Israel's Privacy Protection Law: A Complete Guide for Compliance

Many countries have enacted privacy regulations that govern how organizations must handle the personal data of individuals. Israel’s Privacy Protection Law (PPL) is Israel's data protection framework; it provides Israeli citizens with data privacy rights and sets obligations for businesses. Whether you operate locally or handle data from Israeli citizens, you must understand the PPL principles and comply with them.

This article will delve into Israel's data protection framework, focusing on key obligations for businesses, recent amendments, data subject rights, and the unique aspects that distinguish the PPL from other major data privacy laws like the GDPR.

What Is Israel’s Privacy Protection Law (PPL)?

Israel's Privacy Protection Law (PPL) is the primary privacy legislation governing the collection, use, and storage of personal data of Israeli citizens, aiming to protect individuals' privacy while setting obligations for businesses.

Originally enacted in 1981, the PPL, also called 5741-1981, establishes guidelines for the collection, use, and management of personal data to protect individuals' privacy rights.

The law is enforced by the Privacy Protection Authority (PPA) and applies to both private and public entities in Israel.

Israel’s Privacy Protection Law requires businesses to implement adequate safeguards to protect personal data from unauthorized access, use, or disclosure, emphasizing the importance of data security in maintaining trust with individuals. Non-compliance can result in significant penalties, including fines and enforcement actions by Israel’s PPA.

In recent years, proposed reforms and the Privacy Protection Bill have sought to modernize Israeli data protection law and align it more closely with international standards such as the GDPR. Recent updates include detailed data security requirements and provide individuals with data subjects’ rights, such as access to their Personal Information.

The scope of Israel’s data privacy law applies to organizations operating within Israel and to foreign entities processing data of Israeli citizens.

Amendment 13 to Israel’s Privacy Protection Law

Amendment 13, effective August 14, 2025, introduced significant updates to Israeli data protection law, strengthening the protection of personal data, enhancing data security, and aligning the PPL more closely with global standards like the GDPR.

Below are the key aspects of Amendment 13:

  • Enhanced data security requirements
    Organizations are required to implement robust security measures to protect personal data against unauthorized access, use, and breaches. The amendment specifies security protocols, such as data encryption, access control, and regular security audits. Companies are also required to assess and classify personal data based on sensitivity levels and implement specific security measures for each type of data.
  • Appointment of a Data Protection Officer (DPO)
    If an organization handles a substantial amount of personal data or sensitive information, it must appoint a DPO. The functions of the DPO include overseeing compliance with the PPL and Amendment 13, conducting risk assessments, and ensuring that the company’s data processing activities comply with the law.
  • Increased enforcement powers for the PPA
    The PPA gained broader enforcement powers. The PPA can conduct routine audits, investigate data breaches, and impose administrative fines on organizations that violate the Israeli data privacy law.
  • International data transfers
    Amendment 13 also introduced specific requirements for the transfer of personal data outside of Israel. Organizations transferring data abroad must ensure that the receiving country offers an adequate level of data protection and must establish data transfer agreements with companies in the receiving country.

Who Must Comply with Israel’s Privacy Protection Law?

The PPL applies to any entity or individual that owns, manages, or controls a database containing Personal Information of Israeli residents.

Israel’s privacy compliance scope includes:

  • Israeli companies and organizations.
  • Foreign businesses offering goods, services, or data processing involving Israelis.
  • Public authorities and government institutions.

Like the EU’s GDPR, Israel’s PPL has an extraterritorial reach. This means that the PPL applies to your business even if you don’t have a physical business presence in Israel but collect or process personal data of Israeli residents.

Are certain business activities exempt?

Household or personal activities are exempt from the PPL requirements.

There are no other exceptions in terms of material scope, and there is no threshold for business income for the Israeli data privacy law to apply. Whether you’re processing personal data for marketing, customer management, or other operations, you must comply with the PPL.

Key Principles of Israel’s Privacy Protection Law

The Israel Privacy Protection Law is built on several foundational principles that guide all data processing activities in Israel.

Key principles of the Israeli data protection law include:

  • Purpose limitation
    Data must be collected only for a specific, declared purpose. The data can’t be used for other purposes not specified during the data collection process.
  • Data Minimization
    Organizations should collect only the information that is necessary for the declared purpose and needed to deliver the product or service.
  • Proportionality
    Businesses must keep and process data in proportion to their purpose. Avoid excessive data processing that goes beyond what is necessary for your specific goals.
  • Accuracy and integrity
    Data must be accurate and up to date.
  • Transparency
    Individuals have the right to know how their data is being handled.
  • Security
    Organizations must implement appropriate technical and organizational data safety measures against unauthorized access or breaches.
  • Data retention 
    Businesses must securely dispose of or delete individuals’ data when the purpose for processing data is complete. Review the information stored in your databases once a year to ensure you’re not holding data that is no longer necessary to you.

These privacy protection principles ensure responsible data handling and strengthen user trust in a business.

Is there a requirement to appoint a Data Protection Officer under the Israeli PPL?

Yes, if an organization handles a substantial amount of personal data or sensitive information, it must appoint a Privacy Protection Officer and a Data Security Officer. This is a new requirement of Amendment No. 13.

The functions of the DPO include overseeing compliance with the PPL and Amendment 13, conducting risk assessments, and ensuring that the company’s data processing activities comply with the law.

The DPO must have comprehensive knowledge of Israeli privacy and data protection laws, a sufficient understanding of information technologies, and sufficient authority and independence.

Key Definitions Under Israeli Data Protection Law

The Israeli Privacy Protection Law includes several key definitions important for responsible data management. Understanding these terms is essential for organizations aiming to comply with Israel’s PPL.

  • Personal Data
    Personal data is defined as information relating to an identified or identifiable person, which can include a name, ID number, health status, or online identifiers. The updated definition, effective August 14, 2025, aligns with broader international standards, and includes more data, such as physical or social information, personal status, economic situation, professional qualifications, and opinions that can be used to identify someone with reasonable effort.
  • Sensitive data
    Sensitive data includes more private data categories, such as medical history, political opinions and beliefs, intimate affairs, or criminal records. Collecting or processing sensitive data typically requires explicit consent and higher security measures.
  • Data processing
    It encompasses the collection, disclosure, transfer, and delivery of personal data.
  • Database
    A database is defined as a collection of information maintained electronically for computerized processing. A collection is exempt from the database definition if the data is collected only for personal use without business purposes, or if it contains only names, addresses, and contact details, provided these do not infringe on privacy rights and the owner or controlling entity does not hold any additional collections.
  • Data controller
    The data controller, or database owner, is the entity that owns the database(s).
  • Data processor
    The term “data processor” is not directly defined in Israeli data protection law; the equivalent is the "Database Holder," an entity that permanently possesses and is authorized to use the database.
  • Data subject
    The individual whose personal data is contained within the database.
  • Data breach
    It refers to any event that raises concern about a breach in data integrity, unauthorized access or sharing of information.

Data Subject Rights in Israel’s Personal Data Protection Law

Israel's Protection of Privacy Law (PPL) grants data subjects several rights aligned with global standards.

Israeli residents have these data subject rights:

  • Right of access
    Data subjects have the right to access their personal data held in databases.
  • Right to rectification
    Data subjects have the right to request the correction of inaccurate, incomplete, unclear, or outdated personal data.
  • Right to deletion
    Individuals may request deletion if data is incorrect, incomplete, unclear, or outdated, if it is used for direct marketing, or if data is no longer needed.
  • Right to object
    Data subjects have the right to object to the processing of personal data in certain situations, such as for direct marketing.
  • Right to restriction of processing
    Data subjects have the right to restrict the processing of data under certain circumstances.
  • Right to withdraw consent
    Data subjects have the right to withdraw consent for data processing at any time.
  • Right to data portability
    The right to data portability allows individuals to easily transfer their personal data between service providers. Businesses must provide the data in a structured, commonly used, and machine-readable format.
  • Right to complain
    Data subjects have the right to file a complaint with the PPA if they believe their privacy rights have been infringed.

Data Security Obligations for Organizations

Organizations must maintain reasonable data security measures to prevent unauthorized access, loss, misuse, or breaches. The 2017 Data Security Regulations set out detailed obligations regarding data security, including:

  • Entities must implement role-based access controls.
  • Entities must regularly audit their security practices.
  • Entities must encrypt sensitive data.
  • Entities must train staff on personal data security and privacy awareness.

Failure to meet these security requirements may lead to enforcement actions or fines.

Cross-Border Data Transfers: What You Need to Know

Transferring personal data of Israeli residents outside Israel is permitted only if the destination country ensures an adequate level of data protection.

The Privacy Protection Authority maintains a list of approved countries that provide sufficient safeguards for cross-border data transfers.

Organizations transferring data to non-approved countries must include contractual clauses or obtain the data subject’s consent.

Failure to meet these international data transfer requirements may lead to enforcement actions or fines.

Israel is a so-called adequacy decision country under Europe’s GDPR, meaning that it ensures adequate data protection for both data storage and transfer internationally. So, EU companies can transfer personal data of EU citizens to Israel.

Penalties and Enforcement under Israel’s PPL

The Privacy Protection Authority (PPA) has the power to investigate, issue sanctions, and publicize enforcement actions.

Non-compliance with Israel's Privacy Protection Law can lead to criminal penalties (including imprisonment), administrative fines and orders from the PPA, and civil lawsuits.

  • Criminal penalties
    Penalties can include imprisonment for up to five years for individuals who willfully infringe on privacy or violate the obligation to keep personal data confidential.
  • Administrative penalties
    The PPA can impose administrative fines for a range of failures, including those related to data security and database registration. It can also issue orders to cease violations, issue administrative warnings, or suspend database registrations and restrict an organization's capability to process personal data.
  • Civil penalties
    Individuals who are affected by a violation can file civil lawsuits for damages, even if they cannot prove direct harm.

Consent Requirements under Israel’s PPL

Organizations must obtain informed and explicit consent before collecting any personal data from Israeli residents.

When obtaining informed consent, organizations must inform individuals about:

  • Whether providing the data is mandatory or voluntary.
  • Why the data is being collected.
  • How long the data will be kept.
  • All third parties with whom the data will be shared, and for what purposes.
  • The identity and contact details of the data controller.
  • The possibility of refusing to provide the data and the consequences of refusing to provide the requested data.
  • The individual's rights to access and correct their personal data.

 

There are certain exceptions where personal data can be processed without explicit user consent. Explicit user consent is not required in situations where:

  • The processing is necessary to fulfill a legal obligation.
  • The processing is essential for safeguarding the vital interests of the data subject.
  • The processing is required for the performance of a contract to which the data subject is a party.

Practical Compliance Checklist for Businesses in 2025

By failing to comply with Israel’s PPL, companies risk penalties and reputational damage. Recent years have seen an increase in privacy audits and enforcement activity, so it is essential to achieve compliance with Israel’s privacy protection law.

To comply with the PPL, organizations should meet these practical PPL compliance checklist requirements:

  1. Identify and classify all personal data the organization collects or processes.
  2. Review and update privacy policies, privacy notices, and consent forms.
  3. Obtain free, specific, informed, and unambiguous user consent before collecting any personal data.
  4. Register required databases with the PPA.
  5. Implement data security and breach response procedures.
  6. Respect purpose limitation and data minimization principles.
    Collect only the data needed for the specified purpose. Collect personal data for the purposes disclosed at the time of collection and do not process it further in a manner incompatible with those original purposes.
  7. Respect the data retention principle.
    Delete individuals’ data when the purpose for processing data is complete.
  8. Train employees on privacy and data protection best practices.
  9. Conduct annual data security audits.
  10. Establish a cross-border transfer compliance plan.
  11. Regularly review and update consent mechanisms to align with any legal updates.
  12. Implement a Consent Management Platform (CMP).

A CMP is used to deliver a cookie notice that informs individuals about the collection of their data, obtain and store cookie consent, create a Privacy Policy, and respect user consent according to the PPL rules.

CookieScript could be the best option. It delivers the right balance of compliance, speed, affordability, and ease of use. You’ll get a fully compliant consent management tool for as little as €8 per month/ per domain for basic features or for €19 per month/ per domain for full compliance.

 

You can also get a 14-day free trial.

In Spring 2025, CookieScript received its fourth consecutive G2 badge as the Best Consent Management Platform.

The platform is also recognized as a Google-certified CMP in the Gold tier, highlighting its compliance with privacy and the latest consent management requirements.

By following this Israel privacy compliance guide, businesses could avoid costly enforcement actions and maintain consumer trust.

Frequently Asked Questions

What is Israel’s Privacy Protection Law?

Israel's Privacy Protection Law (PPL), originally enacted in 1981, is the primary privacy legislation governing the collection, use, and storage of personal data of Israeli citizens, aiming to protect individuals' privacy while setting obligations for businesses. Amendment 13, effective in 2025, introduced significant updates to Israeli data protection law, strengthening the protection of personal data, enhancing data security, and aligning the PPL more closely with global standards like the GDPR. Use CookieScript CMP to comply with the Israeli PPL.

How does Israel’s Data Protection Law address consent?

Organizations must obtain explicit consent before collecting any personal data from Israeli residents. Only informed consent is valid, meaning that it must be free, specific, informed, and unambiguous. Use CookieScript CMP to obtain and store user consent from Israeli citizens.

What are penalties for non-compliance with Israel’s PPL?

Non-compliance with Israel's Privacy Protection Law can lead to criminal penalties (including imprisonment), administrative fines and orders from the PPA, and civil lawsuits. The Privacy Protection Authority (PPA) has the power to investigate, issue sanctions, and publicize enforcement actions. Use CookieScript CMP to comply with the Israeli PPL and avoid penalties.

Can personal data from Israeli citizens be transferred outside the country?

Transferring personal data of Israeli residents outside Israel is permitted only if the destination country ensures an adequate level of data protection. The Privacy Protection Authority maintains a list of approved countries that provide sufficient safeguards for cross-border data transfers. Organizations transferring data to non-approved countries must include contractual clauses or obtain the data subject’s consent. CookieScript CMP can help companies to comply with the Israeli PPL.

Is there a requirement to appoint a Data Protection Officer under the Israeli PPL?

Yes, if an organization handles a substantial amount of personal data or sensitive information, it must appoint a Privacy Protection Officer and a Data Security Officer. The functions of the DPO include overseeing compliance with the PPL and Amendment 13, conducting risk assessments, and ensuring that the company’s data processing activities comply with the law.

What are the key differences between Israel’s Privacy Protection Law vs. GDPR?

Israel’s PPL shares many similarities with the EU GDPR, including rights for individuals and data security principles. However, there are notable differences. On legal basis, the GDPR allows multiple lawful bases, while the PPL is consent focused. The GDPR sets much higher fines, up to 4% of global turnover, while the PPL fines are lower. The supervisory body of the PPL is the Privacy Protection Authority (PPA), while the GDPR has national DPAs in each EU state. Despite these differences, Israel has received an adequacy decision from the EU, meaning that companies can transfer EU citizens’ data to Israel for processing.
