Amendment 13 and Your Website
On August 14, 2025, the rules changed for every website in Israel. Up to 2.3 million NIS in fines for non-compliance. The honest guide for business owners — what your site must show now, and why.
Last week I sat in a Tel Aviv cafe with a client of mine who runs a small hair salon. Her website has a simple booking form. "I got an email from the Privacy Protection Authority," she told me. "They want to know how I store my customers' data, for how long, and what my privacy policy says. They said if I don't respond within 30 days — there's a fine."
She hadn't done anything wrong. She launched her site in 2022, added a privacy policy a lawyer's office gave her, and that was it. The problem: on August 14, 2025, the rules of the game changed. Amendment 13 to the Privacy Protection Law entered into force — and with it came new fines, new obligations, and a regulator actually using its powers.
This article isn't legal advice for your specific situation. But as someone who handles both the technical side and the legal side of building websites — I've been seeing the same picture repeat itself for the past 18 months. Business owners discovering their site doesn't comply with the new law, with no idea what to do about it. So I've put together here, in plain English, what every business owner needs to know — and to do.
First — what exactly is Amendment 13?
The Israeli Privacy Protection Law dates back to 1981. It was written before the internet, and for 40 years it aged much slower than the technology around it. Amendment 13 is the most comprehensive overhaul the law has seen since it was written.
It was passed by the Knesset in August 2024, and entered into force one year later — on August 14, 2025. The Privacy Protection Authority (a government body within the Ministry of Justice) published a professional guide on August 21, 2025, summarizing all the new obligations.
What is it trying to fix? Several things — but broadly, it brings Israeli privacy protection up to a standard close to the European one (GDPR). It's not identical to GDPR, but it's very close.
"Amendment 13 is a significant milestone in adapting Israeli law to today's technological reality and strengthening the right to privacy of Israeli residents."
— Privacy Protection Authority, August 2025
The numbers you need to know
Before going into the explanations — here are the four numbers worth memorizing. They change the entire ROI calculation between "compliant" and "ignore it":
For context: the maximum fine before Amendment 13 was about 25,000 NIS. Now it can reach 2.3 million. That's 92x.
Most fines for small businesses won't be 2.3 million. They'll be at the lower end — around 20,000-80,000 NIS per violation. But that's still far more than before. And still enough to make compliance worthwhile.
5 things that changed for a regular business owner
Without walking through every clause — here are the five that affect your business directly:
- Database registration is mostly gone. This is actually good news — before the amendment, you had to register every database with the government registrar (annoying paperwork). That's now drastically reduced. Only "large databases" (over 1 million data subjects) must notify the authority.
- Mandatory disclosure when collecting information. When someone fills a form on your site — you must tell them exactly: what you're collecting, why, where it'll be stored, and for how long. In plain language, not 15 pages of "terms" that no one reads.
- Right to access, correct, and delete. Every citizen can request to see what you have on them, correct it, or delete it. You must have a mechanism — an email, a form, a button.
- Mandatory Data Protection Officer (DPO). Certain organizations — mainly those handling sensitive data or large databases — must appoint an official accountable for privacy. Small businesses are usually exempt. But if you're in healthcare, finance, or education — probably yes.
- Mandatory breach notification. If you get breached — data leak, hacker, even an employee accidentally emailing an Excel out — you have 72 hours to notify the authority, and in some cases the affected individuals too. No notification = additional fine.
5 things to fix on your website — now
Here's the practical part. A focused checklist — go through it one by one and see where you stand:
- Privacy policy updated for Amendment 13. If your policy was written before August 2025 — it probably isn't enough anymore. It must include: what is collected, how, why, who has access, how long it's stored, and how to request deletion. In clear language, not complicated legalese.
- A cookie banner that actually works. No more banners that say "we use cookies, continuing means consent." That isn't real consent. You must offer real choice: Accept / Reject / Customize. Best practice — explain what each cookie category does.
- A notice next to every form. Anywhere you collect information — contact form, newsletter, signup — you need a short notice near the button: "The information you enter here will be stored in X, used for Y, and won't be shared with third parties." One sentence. No more.
- A "user rights" button or mechanism. Somewhere on the site — typically in the footer or "contact" page — there must be a clear place that says: "Want to see what we have on you? Correction? Deletion? Write to us here." A dedicated email or simple form.
- Backups + security + action logs. Not visible on the site, but mandatory: backups, secure storage (HTTPS, strong passwords, restricted access), and action logs — who logged in, when, what they saw. If there's a breach, these are what protect you.
Questions every business owner asks
"I'm small — does this apply to me?"
Yes. The law doesn't distinguish between small and large businesses for the basic obligations. The difference is only in the maximum fine. But even a 20,000 NIS fine hurts, and enforcement of "missing DPO" or "no privacy policy" reaches very small businesses too. This is not selective.
"I don't sell data — so why should I care?"
Protection isn't only about "selling" data. It's about any collection and storage. If you have a contact form that gathers name and phone — you're subject to the law. If you have a CRM with customer emails — you're subject. Even if you never sell that data to anyone.
"My site is purely informational — no forms at all. Surely it doesn't apply?"
There's still something to check. Google Analytics, Facebook Pixel, and other tracking services — they all collect visitor data. Even without a form. So yes, you're subject to certain obligations (cookie banner, basic privacy policy).
"Isn't this basically the European GDPR?"
Close, but not identical. Amendment 13 draws inspiration from GDPR, but there are differences — fine amounts, definitions, when a DPO is required, database registration. If you have European customers — you need to comply with GDPR too. If your customers are only Israeli — Amendment 13 is enough.
"I use Wix / WordPress with the default plugin. Is that enough?"
No. Default plugins from platforms are a generic solution not tailored to Israeli law specifically. Some are decent starting points — but you need to review, update, and sometimes replace.
How atar builds compliant sites — without making it a drama
Every project I take on since 2025 goes through this checklist:
- A custom privacy policy — not a generic template, but a draft describing exactly what your specific site does.
- A proper cookie banner — with real choices, not just "OK".
- Notices near forms — short, clear, plain language.
- A "your rights" button — accessible from the footer.
- HTTPS, security, backups — built in from the start.
- An accessibility statement tailored to the site (a separate law, but related).
This doesn't add much to development time — maybe 4-6 work hours on an average site. But it ensures you don't get the email my client got. It's far cheaper to do this right from the start than to fix it after a notice arrives.
Timeline — what to do now
The bottom line
Amendment 13 isn't a nightmare. It's a checklist. But a checklist with a 2.3M NIS fine at the end.
If your site was built before August 2025 — there are probably 4-5 things that need updating. It's not complicated, but it is urgent. Most fixes take 1-3 work days with an experienced developer.
In short: don't wait to receive an email from the authority. Check now. Fix now. In three months, if you get audited — it'll cost you ten times more.