Israel’s New Privacy Law Redefines Email Data Compliance

Israel’s Privacy Protection Law Amendment No. 13 will take effect on 15 August 2025, introducing sweeping changes for any organisation processing the personal data of Israeli residents, regardless of location. The law, passed in 2024, significantly expands both the scope of regulated data and the penalties for non-compliance.

Key Changes

• Broader definitions: “Personal information” and “sensitive information” now include behavioural and profiling data linked to identifiers such as email addresses.
• Mandatory compliance officers: Entities managing large databases must appoint both a Privacy Protection Officer and a Data Security Officer.
• Enhanced data subject rights: Stricter requirements for responding to access, correction, and deletion requests.
• Breach notification: New obligations to report incidents to the Privacy Protection Authority (PPA).
• Fines: Up to 5% of annual turnover or ILS 8 per affected data subject, whichever is higher.

Impact on the Email Industry
For senders, ESPs, and marketing automation platforms, the inclusion of email addresses combined with engagement metrics (e.g., opens, clicks, segmentation data) as potentially sensitive information raises the compliance bar. Tracking, profiling, and cross-border transfers involving Israeli residents will face heightened scrutiny. Operational risk increases sharply for any provider without formal compliance governance.

Recommended Actions for Email Stakeholders

1. Update legal frameworks: Revise privacy notices, consent flows, and processing agreements to align with new definitions.
2. Appoint officers: Ensure designated roles and documented processes for privacy and security.
3. Limit profiling: Reduce the collection and processing of sensitive metrics where not essential.
4. Audit data flows: Verify that outbound transfers meet Israeli contractual and legal requirements.

This amendment places Israel’s regime closer to the EU’s GDPR in scope and enforcement power. Email platforms and senders engaging with Israeli audiences should treat August 2025 as a hard compliance deadline.