Significant Shift in the Israeli Privacy Protection Authority’s Definition of Consent

The Israeli Privacy Protection Authority (PPA) has issued a new statement introducing a significant change in the interpretation of the law and in the required methods for obtaining consent to the collection and processing of personal data. While the dry wording of the law enabled reliance on tacit or implied consent, the PPA now clarifies that explicit, informed and free consent must be prioritized.

 

The PPA is focusing on section 11 of the Privacy Protection Law, which was recently updated and expanded in Amendment 13 to the Privacy Protection Law and obligates compliance with the principles of disclosure and transparency when collecting data subjects’ personal data.

 

The PPA’s statement clarifies that existing mechanisms for obtaining “consent,” such as pre-marked checkboxes, general notices about use of information, or inference of tacit consent from use of a product or service, may be considered “suspicious consent.” In such instances, the party controlling the data will be obligated to prove that data subjects gave informed and reasoned consent, after fully understanding the purposes of the data collection and use, and to justify the validity of the consents.

What are the main changes?

  1. Limiting reliance on tacit consent (non-explicit consent)

According to the PPA’s new statement, inaction or the absence of objection on the part of a customer or user will not be considered valid consent. Businesses will no longer be able to assume that people are consenting to the processing of their personal data simply because they have not actively objected. Consequently, there is a clear preference for opt-in mechanisms (i.e., the data subject’s active and informed consent), particularly when sensitive information is being collected or whenever inherent power disparities exist between the parties. Furthermore, when it comes to the collection of information that is not essential for the provision of a service, such as profiling or personalized marketing, businesses will no longer be allowed to rely on tacit consents or implied consents due to an absence of an objection or opt-out mechanisms. Businesses will be obligated to obtain explicit and separate consents for each use of personal data that exceeds the primary purpose for which the data were collected. Moreover, sweeping consent clauses in contracts will no longer be considered valid and will have to be meticulously worded, transparent and conspicuously displayed.

  2. Prioritizing transparency and the duty to inform

The PPA states that data subjects must be informed of the implications of use of their personal data, must understand the purposes for which their personal data are being collected and used, the scope of the data processing, the risks involved and their right to refuse. The party requesting consent (the data collector, controller or processor) must provide the relevant information in a clear, accessible and readily understandable manner, particularly to vulnerable populations, such as minors and people with disabilities.

  3. Contending with power disparities and “suspicious consents”

Whenever a material power disparity exists between the parties, such as between employer and employee, between an essential service provider and a consumer or between a public service entity and citizens, the party requesting consent will be obligated to prove that the consent was given freely and not as a result of pressure or the lack of any real alternative. The PPA also stresses that consents obtained through “dark patterns” (interface design techniques that mislead users into giving consent against their will or without any real knowledge of the contents of the consent) could be considered invalid.

  4. Opting out

The PPA clarifies that data subjects who have given their consent must be allowed to retract their consent at any time, to the extent possible, and must be allowed to do so in a convenient, simple and accessible manner. The PPA is demanding that businesses comply with opt-out instructions, especially when further data processing could violate a person’s privacy.

 

The implications for businesses and organizations

The PPA’s more stringent consent requirements obligate companies – especially companies interacting directly with users or customers (B2C) – to review and adjust their personal data processing mechanisms. Companies that fail to do so expose themselves to regulatory sanctions and legal risks, including:

  • supervision and enforcement by the PPA, including demands to revise policies and data processing procedures;
  • suspension or cancellation of database registration in instances of serious violations;
  • administrative penalties and financial sanctions in respect of processing information without valid consents;
  • private lawsuits by data subjects who can demand compensation for violation of their rights.

 

Recommendations to clients

In order to prepare for these changes (assuming that the directive is passed) and avoid legal and regulatory exposure, we recommend that you conduct a comprehensive review of your procedures for obtaining consent, including:

  • Map your existing consent processes – to identify junctures where you request consent for the collection and use of personal data and review how you inform data subjects about the purposes for which you wish to use their personal data, as well as junctures where you collect personal data without requesting consent.
  • Check whether your procedures comply with the new draft directives – to ensure that explicit informed consents are being given, and that tacit consents are only used in the appropriate instances, depending upon the circumstances of the consent collection and the level of the data subject’s awareness of the implications, inter alia, while taking into account the sensitivity of the data you are collecting and the power relations between you and the data subject.
  • Update your privacy policy and agreements – revise your privacy policy documents, articles of association and commercial agreements so that they include detailed, clear, transparent and readily understandable consent mechanisms.
  • Consider implementing an opt-out mechanism – formulate a clear and simple process enabling data subjects to retract their consent at any time, whenever there is no real justification for continuing to retain or process their personal data.
  • Train employees and managers – increase organizational awareness of the new requirements or refresh existing practices in order to ensure that your managers and employees are implementing proper procedures for transparently informing various data subjects, including customers and end-users.

Summary

The Privacy Protection Authority is looking to impose more stringent standards for defining valid consent to the processing of personal data and to more closely align with the corresponding requirements of the European GDPR (general data protection regulation). While this imposes increased obligations on businesses and organizations, it also highlights the need to create practices, raise awareness and formulate transparent and fair privacy policies – both internally and externally.

The PPA’s statement has been published and is now open for public comments until March 24, 2025. We are at your service to provide advice and guidance and to answer any questions in this regard.

***

Dr. Avishay Klein is a partner at Barnea Jaffa Lande & Co. and heads the firm’s Privacy, Cyber and Artificial Intelligence department.

Adv. Liav Shapira is an associate in the department.
