Israel's Privacy Protection Law and How It Applies to Cookies

Israel enacted its Privacy Protection Law (PPL) in 1981, making it one of the earliest standalone data protection statutes outside Europe. The law governs the collection, storage, use, and transfer of personal data held in databases, and it has been amended multiple times to keep pace with technological change.

Cookies are not mentioned anywhere in the PPL's text. There is no Israeli equivalent of the EU's ePrivacy Directive, and no dedicated regulation targeting browser-based tracking technologies.

That does not mean cookies fall outside the law's scope. The Israeli Privacy Protection Authority (PPA) has published guidance stating that data collected through cookies qualifies as personal data when it can identify an individual, directly or indirectly. Under that interpretation, setting analytics or advertising cookies on a visitor's device without proper notice may breach the PPL's notification and consent requirements.

What the PPA Recommends for Cookie Consent

The PPA's position distinguishes between two categories of cookies:

  • Essential cookies - required for the basic functioning of the service (session identifiers such as PHPSESSID, authentication tokens, load-balancing cookies). These do not require separate consent.

  • Non-essential cookies - analytics trackers like _ga, advertising pixels such as _fbp, and similar third-party technologies. The PPA recommends an opt-in model for these.

This distinction mirrors the approach taken under the GDPR and ePrivacy framework, where cookie categories determine whether prior consent is needed. Although the PPA's position is framed as a recommendation rather than a binding regulation, ignoring it carries risk. The Authority has signalled that cookie-related data collection can trigger sanctions if it violates the PPL's consent and notification duties.

Amendment 13: A Turning Point for Israeli Data Protection

Amendment 13 to the Privacy Protection Law was enacted in August 2024 and entered into force on 14 August 2025. It represents the most significant overhaul of Israeli privacy law in decades, aligning the framework far more closely with the GDPR.

Key changes relevant to website operators include:

| Area | Before Amendment 13 | After Amendment 13 |
|---|---|---|
| Consent standard | General requirement for notification | Informed, voluntary, and explicit consent for sensitive data |
| Administrative fines | Limited sanctions; primarily criminal route | Fines up to 5% of annual turnover for large organisations |
| Small business cap | No specific cap | 140,000 ILS (approx. USD 45,000) per year |
| DPO requirement | Not mandatory | Required for public bodies, data brokers, large-scale sensitive data processors |
| Data subject rights | Access and correction | Expanded to include deletion, data portability, and restriction of processing |
| Database registration | Mandatory for databases over 10,000 records | Replaced with notification duty for sensitive data above 100,000 records |

For cookie compliance specifically, the strengthened consent standard and the new administrative fines mean the PPA's opt-in recommendation now carries real teeth. A per-data-subject penalty structure - 50 NIS per person, or 100 NIS for sensitive data, with a minimum of 30,000 NIS - can accumulate quickly on a high-traffic website.

Israel's EU Adequacy Status and What It Means for Cookies

Israel holds an EU adequacy decision, meaning the European Commission recognises Israeli data protection standards as essentially equivalent to those within the EEA. This decision was reaffirmed under the GDPR review process.

The adequacy status matters for cookie compliance in a practical sense. If your website targets both EU and Israeli visitors, the consent mechanisms you deploy for GDPR compliance will generally satisfy Israeli requirements as well. A cookie banner that collects opt-in consent before firing non-essential cookies meets the PPA's recommended standard.

One detail worth noting: the EU adequacy decision is explicitly limited to Israel's pre-1967 borders and does not extend to settlements in occupied territories.

Comparing Israel's Cookie Rules with the GDPR

Websites operating across both jurisdictions benefit from understanding where the two frameworks converge and diverge.

| Aspect | GDPR / ePrivacy | Israel PPL (post-Amendment 13) |
|---|---|---|
| Cookie-specific law | Yes - ePrivacy Directive, Article 5(3) | No - general data protection principles apply |
| Consent model | Opt-in for non-essential cookies | PPA recommends opt-in (not strictly codified) |
| Supervisory authority | National DPAs (CNIL, ICO, etc.) | Privacy Protection Authority (PPA) |
| Maximum fine | EUR 20 million or 4% of global turnover | 5% of annual turnover (Amendment 13) |
| DPO required | For large-scale processing, public bodies | For public bodies, data brokers, systematic monitoring |
| Right to deletion | Yes (Article 17) | Yes (Amendment 13) |

The practical takeaway: if your site already complies with GDPR cookie consent requirements, you are well positioned for Israel. The main gap is awareness - many website owners do not realise that Israeli law applies to data collected from visitors located in Israel, regardless of where the website is hosted.

Enforcement and Recent PPA Activity

The PPA has historically focused enforcement on database security breaches and unsolicited marketing rather than cookie tracking. Direct cookie-related fines have not been issued to date.

That picture is changing. In early 2025, the PPA fined both EY and PwC Israel for scanning visitor identification documents without adequate consent notices - a signal that the Authority is willing to act on consent failures tied to digital data collection.

With Amendment 13's expanded enforcement toolkit now active, the PPA can issue administrative orders, monetary sanctions, and cease-and-desist directives. It can also order the suspension of data processing entirely. Websites setting third-party cookies without consent are increasingly exposed to regulatory action.

Compliance Checklist for Israeli Cookie Consent

Use this checklist to audit your website's cookie practices against Israeli requirements:

  1. Audit your cookies - identify every cookie your site sets, including those placed by third-party scripts such as _ga, _fbp, and _gid. A cookie scanner automates this process.

  2. Categorise each cookie - separate essential cookies from analytics, marketing, and functional cookies.

  3. Implement opt-in consent - block non-essential cookies until the visitor actively agrees. Pre-ticked boxes or implied consent through continued browsing do not meet the PPA's recommended standard.

  4. Display a clear cookie banner - explain what data you collect, why, and which third parties receive it. Use plain language.

  5. Publish a cookie policy - list each cookie by name, purpose, duration, and provider. Link to it from your banner. Guidance on structuring this is available in the cookie policy template guide.

  6. Record consent - store proof that each visitor consented, including timestamp and the categories they accepted.

  7. Allow withdrawal - visitors must be able to change or revoke their consent at any time.

  8. Review database registration - if you process sensitive data for more than 100,000 individuals, notify the PPA under Amendment 13's new threshold.
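
Steps 1, 2, 3, 6 and 7 of the checklist can be exercised together in a small audit routine. The following is an added example, not code from the PPA or from any consent product: the category map is an assumption built from the cookie names mentioned in this article, and the function names, the promo_seen cookie and the sample Cookie header are constructed for illustration.

```javascript
// Assumed category map, built from the cookie names this article mentions.
const CATEGORY_RULES = [
  { pattern: /^PHPSESSID$/, category: "essential" },
  { pattern: /^_ga(_.+)?$/, category: "analytics" }, // _ga and property-suffixed variants
  { pattern: /^_gid$/, category: "analytics" },
  { pattern: /^_fbp$/, category: "marketing" },
];

// Step 2: categorise a cookie by name. Anything unrecognised is "uncategorised"
// and is treated as non-essential until someone reviews it.
function categorise(name) {
  const rule = CATEGORY_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "uncategorised";
}

// Step 6: a consent record holds a timestamp and the categories the visitor
// actively accepted. Opt-in means nothing is accepted by default.
function recordConsent(acceptedCategories, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    accepted: [...new Set(acceptedCategories)].sort(),
  };
}

// Step 7: withdrawal is stored as a new record with no accepted categories,
// so the earlier record remains available as proof of what was agreed.
function withdrawConsent(now = new Date()) {
  return recordConsent([], now);
}

// Steps 1 and 3: parse a Cookie request header and list every cookie that is
// present without consent covering its category. Essential cookies are exempt.
function auditCookies(cookieHeader, consent) {
  const accepted = new Set(consent ? consent.accepted : []);
  return cookieHeader
    .split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter((name) => name.length > 0)
    .map((name) => ({ name, category: categorise(name) }))
    .filter((c) => c.category !== "essential" && !accepted.has(c.category));
}

// Constructed sample: what a browser might send on a first visit, before any choice.
const SAMPLE_COOKIE_HEADER =
  "PHPSESSID=abc123; _ga=GA1.2.111.222; _gid=GA1.2.333; _fbp=fb.1.444; promo_seen=1";

for (const v of auditCookies(SAMPLE_COOKIE_HEADER, null)) {
  console.log(`set without consent: ${v.name} (${v.category})`);
}
```

A non-empty result on a visit with no stored consent record means a script is firing before the banner, which is the gap step 3 is meant to close.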

Cookie Consent for Websites Targeting the Middle East

If your website serves visitors across the Middle East, Israel's requirements sit alongside other regional frameworks. Saudi Arabia's PDPL imposes its own consent obligations for personal data processing, while Egypt's privacy law covers data collected from Egyptian residents. Turkey's KVKK follows a GDPR-influenced model with explicit consent requirements for cookies.

A geo-aware cookie banner that adjusts consent flows based on the visitor's location handles these overlapping requirements efficiently. Kukie.io's geo-detection feature applies the correct consent rules for each jurisdiction automatically.

Frequently Asked Questions

Does Israel have a specific cookie law?

No. Israel does not have a dedicated cookie law equivalent to the EU's ePrivacy Directive. Cookie consent falls under the general Privacy Protection Law (1981) and PPA guidance recommending opt-in consent for non-essential cookies.

Do I need consent before setting cookies for Israeli visitors?

The PPA recommends obtaining opt-in consent before setting non-essential cookies such as analytics and advertising trackers. Essential cookies required for your site to function do not need separate consent.

What are the fines for privacy violations in Israel after Amendment 13?

Amendment 13 introduced administrative fines of up to 5% of annual turnover for large organisations and a cap of 140,000 ILS per year for smaller businesses. Per-data-subject penalties of 50 to 100 NIS also apply.

Is Israel considered GDPR-adequate for data transfers?

Yes. The European Commission has recognised Israel under an adequacy decision, meaning personal data can flow from the EEA to Israel without additional safeguards such as standard contractual clauses.

Does Amendment 13 require a Data Protection Officer?

Amendment 13 requires a DPO for public bodies, data brokers, organisations conducting systematic monitoring at scale, and those processing sensitive data in large volumes. Most small websites are unlikely to meet these thresholds.

Can I use the same cookie banner for GDPR and Israeli compliance?

In most cases, yes. A GDPR-compliant cookie banner that collects opt-in consent before firing non-essential cookies meets the standard recommended by the Israeli PPA.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
