What Foreign Organizations Need to Know
After a year-long consultation process, the Israeli Privacy Protection Authority (PPA) published a final opinion in February 2026 clarifying how consent should be obtained and assessed under Israeli privacy law. The opinion is expected to play a central role in regulatory enforcement following the entry into force of enhanced enforcement powers under Amendment 13 to the Protection of Privacy Law. For foreign companies and privacy professionals, the document is significant because it clarifies how Israel’s consent‑based system operates - a system that differs in important ways from the EU GDPR model.
Executive summary
Israeli privacy law recognises only two lawful bases for processing personal data: the data subject’s informed consent or specific legal authorisation. Unlike the European GDPR, there is no inherent concept of a multi-basis framework; other bases exist only to a limited extent, mainly as a defence against breach.
Importantly, consent under Israeli law is not equivalent to GDPR consent. In many circumstances, consent may be implied and opt‑out mechanisms remain a lawful way of obtaining consent in specific situations. This marks a significant difference from the stricter requirements of the European model.
The Privacy Protection Authority’s recent opinion brings the concept of consent closer to the GDPR and provides further clarity on several critical aspects. It sets out what constitutes “informed consent”, specifies when implied consent is valid, and clarifies the circumstances in which opt‑in consent is required. Additionally, it outlines situations where a defence might apply in cases of alleged breach.
The structural context: consent under Israeli privacy law
Under the Protection of Privacy Law, processing of personal data is lawful only if it is carried out with the data subject’s informed express or implied consent, or pursuant to specific legal authorisation. Unlike the GDPR, Israeli law does not recognize multiple alternative lawful bases such as legitimate interests, contractual necessity, or vital interests. As a result, consent plays a far more central role in Israeli privacy law than in the European framework.
Israeli consent is not GDPR consent
A second critical point for foreign audiences is that consent under Israeli law is conceptually different from consent under the GDPR.
While GDPR consent is narrowly construed and intended as a residual legal basis, Israeli consent may be explicit or implied, derived from conduct, embedded in contractual arrangements (thereby making transactions conditional on consent), or implemented through opt-in mechanisms, provided adequate notice is given. In practice, Israeli regulators and courts have traditionally evaluated consent primarily through the lens of reasonable expectations, rather than through rigid formal requirements. The PPA’s 2026 opinion refines and qualifies this approach.
What the PPA’s February 2026 opinion clarifies
The opinion places strong emphasis on “informed consent”. Consent, whether explicit or implied, must be based on a real understanding of what personal data is collected, for what purposes it is used, and the consequences of consent or refusal.
Importantly, the PPA stresses that compliance with the statutory duty to provide notice is a minimum requirement, but not always sufficient to establish informed consent. In certain circumstances, such as power imbalances (including, interestingly, when the controller has a dominant position), heightened privacy risks, or the use of new technologies, the Authority expects enhanced disclosure, presented clearly and prominently.
Implied consent remains possible, but…
Contrary to early concerns raised by the draft version of the opinion, the final text confirms that implied consent remains permissible under Israeli law, including in digital environments.
However, implied consent is valid only where the data subject was properly informed, the processing aligns with the legitimate expectations arising from the interaction, and the individual had a genuine opportunity to object or opt out (unless the processing is necessary and related to the transaction at hand, in which case consent to the processing can be a condition of the transaction).Mere silence, inaction, or failure to read a privacy policy is not sufficient in itself. The assessment is contextual and fact‑specific.
When opt‑in consent is required
The opinion also identifies circumstances in which opt-out or implied consent is insufficient, and explicit consent is required. These include, in particular: secondary or out-of-context uses of personal data that are not integral to the original transaction or service; creation of new profiles or classifications about individuals that exceed what users would reasonably expect; direct marketing activities carried out for third parties (commonly referred to in Israeli law as “direct mail services”); and situations involving significant power imbalances, such as employment relationships. In these scenarios, the PPA expects an affirmative, informed indication of consent.
The role of statutory defences and the emergence of “legitimate interest” terminology
While consent plays a central role in Israeli privacy law, it is not the only mechanism through which processing may be lawful.
The Protection of Privacy Law also provides a list of statutory defences that may justify processing that would otherwise constitute a “breach of privacy”. These defences appear primarily in section 18 of the Law and include, among other things, processing in good faith required to comply with a legal, moral, societal or professional obligation, to protect a legitimate personal interest, or as part of the lawful pursuit of one’s occupation. In addition to good faith, the defences are generally subject to proportionality and are narrowly construed. Unlike the GDPR, these defences are not framed as autonomous lawful bases for processing. Rather, they operate as justifications that may defeat liability for what would otherwise be considered an infringement of privacy. This structural distinction is important: Israeli law does not offer an abstract balancing test at the entry point to processing but instead examines whether the controller can rely on a defence in light of the concrete circumstances.
The PPA’s February 2026 opinion contains a notable linguistic development: the term “legitimate interest” (or variations thereof) appears four times in the final version of the opinion, whereas it did not appear at all in the draft circulated for public consultation.
The use of this terminology signals a degree of conceptual rapprochement with international privacy discourse, while stopping short of importing the GDPR framework into Israeli law.
Within the confines of section 18 defences, the PPA uses “legitimate interest” to explain that “anyone who violates a person's privacy without his consent and wishes to rely for this purpose on [a defence], must meet the requirement of proportionality… This includes being able to point to the legitimate reasons and interests that justify, in his view, his breach of the privacy of the data subject…”
While Israeli law does not formally require organizations to conduct Data Protection Impact Assessments (DPIAs) or Legitimate Interest Assessments (LIAs) (nor does the PPA’s opinion introduce such a requirement), the opinion’s analytical structure strongly suggests that DPIA‑ or LIA‑type assessments can play an important practical role in demonstrating compliance, particularly when relying on statutory defences rather than consent.
Comparison with the GDPR framework
For GDPR‑oriented organizations, the key takeaway from the PPA’s opinion is not convergence, but structural divergence combined with selective conceptual borrowing.
Israeli law has not adopted a multi‑basis lawful processing framework comparable to Article 6 of the GDPR. At the same time, the PPA’s increasing use of the terminology “legitimate interest” within the context of statutory defences and proportionality reflects a growing willingness to engage with global privacy concepts, without importing them wholesale into Israeli law.
Practical implications for international organizations
Organisations operating in Israel, or processing data relating to individuals in Israel, should
Given the PPA’s expanded enforcement powers, the Authority’s interpretation - as articulated in this opinion - is likely to shape supervisory practice in the coming years.
Conclusion
The PPA’s February 2026 opinion does not transform Israel into a GDPR‑style jurisdiction. Instead, it clarifies how a distinctly consent‑based legal system should function in modern digital environments.
Author: