Enforcement Risk
Another major risk area is advertising. The Trade Ministry warned in December 2025 that year-end discount campaigns and similar promotional practices were being closely monitored and that misleading promotions would be met with administrative sanctions. That warning matters because e-commerce businesses often treat campaign wording as purely commercial. In Turkey, discount banners, “last chance” statements, urgency claims, comparative pricing, and campaign conditions can all become legal issues if they mislead consumers or fail to match actual commercial practice.
The Advertising Board’s February 2026 bulletin shows how concrete this enforcement has become. In that bulletin, administrative fines of TRY 1,083,706 and suspension sanctions were imposed on large marketplace operators including Çiçeksepeti and D-Market for advertisements found to violate the Regulation on Commercial Advertisement and Unfair Commercial Practices and Article 61 of Law No. 6502. For online businesses, the message is straightforward: compliance risk no longer sits only in contract terms and privacy notices. It also sits in homepage claims, campaign pages, product pages, influencer-driven promotions, and “discounted price” presentation logic.
Product Safety and Online Sale of Goods
Where an online business sells physical goods, product-safety law may add another layer of compliance. The official English text of Law No. 7223 explains that it establishes the general framework for Turkey’s product-safety system, including technical regulations, conformity assessment, CE marking, market surveillance, and penalties for non-compliance. The Turkey Product Rules Database also states that the law’s purpose is to protect the health and safety of humans, animals, plants, and the environment and to ensure that economic operators fulfil their legal obligations when placing safe and compliant products on the market. This means online sellers of goods cannot assume that compliance ends with a compliant checkout page. The product itself may require labeling, conformity documents, or sector-specific compliance before it can be sold lawfully.
That point is especially important for electronics, cosmetics, textile products with labeling rules, food products, children’s items, and other categories where sector-specific legislation may apply. Online channels do not displace these rules. They expose them. An e-commerce merchant that sources quickly and uploads products faster than its compliance review may unknowingly place non-compliant goods on the Turkish market. For businesses using marketplace models, product-risk review should therefore sit alongside consumer and advertising review from the start.
Building a Practical Compliance Model
An effective e-commerce compliance model in Turkey should begin with classification. The business must know whether it is operating its own website, a marketplace, a hybrid model, or a foreign cross-border sales structure. It then needs a legal map covering ETBİS, KEP, website disclosures, contract architecture, withdrawal workflows, recordkeeping, complaint handling, advertising review, IYS marketing permissions, KVKK notices and inventories, data-transfer mechanisms, and product-level obligations if goods are sold. The official materials cited above show that Turkish regulators increasingly connect these issues rather than treating them in isolation.
The best compliance programs are not the most theoretical. They are the ones that match the real transaction flow. The order button, cancellation interface, returns process, call-center script, campaign approval process, data-hosting architecture, and seller-onboarding workflow should all reflect the legal model. If they do not, the written policy will not protect the company for long. In Turkey, regulators increasingly test what the consumer actually experiences and what the company can actually prove, not merely what appears in internal policy binders.
Conclusion
E-commerce compliance obligations for online businesses in Turkey are no longer limited to having terms and conditions on a website. The legal framework now touches registration, identity disclosure, contract mechanics, withdrawal rights, delivery commitments, consumer complaint systems, electronic marketing permissions, personal data processing, cross-border transfers, advertising practices, and product compliance. Official 2026 penalty notices and recent enforcement bulletins show that these rules are active, not dormant.
For that reason, any online business targeting Turkey should treat compliance as part of business design, not as an afterthought. The safer approach is to build the website, marketplace strategy, marketing system, privacy architecture, and product workflow around Turkish legal requirements from the outset. That approach reduces regulatory risk, improves dispute defensibility, and creates a more durable e-commerce operation in the Turkish market.
Yanıt yok