Privacy Protection Law Amendment 13 has been in force since August 2025. It requires explicit consent and a designated DPO, and it exposes you to fines of up to 10,000 NIS per claim. Here is what you need to do on your site.

Privacy Protection Law Amendment 13 entered into force on August 14, 2025, and it is the biggest reform of Israeli privacy law in decades. It affects every business that collects, processes, or stores personal data, which in practice means almost every business in Israel. In this article we break down exactly what the law requires and what you must do on your website. We also cover the consequences of non-compliance, which can reach 10,000 NIS per civil claim.
Amendment 13 aligns Israeli law with European GDPR standards. The core principles: explicit, informed consent (not "implied consent"), right of access and rectification, right of erasure ("right to be forgotten"), notification of security events, and, in some cases, appointment of a Data Protection Officer (DPO).
The law applies to anyone defined as a "database owner": any business that collects data on 10,000 people or more, or that collects "sensitive data" (health, religion, sexuality, ethnicity, financial status, political views). In practice, most businesses running a site with a contact form + Analytics + Meta Pixel fall under one of those definitions.
The sanctions are sharp: administrative fines of up to 320,000 NIS, mandatory reporting to the Privacy Protection Authority within 72 hours of a security event, and civil claims of up to 10,000 NIS per affected person without proof of damage. This has already moved beyond theory, with the first rulings published in 2026.
1. A real Cookie Consent banner. Not "this site uses cookies, continued use means you agree." You need active consent: the option to reject, to choose categories (functional/analytics/marketing), and to keep using the site even after rejecting. Tag Manager and Meta Pixel must not load before consent.
2. An updated, detailed privacy policy. Must include: what data is collected (name, email, IP, cookies), why it is collected, who it is shared with (Google Analytics? Meta? Mailchimp?), how long it is retained, and the user's rights. The link must be available on every page, not only in the footer.
3. Signup forms with double opt-in. A checkbox for "I agree to receive marketing messages" cannot be pre-checked; the user must choose actively. You also have to keep a record of the consent (when, how, from which IP).
4. Right of erasure and rectification. The user can ask to have their data deleted. You need a clear process: how they reach out (email? form?), how quickly you respond (within 30 days), and how the data is actually deleted across all systems: CRM, Mailchimp, Facebook, Google.
5. Data Protection Officer (DPO). Mandatory for businesses processing a large volume of data (10,000+) or sensitive data. The officer can be internal or external (outsourced DPO). Their contact details must appear on the site.
6. Security event notification. If a data breach occurs, reporting to the Privacy Protection Authority and to affected parties within 72 hours is mandatory. It is important to have a procedure ready in advance.
Mistake #1: A "this site uses cookies" banner only. Not enough. You need an active option to reject and to choose categories. Most Israeli sites still use the old banner, which leaves them directly exposed to claims.
Mistake #2: Meta Pixel and Google Analytics loading before consent. This is a serious violation. These scripts collect data the moment the page loads. They must load only after the user clicks "agree."
Mistake #3: "I have read and agree" box pre-checked by default. Completely invalid under Amendment 13. The user must check it themselves.
Mistake #4: A generic privacy policy copied from another site. The policy must be specific to your business: which tools you use, who you share data with, etc. A generic policy does not meet the requirements.
Mistake #5: No erasure mechanism. The user cannot find how to delete their data. You must respond within 30 days of a request. Without a clear mechanism, you are exposed.
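
The consent gating from requirement 1 and Mistake #2, together with the consent record from requirement 3, as an added example that is not code from this article or from the module described below. The names `createConsentManager`, `TAGS` and `domLoadScript` and the `GTM-EXAMPLE` id are assumptions, and the client IP is assumed to be attached server-side when a log entry is stored.

```javascript
// Added example; every name here is hypothetical, not a vendor API.
const CATEGORIES = ["functional", "analytics", "marketing"];

// Constructed tag registry. GTM-EXAMPLE is a placeholder container id.
const TAGS = [
  { id: "gtm", category: "analytics",
    src: "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE" },
  { id: "meta-pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

function createConsentManager({ loadScript, policyVersion,
                                now = () => new Date().toISOString() }) {
  const granted = new Set(); // default deny: empty until the user acts
  const loaded = new Set();  // a tag is injected at most once per page
  const log = [];            // consent record: when, how, what was chosen

  function record(choices, source) {
    const decision = {};
    // Only a literal `true` counts; a missing or odd value is a rejection.
    for (const c of CATEGORIES) decision[c] = choices[c] === true;
    // Assumption: the server adds the client IP when it stores this entry.
    log.push({ at: now(), source, policyVersion, decision });
    granted.clear();
    for (const c of CATEGORIES) if (decision[c]) granted.add(c);
    for (const tag of TAGS) {
      if (granted.has(tag.category) && !loaded.has(tag.id)) {
        loaded.add(tag.id);
        loadScript(tag.src);
      }
    }
    return decision;
  }

  return {
    saveSelection: (choices) => record(choices, "banner:save-selection"),
    rejectAll: () => record({}, "banner:reject-all"),
    isAllowed: (category) => granted.has(category),
    history: () => log.map((e) => ({ ...e, decision: { ...e.decision } })),
  };
}

// Browser loader: the only place a third-party <script> is ever created.
function domLoadScript(src) {
  const s = document.createElement("script");
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}
```

A script that has already been injected cannot be unloaded, so a withdrawal takes effect on the next page load, when the stored decision is replayed before any tag is requested.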
In every site we have built since 2025, a full Consent Management module is in place: an active banner with 3 categories, conditional script loading, consent logging, and a tailored privacy policy. We also build an automated erasure request flow connected to the CRM and email tools.
In addition, we run Privacy Audits for existing clients, going over the site to identify exposures and fix them. The audit costs 1,500 NIS and usually pays for itself by preventing a single claim.
Summary: Amendment 13 may look like one more regulatory burden, but in practice it is an opportunity to build trust with customers. A site that respects privacy is a site that generates higher-quality leads and long-term trust. The cost of non-compliance is far higher than the cost of compliance. Want a check of your site? Get in touch for a free 20-minute Privacy audit.

April 21, 2026
