The Consent Principle Under Israeli Privacy Law

19.03.2026

On February 25, 2026, the Israeli Privacy Protection Authority ("PPA") published its final amended opinion clarifying the interpretation and application of the consent principle under the Protection of Privacy Law, 1981 ("PPL"), following public consultation.

The opinion reflects the PPA's interpretation of the principle of consent as it shall be implemented in enforcement of the PPL. The PPA reiterates that consent remains a central principle of Israeli privacy law nothing that the opinion does not cover when consent is required but rather how it should be obtained if and when required.

Under the PPL, a violation of privacy is permissible only by virtue of an individual's informed consent or a legal obligation, which are the only legal bases of processing personal data.

1. Consent must be “informed”. Individuals must receive sufficient information to understand the nature of the processing before agreeing to the processing. In practice, “informed” requires that:

a) Individuals must receive the information reasonably necessary to decide whether to consent, presented in a clear and accessible manner so that they have a real opportunity to understand what types of data are collected, to whom they may be disclosed, whether the provision of the data is mandatory or voluntary, the purposes of processing, and the consequences of refusing to provide the data.

b) Consent may be undermined if the presentation is not reasonably understandable or the documents are not reasonably accessible (long, complex, hard-to-find policies).

c) The validity and scope of consent depend on the circumstances of the processing and on the information disclosed at the time consent is obtained. Consent is not a "blank check." Statements like "amongst others" or "etc." for types of data and purposes can undermine consent.

d) Separate prominent notice is recommended when purposes materially differ from the core transaction or for especially sensitive data that does not meet user expectations.

e) Consent notice should be adapted when the services are intended for special populations, i.e., accessibility needs.


f) Third-party recipients can be mentioned by category (e.g., advertising companies, law enforcement); specific identification (such as company name) is not required. However, broad categories of recipients (i.e., technology companies) may be insufficient.

Compliance with PPL Section 11 notice items is a minimum requirement sufficient for the notification obligation but may be insufficient for “informed” consent, especially in cases of significant power imbalances, sensitive processing, high-impact privacy violations, or novel technologies. In such cases, the additional material information relevant to the individual's decision must be provided.

2. Consent must be given freely. Consent in an unbalanced relationship (i.e., employment, essential services, monopolies) may be "suspicious," shifting the burden to the data controller to demonstrate free choice, for example, by providing reasonable alternatives or avoiding conditioning the provision of services on unnecessary data collection. If a person cannot realistically refuse, it is difficult to view consent as free. Nevertheless, the opinion mentions that consent may still be valid without a practical alternative if the personal data is necessary to provide the service. In the context of employee–employer relations and in the public sector, the consent request should also comply with the proportionality principle. In addition, the PPA warns against the use of manipulative interface designs (“dark patterns”) that may improperly influence users’ decisions regarding consent.

3. Consent may be explicit or implied. While the PPL recognizes both forms, the PPA notes that reliance on implied consent should be approached cautiously, particularly where the processing may significantly affect individuals’ privacy. However, an important statement in the opinion states that use of digital services may be deemed as implied consent (i.e., continued browsing after adequate disclosure). However, case law has narrowed the ability to infer consent from behavior. Silence or lack of objection in themselves do not generally constitute valid consent, unless circumstances show actual intent and the individual has the required awareness. In addition, the PPA outlines that oral consent is hard to prove and should be documented. Similarly, physical gestures (like nodding) may be insufficient. Even if implied consent is allowed, it is preferable to obtain explicit consent for processing sensitive information or in cases of severe harm to privacy.

4. Consent must be limited to the purposes for which it was obtained. The guidance emphasizes the importance of the purpose-limitation principle. Personal data collected on the basis of consent may only be used for the specific purposes for which that consent was obtained. Any additional or materially different use of the personal data requires new consent from the data subject.

5. Consent mechanisms: opt-in and opt-out. Both opt-in and opt-out consent mechanisms are allowed. However, from a practical perspective, the PPA encourages organizations to favor active opt-in mechanisms over passive opt-out models. When processing purposes are not tied to the core transaction, opt-in is recommended, while opt-in is required for profiling and direct mailing services.

6. Withdrawal of Consent. It is recommended that withdrawal of consent be considered favorably even where consent is not legally revocable (particularly where continued processing would severely harm privacy), but it is not necessary when continued processing is justified by legal or regulatory obligations, security needs, or other legitimate interests such as legal defense. Withdrawal does not retroactively make prior processing unlawful and does not necessarily require deletion. Withdrawal can be denied if it is technologically impossible or requires unreasonable resources.

7. Practical Aspects of the Opinion:

a) Continued browsing of a website is sufficient to constitute consent when a privacy policy is posted on a website with a prominent reference to the policy (even if the link to the policy itself is in the footer or elsewhere).

b) The opinion is silent with respect to notification and consent regarding cookies and tracking technologies, but we believe that the rule on continued browsing of a website will also apply in relation to cookies (taking into account all the other provisions of the opinion, i.e., additional purposes, notification regarding transfer to third parties, etc.).

c) If the service is more technologically complex or sensitive data is collected, or the purposes are not within the scope of reasonable expectation, it is recommended that, in addition to the general privacy policy, additional and separate information regarding these matters will be provided.

d) For the first time, the PPA, in the context of examining withdrawal of consent and the protections in section 18 of the PPL, presents the principle of legitimate interest as a possible basis.

e) The opinion applies stricter requirements regarding the processing of sensitive data, also for the first time in Israeli law.

 

Article provided by INPLP members: Dalit Ben-Israel (Naschitz, Brandes & Amir, Israel)

Co-author: Elise Fitoussi

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)l

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.