English
עברית
Français
Deutsch
Русский
Español
简体中文
日本語
Dutch
Türkçe
Language
English
עברית
Français
Deutsch
Русский
Español
简体中文
日本語
Dutch
Türkçe
Home
About us
About us
CV at a glance
Global reach
Pro Bono
What we do
Practice area
The team
Knowledge center
Insights & News
Client updates
Credentials
Doing business in Israel
Barnea blog
Join us
Work at Barnea
Intern at Barnea
Contact
© All rights reserved to Barnea Jaffa Lande Law offices

Together is powerful

Client updates
16 March 2026
by Avishay Klein
Liav Shapira
         
Antitrust and Competition
Banking & Finance
Capital Markets
Corporate
Employment
High Tech
Infrastructure
Internet
Litigation
NPO
Private Clients
Real Estate
Regulation
Tax
White Collar

Israel’s Privacy Protection Authority Issues Position Statement on Consent to Processing of Personal Data and Its Implications for Organizations

Summary

  • Privacy Protection Authority’s position statement: In February 2026, the PPA published the final version of its position statement regarding obtaining consent for the processing of personal data in Israel. This document reflects the PPA’s position on the requirements for acquiring informed consent, following the early 2025 draft and the completion of the public participation process.
  • The PPA’s stance: The position statement presents a stricter interpretation of the law that more closely aligns with international standards, especially the GDPR. Under this approach, data subjects must issue active, free, and informed consent, while the ability to rely on the concept of “tacit consent” found in the law is significantly limited.
  • Practical implications: From a practical standpoint, the position statement imposes more stringent requirements on organizations for obtaining consent, especially via digital interfaces. Noncompliance may lead to supervision, audits, fines, and monetary sanctions. The PPA outlines standards, such as presenting clear, straightforward, and accessible disclosures; avoiding misleading designs or wording; preferring opt-in mechanisms, particularly for sensitive data; making adjustments for unique populations, including minors; addressing power disparities; and providing a convenient opt-out mechanism to withdraw consent at any time.     
  • Preparations for the future: The stricter consent requirements mean that organizations should review their data processing and consent procedures and revise relevant interfaces and documents to minimize regulatory and legal exposure. We recommend that organizations map consent collection junctures, revise privacy policies and agreements, implement opt-out mechanisms, and provide intraorganizational training.  

The Privacy Protection Authority published its final position statement in February 2026 regarding what constitutes valid consent under Israeli privacy protection laws and the rules for obtaining consent, particularly in digital interfaces such as websites and applications.

 

This final position statement is a direct continuation of the draft published in early 2025 and the subsequent public participation process, during which the PPA presented its professional comments and reservations.

 

According to Israeli law, personal data about an individual may be processed either pursuant to legal authorization or with the data subject’s consent.

 

In its final position statement, the PPA presents a stricter interpretation of the law that more closely aligns with the approach used in European law (the GDPR), under which data subjects must issue active, free, and informed consent. At the same time, the PPA limits the possibilities of relying on the concept of “tacit consent” found in the law.

 

In practical terms, the PPA’s interpretation reflects the imposition of more stringent requirements for obtaining consent, particularly in digital interfaces. Failure to comply may lead to audits, fines, and monetary sanctions.

 

Principle of Disclosure and Transparency

In its position statement, the PPA emphasizes the requirement in Section 11 of the Privacy Protection Law, as amended and expanded under Amendment 13 to the Privacy Protection Law, which establishes the principle of adequate disclosure and transparency when collecting personal data from data subjects.

 

Standards for Examining the Validity of Consent

  • Reinforcing transparency and the disclosure obligation: Data subjects must be aware of the consequences of the use of their data. This includes understanding the purposes of the use, the scope of data processing, the types of data collected, the entities to whom the data may be transferred, the associated risks, and their right to refuse to provide such data.
  • Mode of disclosure: Organizations must diligently present the consent and accompanying disclosures in a clear, accessible, straightforward, and understandable manner. Interface design or wording techniques that may mislead users or cause them to provide consent against their will (dark patterns) are prohibited.
  • Validity of “informed” consent: The validity and scope of consent depend on the information actually disclosed to data subjects prior to providing consent. When the disclosure is partial or ambiguous, it may be difficult to rely on such consent, and organizations may be required to demonstrate that they provided sufficient explanations.
  • Preference for active consent (opt-in): Even in instances where relying on tacit consent is permitted, the PPA recommends that organizations seek explicit consent, particularly when processing sensitive data or using it in a way that may significantly infringe upon data subjects’ privacy.
  • Unique populations: When a service primarily targets populations with unique characteristics, such as people with disabilities or minors, organizations must adapt both the presentation of the information and the method of obtaining consent.
  • Contending with power disparities: In circumstances involving significant power disparities—such as employment relations, essential services, or monopolies—the PPA expects organizations to demonstrate that consent was given freely and not due to coercion or lack of alternatives.
  • Withdrawal of consent: The PPA clarifies that data subjects should be able to withdraw consent at any time, in a convenient, simple, and accessible manner, even though this requirement is not explicitly stated in Israeli law.

 

Implications for Businesses and Organizations

The stricter consent requirements require organizations to review and revise their personal data processing procedures, especially those in direct contact with users or customers (B2C). Organizations that fail to adapt user interfaces and consent mechanisms in line with the interpretation presented in the position statement may expose themselves to regulatory sanctions and legal risks, including:

 

  • Supervision and enforcement by the PPA, including demands to change policies and data processing procedures.
  • Termination or suspension of database registration in cases of serious violations.
  • Administrative fines and monetary sanctions for processing data without valid consent.
  • Privacy infringement lawsuits by data subjects, including demands for compensation for infringement of their rights.

 

Recommendations to Clients

To avoid legal and regulatory exposure, we recommend conducting a comprehensive review and revision of consent procedures:

 

  • Map existing consent procedures: Identify junctures at which consent is obtained for the collection and use of personal data and review how data subjects are informed about the intended uses of their personal data, as well as identify junctures where personal data is collected without consent being obtained.
  • Check compliance with the new guidelines: Ensure that explicit, informed consent is being given and that reliance on tacit consent (if at all) occurs only in appropriate circumstances, in accordance with the level of data subjects’ awareness of the implications, including taking into account the sensitivity of the data collected and the power dynamics between the parties.
  • Revise consent mechanisms in digital interfaces (websites and applications): Adapt procedures for different devices (laptops and smartphones), avoid sweeping consents, highlight key disclosures and exceptional uses, and use creative and interactive means of illustration (such as explanatory videos, banners, and images).
  • Revise privacy policies and agreements: Revise privacy policies, articles of association, and commercial agreements to reflect data collection practices, actual data uses, and clear, transparent, and readily understandable consent mechanisms.
  • Consider implementing an opt-out mechanism: Formulate a clear and simple process that enables data subjects to withdraw their consent at any time in cases where there is no real justification for continuing to retain or process their personal data.
  • Train employees and managers: Increase and ensure organizational awareness of the latest requirements and strengthen practices related to transparency toward various data subjects, including customers, end-users, employees, etc.

 

Barnea Jaffa Lande’s PrivacyCyber and AI Department is at your service to assist you in understanding the implications of the PPA’s position statement and the risks deriving from the PPA’s requirements, assessing their impact on your activities, and preparing your organization to comply with the standards presented in the position statement.

 

***

 

Dr. Avishay Klein is a partner and head of the firm’s Privacy, Cyber and AI Department.

Adv. Liav Shapira is a partner in the Privacy, Cyber and AI Department.

 

Tags: Data Protection | Israel’s Privacy Protection Authority | Personal data
// load AI chatbot on test page