
Website Privacy Policy — Amendment 13 + GDPR

The website privacy policy is the most public legal interface of your organization with data subjects. Amendment 13 expanded the transparency duty; GDPR adds another layer for European users. Here is what an updated policy looks like in 2026, the mandatory clauses, the common pitfalls, and how it differs from the cookie policy and the internal privacy policy.

What is a website privacy policy vs. internal policy

These are two different documents that are often confused. A website privacy policy (Privacy Notice) is an external document, intended for site visitors and users, explaining what data the organization collects about them, why, how, and for how long. It is the legal interface between the organization and the public. An internal privacy policy (Privacy Policy) is an internal document, intended for employees, describing how the organization handles personal data inside — what employees are allowed and not allowed to do with the data, what the breach procedure is, who the DPO is. Both are required under Amendment 13, but for different audiences and different purposes. Confusing the two — and especially publishing the internal policy on the website — is one of the most common mistakes we see.

Amendment 13 mandatory clauses (who collects, what, why, how long)

Amendment 13, which took effect in 2025, expanded the duty of transparency. A website privacy policy must include at minimum: (1) Identity of the controller — full legal name of the organization, registration number, address, phone, contact email; (2) Types of data collected — by data category (contact details, behavioral data, location data, payment data); (3) Purposes of processing — for each data type, why we collect it; (4) Sources — directly from user, from public sources, from third-party vendors; (5) Recipients — to whom data is transferred (CRM vendors, mailing systems, payment processors, foreign subsidiaries); (6) Retention period — how long we retain, and on what basis; (7) Data subject rights — access, correction, deletion, objection; (8) DPO contact; (9) Last update date.

Additional GDPR-relevant clauses

If you have European users (and almost every Israeli site does) — GDPR applies in addition to Amendment 13. The policy must add: (1) Legal basis for each processing — consent, contract, legal obligation, legitimate interest; (2) Cross-border transfers — to which countries, on what legal basis (SCCs, adequacy decision); (3) Right of complaint — to the supervisory authority in the user’s EU member state; (4) EU representative if applicable; (5) Automated decision-making if relevant — explanation of logic and ability to challenge. For organizations heavily exposed to the European market, this is a critical layer. See the SaaS & startups sector page for additional context.

DPO contact in the policy

Amendment 13 requires that the DPO contact details appear in a place easily accessible to data subjects. Standard practice: a dedicated section in the privacy policy titled "Contacting the Data Protection Officer" with name, email (a dedicated DPO mailbox like dpo@company.com rather than a personal email), and phone. The DPO appointment must be properly documented internally — see DPO appointment letter. The Authority does verify, in random checks, that the email actually works and that there is a real person responding — not an unmonitored mailbox.

Data subject rights — access, correction, deletion

Under Amendment 13 every data subject has the right to: (a) Access — request a copy of all data the organization holds about them, within 30 days; (b) Correction — request correction of inaccurate data; (c) Deletion — under defined conditions (no longer necessary, withdrawal of consent, illegal collection); (d) Objection — to processing for direct mailing or profiling; (e) Portability — under GDPR — receive data in a machine-readable format. The policy must explain the rights clearly and provide a working channel to exercise them. Many sites write "to exercise rights please contact us" without providing a concrete email — and this is a finding.

Informed consent and cookie policy

The website privacy policy and the cookie policy are two separate documents, even if they sometimes appear on the same page. The privacy policy covers data collection in general; the cookie policy covers specifically tracking technologies — cookies, pixels, fingerprinting. In an Israeli site marketing to European users, an explicit consent mechanism is required (cookie banner with granular opt-in) — not just notice. The cookie policy must include a list of all cookies in use, by category (necessary, functional, analytics, marketing), with details of vendor and retention period.

Updating the policy and versioning

A privacy policy is a living document. Every time the organization changes how it processes data — adds a new vendor, launches a new product, changes the retention period — the policy must be updated. Best practice: (1) Last update date at the top of the policy; (2) Versioning — keep an internal log of versions; (3) User notification upon material change — email or login banner; (4) Quarterly review alongside the security procedure. Major changes (new data type, new significant vendor) require explicit re-consent — not just publication.
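The two requirements above that have a technical side are the granular opt-in consent mechanism for non-necessary cookies and the rule that a material change to the policy requires explicit re-consent rather than mere publication. The following is an added example written for this page, not code from the original page or from any product; it models granular consent as pure logic (no DOM) so it runs under Node, and the site would wire it to its banner buttons and to the script tags it gates. The cookie names, vendors, retention periods and the POLICY_VERSION value are constructed placeholders, not a real inventory.

```javascript
// Added example (not from the original page): granular cookie-consent model
// plus a cookie inventory that feeds the cookie policy's cookie table.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Version of the cookie policy the consent was given for. Bump it whenever a
// material change (new data type, new significant vendor) requires re-consent.
const POLICY_VERSION = "2026-01"; // constructed placeholder

// Constructed sample inventory; names, vendors and retention periods are
// illustrative and must be replaced by the site's real cookie audit.
const COOKIE_INVENTORY = [
  { name: "session_id", category: "necessary",  vendor: "first-party",      retention: "session" },
  { name: "ui_lang",    category: "functional", vendor: "first-party",      retention: "12 months" },
  { name: "_ga",        category: "analytics",  vendor: "Google Analytics", retention: "13 months" },
  { name: "_fbp",       category: "marketing",  vendor: "Facebook Pixel",   retention: "3 months" },
];

// Opt-in default: before the user decides, only strictly necessary cookies are allowed.
function defaultConsent() {
  return { version: POLICY_VERSION, necessary: true, functional: false, analytics: false, marketing: false };
}

// Record one granular choice. The "necessary" category cannot be switched off.
function applyChoice(consent, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "necessary") return { ...consent };
  return { ...consent, [category]: Boolean(granted) };
}

// Cookies the site may set under the given consent state.
function allowedCookies(consent, inventory = COOKIE_INVENTORY) {
  return inventory.filter(c => consent[c.category] === true).map(c => c.name);
}

// Cookies that must not be set (and should be deleted) under the given consent state.
function blockedCookies(consent, inventory = COOKIE_INVENTORY) {
  return inventory.filter(c => consent[c.category] !== true).map(c => c.name);
}

// Group the inventory by category for rendering the cookie policy's table
// (name, vendor, retention per category). Unknown categories are rejected so
// an unclassified cookie cannot silently slip past the banner.
function inventoryByCategory(inventory = COOKIE_INVENTORY) {
  const out = {};
  for (const cat of CATEGORIES) out[cat] = [];
  for (const c of inventory) {
    if (!(c.category in out)) throw new Error("cookie " + c.name + " has unknown category " + c.category);
    out[c.category].push({ name: c.name, vendor: c.vendor, retention: c.retention });
  }
  return out;
}

// Serialize for storage in a first-party consent cookie or localStorage.
function serializeConsent(consent, decidedAt) {
  return JSON.stringify({ ...consent, decidedAt });
}

// Parse a stored consent record. Anything missing, malformed, or given for an
// older policy version falls back to the opt-in default and asks the caller to
// show the banner again: explicit re-consent after a material change.
function parseStoredConsent(raw) {
  const reprompt = { consent: defaultConsent(), needsPrompt: true };
  if (typeof raw !== "string" || raw.length === 0) return reprompt;
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return reprompt; }
  if (!obj || obj.version !== POLICY_VERSION) return reprompt;
  const consent = defaultConsent();
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    consent[cat] = obj[cat] === true; // anything but an explicit true counts as refused
  }
  return { consent, needsPrompt: false };
}
```

The design choice worth noting is that the stored record is never trusted beyond its version: a consent given under an older POLICY_VERSION is discarded, which is how "explicit re-consent, not just publication" becomes enforceable in code rather than a sentence in the policy.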

Common pitfalls I see with clients

The five most common pitfalls: (1) Generic template translated from English that does not match the actual organization — referencing data types not collected, omitting types that are; (2) Buried under another menu — Amendment 13 requires the policy to be easily accessible, meaning a clear footer link on every page; (3) No update for years — last update date 2019, while in 2025 Amendment 13 came into effect and demands new disclosures; (4) Mixing with terms of use — these are two different legal documents and merging them creates a legal mess; (5) Inconsistency with the database definition document — see database definition document. Anything in the database definition document that does not appear in the policy is a transparency failure under Amendment 13.

How we help

In the DPO as a Service retainer we deliver an Amendment 13 + GDPR compliant privacy policy as part of the initial onboarding package — usually within 3-4 weeks from start, after a brief mapping of databases and vendors. The policy is delivered in Hebrew and English, aligned with the database definition document, and updated quarterly as part of the retainer. For organizations that just want a one-off policy without ongoing service — we offer a 12,000-25,000 ILS project with one-year handoff and update.

Frequent questions about website privacy policy

Can I just copy a privacy policy from a similar website?

Technically yes, legally no — and practically it is dangerous. The privacy policy is a legal declaration about your specific organization, how it collects data and what it does with it. A policy copied from another organization will inevitably contain inaccuracies — vendors you do not work with, data types you do not collect, retention periods that do not match your reality. In an audit or lawsuit, every gap between policy and reality becomes evidence against you. Worse: many sites copy from American templates that do not match Amendment 13. A custom Israeli policy costs 8,000-20,000 ILS — significantly cheaper than the risk.

Is a privacy policy required even on a simple marketing site without registration?

Yes, if you collect any personal data. A contact form? A newsletter signup? A cookie banner? Google Analytics? All these collect data. Most marketing sites use at least one third-party service (Analytics, Facebook Pixel, HubSpot, Calendly) that collects identifying data. Amendment 13 applies to any controller. The only fully exempt site is purely informational with no forms, no tracking, no logs. Such a site does not really exist in 2026.

Do I need a separate Hebrew and English version?

If your site has Hebrew and English versions — yes, two parallel policies. If your site is only Hebrew but you have international users — Hebrew is mandatory, and English is highly recommended. The Israeli Privacy Authority expects the policy in the language the user actually uses. GDPR expects the policy in the language of the EU user. Translation is not enough — sometimes legal concepts do not map directly and the policy must be linguistically adapted. A bilingual policy in both languages, written by a person who understands both legal systems, is the right standard.

Should the privacy policy be on a separate page or part of the terms of use?

Separate page. Always. The privacy policy and the terms of use are two different legal documents that grew from different laws and serve different purposes. Privacy policy = Amendment 13 transparency duty. Terms of use = service contract. Merging them creates confusion, weakens consent (you cannot say a user consented to data processing when they signed a 30-page terms-of-use document), and is also less reader-friendly. Industry standard: two separate links in the footer, each leading to a dedicated page.

How long should the privacy policy be?

There is no fixed answer. For a simple marketing site without registration — 4-6 pages are sufficient. For a SaaS with a complete user system — 10-15 pages. For a financial platform or healthcare service — 20-30 pages, because the regulatory requirements multiply. The key principle: everything Amendment 13 requires must appear, and nothing the organization does not really do should appear. Length is a result of complexity, not a goal in itself. A 50-page policy nobody reads is worse than a 6-page focused policy.

What happens if I do not have a privacy policy at all?

Direct breach of Amendment 13 and the Privacy Protection Law. In an Authority audit — automatic finding. Heightened risk of a class action lawsuit (in Israel — Article 31a of the Privacy Protection Law). Heightened risk of GDPR complaints if you have European users (fines up to 4% of global turnover or 20 million euros). And the practical aspect: every serious customer and every serious vendor will ask to see the privacy policy as part of the vendor onboarding process. Lack of a policy = lost business.

Who needs to approve the privacy policy?

Mandatory: CEO or Board (depending on the organization). Recommended: DPO (if appointed), legal counsel, Information Security Manager. In a public company — Audit Committee. In a regulated organization (HMO, bank, insurance company) — the dedicated compliance committee. The signature appears formally on an internal approval document, not on the public policy itself. The public policy carries the date of approval and the date of last update.

Is the privacy policy included in DPO as a Service?

Yes. DPO as a Service includes initial writing of the website privacy policy in Hebrew and English, alignment with the database definition document, and quarterly updates. Also included: drafting the cookie policy, internal privacy policy (for employees), and the employee privacy policy. For an organization just starting out — this is usually one of the first deliverables, within 3-4 weeks of onboarding.

Need a privacy policy that actually fits your organization?

30-minute call, draft within two weeks, signed final within a month.

DPO as a Service details