Israel PPL Amendment 13

Amendment 13 to the Protection of Privacy Law, 5741-1981

Key Facts

Effective Date: August 14, 2025
Enacted: August 5, 2024
Enforcing Authority: Privacy Protection Authority (PPA)
Consent Model: Opt-in
Applies To: All entities processing personal data of Israeli residents; extraterritorial application

Overview

Amendment 13 to Israel's Protection of Privacy Law is a sweeping reform approved by the Knesset in August 2024 and effective from August 2025. It introduces GDPR-level enforcement capabilities including 5% turnover penalties, a private right of action without proof of harm, and extraterritorial scope. IP addresses, online identifiers, and geolocation data are explicitly defined as personal data.

What This Means for Your Website

  • Consent is required before processing personal data of Israeli visitors
  • IP addresses, online identifiers, and geolocation data are explicitly personal data
  • Data subjects can sue for statutory damages of ILS 10,000-100,000 without proving harm
  • The PPA's expected binding cookie guidance will make consent banners essential
  • Extraterritorial scope means the law applies to foreign entities processing Israeli residents' data
  • A mandatory privacy protection officer must be appointed

Key Requirements

The PPA enforces the law with penalties up to 5% of annual turnover, statutory damages of ILS 10,000-100,000 (no proof of harm required), up to 3 years' imprisonment, and processing suspension orders. The private right of action creates direct litigation risk from individual data subjects. Special requirements apply to data brokers. The expanded sensitive data definition covers biometrics, genetics, criminal records, sexual orientation, and financial details.

How ConsentStack Handles This

ConsentStack applies opt-in consent collection for Israeli visitors, treating IP addresses and online identifiers as personal data in line with the law's explicit definitions and supporting compliance with the PPA's evolving cookie guidance.

Penalties

Up to 5% of annual turnover. ILS 10,000-100,000 statutory damages (no proof of harm required). Up to 3 years' imprisonment. Processing suspension orders.

Revenue-based: 5% of annual revenue

Key Requirements

  • Consent required for personal data processing
  • Mandatory privacy protection officer appointment
  • IP addresses, online identifiers, and geolocation data are personal data
  • Expanded sensitive data definition (biometrics, genetics, financial details)
  • Data subjects can sue without proving harm (statutory damages up to ILS 100,000)
  • Specific requirements for data brokers

Notable Provisions

  • Private right of action WITHOUT proof of harm (statutory damages up to ILS 100,000)
  • Extraterritorial scope
  • 5% turnover penalty ceiling
  • PPA can order deletion of unlawfully obtained data and prohibit processing
  • Specific data broker requirements

Other Middle East & North Africa Regulations

UAE PDPL: United Arab Emirates (federal, excluding DIFC and ADGM free zones)
The UAE's first federal data protection law, making consent the default legal basis for processing. The UAE operates a unique three-regime system where federal law, DIFC, and ADGM each have separate data protection frameworks. Executive Regulations are still pending, creating enforcement uncertainty around detailed implementation requirements.

KSA PDPL: Kingdom of Saudi Arabia
Saudi Arabia's first comprehensive data protection law, actively enforced by SDAIA with 48 decisions in its first year. Has the strictest cross-border data transfer restrictions in the Middle East. Consent is the primary legal basis, and the very active enforcement record signals high compliance risk for organizations.

Egypt PDPL: Egypt
Egypt's first comprehensive data protection law, with Executive Regulations delayed five years before operationalization in November 2025. Requires explicit consent, PDPC licensing for certain processing, and criminal penalties including imprisonment. Cross-border transfers require PDPC licensing.

Bahrain PDPL: Kingdom of Bahrain
Bahrain's comprehensive data protection law with a notable prohibition on cookie walls. Consent obtained through forced or obligated browsing is explicitly void. Cookie walls or making website access conditional on cookie acceptance are prohibited, making genuine voluntary consent a strict requirement for CMP implementations.

Algeria Law 18-07: Algeria
Algeria's data protection law was significantly modernized by the 2025 amendment (Law 25-11), introducing DPO requirements and DPIA obligations that bring the framework closer to GDPR standards. The ANPDP was formally established in 2023, making the law enforceable. Criminal penalties including imprisonment apply.

Morocco Loi 09-08: Morocco
Among the first data protection laws in Africa, modeled after the French Data Protection Act. The CNDP is an autonomous supervisory authority. All processing activities must be declared to the CNDP prior to implementation. The CNDP takes a graduated enforcement approach with warnings before fines or criminal referrals.

Frequently Asked Questions

Can individuals sue without proving harm under Amendment 13?

Yes. Data subjects can claim statutory damages of ILS 10,000-100,000 without needing to prove actual harm — a powerful enforcement mechanism.

Does Amendment 13 apply extraterritorially?

Yes. The law applies to all entities processing personal data of Israeli residents, regardless of where the entity is located.

Are cookies covered under Amendment 13?

While there are no explicit cookie provisions yet, IP addresses and online identifiers are defined as personal data, and the PPA's opt-in recommendations are expected to become binding guidance.
