GDPR, Cookies, and Consent: What Israeli Website Owners Need to Know in 2026

The privacy landscape for Israeli website owners has shifted dramatically. Between Israel’s own Amendment 13 to the Protection of Privacy Law, the European GDPR, and Google’s Consent Mode v2 requirements, it’s no longer enough to slap a generic cookies banner on your site and call it a day. This article breaks down what’s actually required, what’s coming, and practical steps for WordPress site owners to get compliant.

The Israeli Privacy Law: Amendment 13 and the Cookie Question

Israel’s Protection of Privacy Law (PPL) has been in place since 1981, but Amendment 13—which took effect on August 14, 2025—represents the most significant overhaul in the law’s history. It aligns Israel’s data protection framework more closely with the GDPR by introducing stricter consent requirements, mandatory Data Protection Officers (DPOs) for qualifying organizations, enhanced enforcement powers for the Privacy Protection Authority (PPA), and expanded definitions of sensitive data.

Here’s the thing that confuses many Israeli site owners: Amendment 13 does not explicitly address cookies. As noted in the ICLG Data Protection guide for Israel, there is no explicit reference to cookies in Israel’s primary privacy law. The PPA has only addressed cookie consent in limited contexts—specifically in recommendations regarding payment and financial applications—where it advised using an opt-in model for non-essential cookies. To date, the PPA has not taken any enforcement action in relation to cookies.

However, in February 2026, the PPA published its final position statement on consent, adopting a stricter interpretation that closely mirrors the GDPR approach. Under this position, data subjects must provide active, free, and informed consent. The PPA explicitly prohibits “dark patterns”—interface design or wording techniques that mislead users or cause them to consent against their will. The ability to rely on “tacit consent” is now significantly limited.

As a Mondaq review of 2025 privacy developments observes, many Israeli companies have already interpreted Amendment 13 as requiring cookie pop-ups, even though the amendment does not specifically address cookies. Because Israeli case law on this issue remains limited, courts and the regulator are expected to look to European guidance when interpreting these requirements.

Bottom line: While a full EU-style cookie banner isn’t technically mandated yet by Israeli law alone, the direction is clear. The PPA is pushing toward GDPR-equivalent consent standards, and if you’re collecting any personal data through cookies, you should be obtaining proper consent now rather than waiting for enforcement to catch up.

Israeli Startups Serving European and American Users: No Shortcuts

If your startup—or any Israeli business—serves users in Europe or the United States, the question isn’t whether Israeli law requires cookies consent. The question is whether the GDPR, ePrivacy Directive, CCPA, and the growing patchwork of US state privacy laws require it. And the answer is yes.

The GDPR applies to any organization that processes personal data of individuals in the European Economic Area (EEA), regardless of where the organization is based. If your SaaS product, mobile app, or e-commerce site has even a small percentage of European users, you are in scope. The same logic applies under CCPA and the now 19+ US state privacy laws active as of early 2026.

Amendment 13 reinforces this from the Israeli side as well. As IAPP notes, under specific 2023 regulations enacted to maintain Israel’s European Commission adequacy status, personal data transferred to Israel from the EEA is subject to additional obligations. Controllers must ensure data accuracy, limit retention, and provide deletion mechanisms for EU-origin data. The PPA now has substantial powers to enforce these regulations.

For Israeli startups, the practical implication is straightforward: if you have international users—and in the SaaS and tech world, you almost certainly do—you need full GDPR-compliant consent management. This means a proper cookie consent banner, real opt-in (not pre-checked boxes), granular consent categories, and documented consent records. Treating this as optional risks not only legal liability but also losing Google Ads functionality, as we’ll cover next.

Google Consent Mode v2: The Technical Enforcement Layer

Even if you aren’t convinced by the legal arguments, Google has made the business argument impossible to ignore — at least for anyone running Google Ads. Since March 2024, Google Consent Mode v2 has been mandatory for all advertisers using Google Ads that target users in the EEA and UK. Without proper consent signals, Google blocks your remarketing tags, your audience lists stop populating, and your conversion tracking becomes unreliable. This is hard enforcement, tied directly to the EU’s Digital Markets Act.

What about GA4 without Google Ads? If you’re running GA4 purely for analytics — no Google Ads, no remarketing, no audience sharing with advertising products — Consent Mode v2 is not technically mandatory. GA4 will still collect data. However, there are practical consequences. As Google’s GA4 documentation explains, if your GA4 property is linked to any Google advertising product and you take no action, only users outside the EEA will be included in shared audiences. You also lose GA4’s behavioral modeling — where Google estimates analytics data from users who declined cookies — which only activates with Advanced Consent Mode implemented. Without it, non-consenting users are simply a gap in your data.

The moment Google Ads enters the picture, GCM v2 is non-negotiable.

Consent Mode v2 introduced two new parameters beyond the original version: ad_user_data (controlling whether Google can collect user data for advertising) and ad_personalization (controlling whether that data can be used for personalized ads). These join the existing analytics_storage and ad_storage parameters.

The system works in two modes:

Basic Mode: All Google tags are completely blocked until the user clicks “Accept.” You lose all data from users who decline.
Advanced Mode: Google tags fire in a restricted state before consent, sending anonymous, cookieless pings. Google’s AI models then use this data to estimate conversions from non-consenting users. According to Google’s documentation on conversion modeling, this helps recover lost conversion data and improves bidding strategies.

For the system to work, you need a Google-certified Consent Management Platform (CMP) that correctly communicates all four v2 consent parameters to Google’s tags. It’s tempting to hardcode the consent logic yourself — I’ve tried it too — but as Bounteous documents in their analysis of common Consent Mode mistakes, custom-coded consent states are one of the most costly errors in GCM setups: tags fire twice or not at all, consent updates get lost, and sessions break. Google’s own documentation explicitly recommends using a certified CMP rather than rolling your own. The two most practical options for WordPress site owners are Complianz and Cookiebot, each with distinct strengths and weaknesses.

Complianz + GTM: Step-by-Step Setup Guide

Complianz – GDPR/CCPA Cookie Consent is a WordPress-native privacy suite used on over 1 million sites. It’s a Google-certified CMP and supports Consent Mode v2 natively. For WordPress developers who want full control, local data storage (no external server calls for the banner itself), and deep GTM integration, it’s the strongest option.

Important: Consent Mode v2 support requires Complianz Premium. The free version does not include this feature.

Prerequisites

Before you touch any settings:

Remove ALL manually added Google scripts — from your theme’s header.php, functions.php, custom code snippets plugins, or wherever you’ve pasted Google Analytics, Google Ads, or GTM snippets. Everything will go through Complianz now.
Check your other plugin integrations — if you have Site Kit, MonsterInsights, Google Analytics for WooCommerce, or GTM4WP installed, you’ll need to handle them carefully (see the GTM4WP section below). Go to Complianz → Integrations → Plugins and note which integrations are currently enabled.

Note: If you’re using Google Site Kit (rather than GTM directly), Complianz requires the WP Consent API plugin for compatibility. For a standard Complianz + GTM setup without Site Kit, you don’t need it.

Step 1: Configure Statistics in the Complianz Wizard

Go to Complianz → Wizard → Consent → Statistics and select “Yes, and Google Tag Manager fires this script”.

Click Save and Continue. On the Statistics Configuration page:

Enter your GTM container ID (format: GTM-XXXXXXX)
Select “Yes” when asked “Will you be using our Tag Manager template?”
When asked “Do you want to block all Google Tags before consent?” — select “No”

Selecting “No” here is important. This enables Advanced Mode, which means Google tags will load on page load but operate in a restricted, cookieless state until consent is given. This is what allows Google’s conversion modeling to work — recovering conversion data even from users who decline cookies.

As the Complianz documentation explains: the expected behaviour is that the Google script is loaded before consent has been given, but the cookies are fired only after consent has been given.

Note: If certain options on the Statistics Configuration page appear unavailable or grayed out, this is caused by an integration like Site Kit or MonsterInsights being enabled under Complianz → Integrations. Disable it there first.

Step 2: Install the Complianz Template in Google Tag Manager

Log into your GTM dashboard and open your website’s container:

Go to Tags → New → Tag Configuration
Click “Discover more tag types in the community template gallery”
Search for “Complianz” and click “Add to workspace”
The Default Consent State settings will appear pre-configured for Consent Mode v2. Don’t change these defaults — they’re set correctly out of the box.
Under Triggering, assign the “Consent Initialization – All Pages” trigger. This ensures the consent state is initialized on every page before any other tags fire.

The result: a Complianz tag with the “Consent Initialization – All Pages” trigger attached.

Alternatively, you can download the complete Complianz GTM container which includes all triggers and variables pre-configured, and import it directly into your GTM workspace.

Step 3: Configure Your Google Tags

For Google tags (GA4, Google Ads), the setup is straightforward because these tags natively understand Consent Mode signals:

Assign the standard “All Pages” trigger to your Google tags
That’s it — Google tags will automatically adjust their behavior based on the consent signals from Complianz. They load on every page but respect the denied/granted state.

Do not add additional consent checks or custom triggers to Google tags. The Complianz documentation explicitly states they don’t support “additional consent checks” on Google tags, and using them can break the integration.

Step 4: Configure Non-Google Tags (Facebook Pixel, etc.)

Non-Google tags (Facebook Pixel, custom HTML scripts, LinkedIn Insight, etc.) do not natively support Google Consent Mode. For these, you need to use Complianz’s custom event triggers to block them until consent is given:

Consent Category	Custom Event Trigger
Functional (always granted)	`cmplz_event_functional`
Preferences	`cmplz_event_preferences`
Statistics	`cmplz_event_statistics`
Marketing	`cmplz_event_marketing`

So for a Facebook Pixel tag, you’d assign the cmplz_event_marketing trigger. The tag will not fire until the user explicitly accepts marketing cookies. For a Hotjar or similar analytics script, use cmplz_event_statistics.

These triggers are included in the downloadable GTM container from Complianz. You can also create them manually as Custom Event triggers in GTM using the event names above.

For a detailed walkthrough of manual trigger creation, see the Definitive Guide to Tag Manager and Complianz.

Step 5: If You Use GTM4WP

If you have the GTM4WP (Google Tag Manager for WordPress) plugin installed, there’s a conflict to resolve because both Complianz and GTM4WP will try to inject the GTM snippet:

In GTM4WP settings → General, set Container code ON/OFF to Off. Complianz now manages the GTM snippet.
In Complianz → Integrations → Plugins, set the GTM4WP integration to Off. This prevents Complianz from blocking GTM4WP’s scripts, keeping your Google tags in Advanced Mode.

As the Complianz GTM4WP guide notes, you must handle both settings — missing either one results in duplicate GTM implementations or broken consent signals.

Step 6: LiteSpeed Cache Exclusions (Critical for Hostinger Users)

If you’re using LiteSpeed Cache (the default on Hostinger), you must exclude Complianz scripts from JavaScript optimization. Complianz’s caching guide documents this thoroughly. The JavaScript delay feature will break consent tracking if Complianz scripts get deferred.

In LiteSpeed Cache → Page Optimization → Tuning:

JS Excludes — add these entries:

complianz
cmplz
complianz-gdpr-premium/pro/tcf/build/index.js
complianz-gdpr-premium/pro/tcf-stub/build/index.js
complianz-gdpr-premium/cookiebanner/js/complianz.min.js

If you’ve set Load JS Deferred to Deferred or Delayed under JS Settings, add the same entries to JS Deferred/Delayed Excludes as well.

CSS Excludes (under Tuning – CSS tab) — also add:

cmplz
complianz-gdpr-premium/assets/css/*
complianz-gdpr-premium/cookiebanner/css/*

Step 7: Verify Your Setup

Open your site in an incognito window and don’t interact with the cookie banner. Open the Developer Console (F12) and paste this verification script from Complianz.

Before consent, you should see:

analytics_storage: denied
ad_storage: denied
ad_user_data: denied
ad_personalization: denied
functionality_storage: granted
security_storage: granted

Now click Accept All on the banner and run the script again. Everything should switch to granted.

You can also verify using the Google Tag Assistant Chrome extension, which shows consent signals in real-time. Google provides a verification guide for Tag Manager implementations as well.

Cookiebot: Solid GCM v2, Unreliable Cookie Scanner

Cookiebot by Usercentrics is a cloud-based CMP with Google Gold Tier certification for Consent Mode v2. Its integration with Google’s consent signals is robust, and it handles geo-targeting well — showing different banners to visitors from different jurisdictions. For a small site that needs a quick setup, it works.

Where Cookiebot Excels: Google Consent Mode v2

Cookiebot’s Consent Mode v2 implementation is straightforward and reliable. As CyberNews notes in their 2026 review, it works smoothly with Google Consent Mode v2, supports over 40 languages, and automatically adapts banners for different regions. The geo-targeting feature is particularly useful for Israeli sites that serve both local and European traffic — you can show an EU-compliant opt-in banner to European visitors while displaying a simpler notice to Israeli visitors.

Where Cookiebot Falls Short: The Cookie Scanner

Cookiebot’s automatic cookie scanner — which crawls your site monthly to detect cookies and trackers — has well-documented reliability issues:

Missed cookies: The scanner frequently fails to detect all cookies on a site. WordPress.org support threads document cases where cookies visible in browser DevTools don’t appear in Cookiebot’s scan results. As Cookiebot’s own documentation acknowledges, if the scanner can’t identify the source script, unclassified cookies won’t be blocked prior to consent — and the report flags this as a compliance issue.
Consent-dependent cookies go undetected: Cookiebot disclosed in 2025 that their scanner can’t detect cookies from services that require consent signals before setting cookies (like Microsoft Clarity’s updated EU behavior). Since the scanner can’t trigger consent, these cookies simply don’t appear in scan results.
Page count inflation and pricing: Multiple G2 reviews and Trustpilot reviews report that the scanner inflates subpage counts, affecting pricing tiers. Plans automatically upgrade when the detected count exceeds a tier, leading to unexpected charges.
External script performance: As the Style Factory review notes, because Cookiebot runs as an external script loaded from their servers, it can have a measurable impact on site performance, particularly on ad-heavy pages. The scanner also only runs once per month, meaning new plugins or tracking scripts added mid-month won’t be reflected until the next scan.

Practical Recommendation

If you use Cookiebot, don’t rely on its scanner as your sole method of cookie auditing. Manually verify your site’s cookies using browser DevTools or a dedicated audit tool. Where Cookiebot genuinely shines is in its Consent Mode v2 signal handling — use it for that, and manage your cookie inventory independently.

Summary: What Israeli Site Owners Should Do Now

Don’t wait for a specific Israeli cookie law. The PPA’s February 2026 position statement on consent makes clear that the direction is GDPR-aligned. Implementing proper consent management now protects you from both current enforcement and coming regulations.
If you have any international users, treat GDPR compliance as mandatory. Israeli startups serving European or American markets are already in scope. Amendment 13’s data transfer obligations add another layer of accountability.
If you run Google Ads or use Google Analytics, implement Consent Mode v2 immediately. Without it, your remarketing audiences will shrink, your conversion tracking will degrade, and your campaigns will lose effectiveness. Use a Google-certified CMP — don’t try to build consent logic yourself.
For WordPress sites, Complianz Premium with GTM is the recommended setup. It gives you local data storage, a Google-certified CMP, native WordPress integration, and full control over tag firing.
If using Cookiebot, rely on it for consent signals but audit cookies independently. Its GCM v2 integration is solid, but the automatic cookie scanner has documented blind spots.
Watch your caching plugins. JavaScript delay features in LiteSpeed Cache, WP Rocket, and similar tools will break consent signal timing. Always exclude Complianz scripts from optimization.

This article is provided for informational purposes and does not constitute legal advice. Consult with a qualified privacy professional for compliance decisions specific to your organization.