MARKETING IN FINTECH WITHOUT COMPROMISING PRIVACY: A DATA PROTECTİON PERSPECTİVE FROM TÜRKİYE
The fintech sector has been growing rapidly through innovative products and services, and this growth has been accompanied by an increasing diversification of marketing practices and techniques. By its nature, marketing activities involve the processing of personal data, and in the fintech context such data is often closely linked to individuals’ financial behaviour, transaction patterns and economic profiles. As a result, marketing activities in the fintech sector constitute a particularly sensitive area of data processing compared to other industries.
For fintech companies operating in Türkiye, compliance with personal data protection legislation in marketing activities is not merely a legal obligation but also a key factor in meeting users’ legitimate expectations of privacy. The blurring of boundaries in the use of personal data for marketing purposes may undermine users’ trust and expose fintech companies to reputational risks as well as risks affecting sustainable customer relationships. Accordingly, the use of data in fintech marketing must be approached in a manner that is carefully balanced with privacy principles.
This article examines the privacy dimension of fintech marketing by analysing the limits within which personal data may be used in marketing activities and the legal risks arising from data-driven and behavioural marketing models. In this context, it is argued that expectations regarding the protection of personal data in the fintech sector are no longer limited to general legislative provisions but have acquired a more concrete framework shaped by sectoral practices and the regulatory approach. The aim of this analysis is to provide an assessment of how fintech marketing can be structured in compliance with both applicable regulations and the reasonable privacy expectations of data subjects.
- Legal Framework for the Protection of Personal Data
The primary legal framework governing the protection of personal data in Türkiye is set out under the Personal Data Protection Law No. 6698 (the “Law”). Under the Law, personal data may only be processed on the basis of at least one of the lawful grounds expressly provided therein. Regardless of the lawful basis relied upon, data controllers are required to fulfil their obligation to inform data subjects through written, electronic or other appropriate means.
In addition to the existence of a lawful ground for processing, compliance with core data protection principles—such as transparency, purpose limitation, data minimisation and proportionality—is essential for the lawful processing of personal data. In this respect, the obligation to inform is not a mere formal requirement but a fundamental mechanism enabling data subjects to understand by whom, for what purposes and on what legal grounds their personal data is processed.
In marketing-related data processing activities, reliance on explicit consent as a lawful basis is often required. For consent to be valid under the Law, it must be specific, informed and freely given. Accordingly, consent that is tied to access to core services or embedded within general terms and conditions may be deemed invalid to the extent that it fails to offer a genuine choice to the data subject.
- The Personal Data Nature of Marketing Data
One of the recurring compliance challenges in fintech marketing practices is the misinterpretation of the concept of personal data. In practice, aggregated metrics, campaign performance data or behavioural patterns are often assumed not to constitute personal data and therefore to fall outside the scope of the Law.
However, data processed in fintech marketing activities may include not only directly identifiable information such as contact details, but also indirect or derived data such as application usage habits, transaction behaviour, customer segmentation and preference data obtained through inference. The approach adopted by the regulatory authority demonstrates that personal data is not limited to explicit identifiers; rather, any information that enables the identification of an individual, directly or indirectly, including through profiling or analytical linkage, falls within the scope of data protection[1].
- Balancing Marketing Objectives and Privacy
A key consideration in fintech marketing activities is ensuring that commercial objectives do not override the data subject’s right to privacy. Users should be able to understand who processes their data and for what purposes, anticipate how their data may be used in the future, and be confident that marketing practices do not exceed their reasonable expectations. Where this balance is not maintained, the secondary use of personal data for commercial purposes may pose a risk of infringing privacy rights.
The correct identification of the legal basis for processing in marketing activities is also critical to the protection of privacy. Explicit consent is not merely a legal ground but an expression of the data subject’s will with respect to their privacy. Consent must therefore be freely given, must not be made a condition for access to a service, and must not be framed in an overly broad or ambiguous manner.
Recent guidance issued by the Personal Data Protection Authority emphasises that privacy extends beyond the confidentiality of information and encompasses the data subject’s right to exercise control over how their data is processed. Accordingly, the voluntary disclosure of personal data by individuals does not eliminate their right to privacy, nor does it automatically render the unrestricted or unforeseeable reuse of such data for marketing purposes lawful. In particular, secondary processing activities involving behavioural analysis or segmentation must be based on a clear and separate lawful ground.[2]
The principle of transparency requires more than mere information; it necessitates that control rights can be exercised in practice. Users should therefore be provided with effective mechanisms to manage marketing preferences, withdraw consent and exercise influence over data processing decisions. Privacy protection depends on marketing preferences being managed through visible, accessible and user-driven mechanisms.
Marketing practices involving profiling, targeting and behavioural analysis touch upon a particularly sensitive area of privacy, as they may generate outcomes relating to individuals’ economic behaviour. Profiling processes must therefore remain proportionate and limited to the purposes for which they are carried out, in accordance with the principle of data minimisation. Profiling activities that exceed their stated marketing purpose or that result in decision-making with significant effects on the data subject must be based on a distinct and explicit lawful ground under the Law.
- Legal Limits of the Use of Cookies for Marketing Purposes
Technical tools such as cookies, which are commonly used in marketing activities, require separate legal assessment due to their direct connection with personal data processing.
While cookies themselves do not necessarily constitute personal data, they may contain personal data. Data processed through cookies may include non-personal information such as language preferences, as well as personal data such as IP addresses, usernames or email addresses. As the Law covers all information relating to an identified or identifiable natural person, data processed via cookies may qualify as personal data where it can be associated with an identifiable individual, either on its own or in combination with other data.
Where cookies are used solely for functions that are technically necessary for the provision of a service explicitly requested by the user—and without which the service cannot be delivered—personal data may be processed without obtaining explicit consent. However, cookies used for additional purposes such as behavioural advertising, analytics or market research require explicit consent. In this respect, consent requirements extend to advertising-related cookies used for purposes including frequency capping, financial logging, ad affiliation, detection of click fraud, market research, product development and debugging.[3]
Accordingly, situations in which data initially processed without explicit consent subsequently give rise to a consent requirement due to secondary purposes may be illustrated through practical examples. In fintech applications, cookies used to ensure the continuity of payment or money transfer transactions requested by the user may be considered technically necessary and therefore processed without consent. However, where data obtained through such cookies is later used to analyse users’ spending habits or to conduct marketing and promotional activities relating to financial products and services, the processing exceeds the original purpose of service provision and requires explicit consent. Similarly, cookies used to prevent fraud or detect irregular transactions may be processed without consent where they are necessary for the secure provision of financial services; yet, the use of data obtained through such cookies for commercial analysis, profiling or marketing purposes renders explicit consent mandatory.
- Consequences of Non-Compliance with Legal Obligations
Under the Law and the related secondary legislation—including the Regulation on the Data Controllers’ Registry and the Communiqué on the Procedures and Principles to Be Followed in Fulfilment of the Obligation to Inform—unlawful processing of personal data for marketing purposes may expose data controllers to administrative fines. Failure to fulfil the obligation to inform is separately sanctionable under Article 18(1)(a) of the Law. Where personal data are processed without a valid processing condition, including where the purported explicit consent does not satisfy the statutory requirements, the Board may treat the failure to prevent unlawful processing as a breach of the data-security obligations under Article 12(1), subject to an administrative fine under Article 18(1)(b).[4] The Board may also, pursuant to Article 15(7), order the data controller to bring the processing into compliance with the Law, which may require the cessation of the unlawful processing activity.
Such violations are not limited to administrative sanctions alone. Depending on the nature and severity of the non-compliance, the Personal Data Protection Authority may initiate investigations ex officio or upon complaint and may publicly announce its decisions. Consequently, non-compliance with data protection obligations in marketing activities may expose fintech companies to both legal and operational risks.
- Conclusion
The increasing interdependence between marketing activities and personal data in the fintech sector renders privacy protection a strategic compliance issue. The processing of data relating to users’ financial behaviour creates heightened privacy expectations, necessitating that fintech companies adopt an approach grounded in transparency, proportionality and user control. Privacy violations not only give rise to legal sanctions but may also result in loss of user trust, reputational damage and harm to long-term customer relationships. Sustainable fintech marketing therefore depends on a data usage approach that places the protection of privacy at its core.
[1] Personal Data Protection Board Decision dated 10 March 2022, No. 2022/229, available at https://www.kvkk.gov.tr/Icerik/7275/2022-229 ; Personal Data Protection Board Decision dated 23 December 2021, No. 2021/1303, available at https://www.kvkk.gov.tr/Icerik/7288/2021-1303.
[2] Personal Data Protection Board Decision dated 1 September 2022, No. 2022/861, available at https://www.kvkk.gov.tr/Icerik/7580/2022-861.
[3] Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu), Guidelines on Cookie Practices (Çerez Uygulamaları Hakkında Rehber) (20 June 2022), available at: https://www.kvkk.gov.tr/Icerik/7353/Cerez-Uygulamalari-Hakkinda-Rehber.
[4] According to the 2026 official table of administrative fines: the fine range for breach of the obligation to inform (Article 18(1)(a)) is TRY 85,437–1,709,200; the fine range for breach of data-security obligations (Article 18(1)(b)) is TRY 256,357–17,092,242.