israeli-privacy-shield

Israeli Privacy Shield

Critical Note

This skill provides compliance GUIDANCE. It does not replace legal counsel. Recommend consulting a privacy attorney (orech din specializing in prati'ut) for specific compliance decisions.

Instructions

Step 1: Assess Security Level

The 2017 regulations define three security levels:

| Level | Criteria | Key Requirements |
|---|---|---|
| Basic | < 10,000 records, non-sensitive | Access controls, logging, backup |
| Medium | 10,000+ records OR sensitive data | + Encryption, security officer appointment |
| High | Government, health, financial, 100K+ records, or authorized access for 100+ people | + Incident response plan, DPO, plus a security risk assessment and a penetration test at least once every 18 months with documented findings and remediation |

Sensitive data includes: Health, genetics, sexual orientation, political views, criminal record.

Step 2: Database Registration Check

Under the Amendment 13 regime, registration with the Privacy Protection Authority (PPA) is required only if:
  • Database owned or managed by a public body, OR
  • Database contains data on 10,000+ individuals AND the primary purpose is collecting and disclosing personal data to third parties as a business or for value (data brokers)
The broad pre-Amendment requirement covering any database with sensitive data (and the old "Form 1" five-trigger list) no longer applies.
Notification tier (separate from registration). Even where registration is not required, a controller of a database that holds especially-sensitive data on more than 100,000 individuals must submit a notification to the PPA within 30 days. The notification includes the controller's identity and contact details, the privacy officer's details (if one is required), and the database definition document prepared under the Data Security Regulations.
Registration and notification are handled through the PPA: https://www.gov.il/en/departments/the_privacy_protection_authority

Step 3: Consent Requirements

Israeli law requires consent for:
  • Collection of personal data
  • Use beyond the original purpose
  • Transfer to third parties
  • Cross-border transfer
Consent must be: Informed, specific, freely given
Exceptions: Legal obligation, vital interests, public interest, legitimate interest (limited)

Step 4: Cross-Border Transfer Rules

Personal data transfer outside Israel requires:
  • Recipient country has adequate protection (EU, UK, few others), OR
  • Contractual safeguards (similar to GDPR SCCs), OR
  • Data subject consent (informed and specific), OR
  • Listed exemptions (necessary for contract, legal proceedings, etc.)
Note: Israel has an EU adequacy decision, so transfer TO the EU is generally straightforward.

Step 5: Breach Notification

Amendment 13 introduced a hard deadline (replacing the old "without delay, no specific hours" rule):
  1. Notify the Privacy Protection Authority within 72 hours of discovering a reportable breach. The notification must cover the nature of the breach, the categories and approximate number of affected individuals, the likely consequences, and the measures taken or proposed.
  2. Notify affected individuals "without undue delay" where the breach is likely to result in a high risk to their rights and freedoms. The notice must be in clear, plain Hebrew and explain the nature of the breach, the data affected, the potential consequences, and the protective steps individuals can take.
  3. Reportable breach standard: an incident (unauthorized access, disclosure, loss, alteration, or destruction of personal data) that poses a risk to the rights and freedoms of the affected individuals.
  4. Document: all incidents, response actions, and decisions, regardless of whether they cross the reporting threshold.

Step 6: Compliance Checklist

For each assessed entity, verify:
  • Database registration (if required)
  • Privacy policy published (Hebrew, accessible)
  • Consent mechanisms in place
  • Security measures per level (basic/medium/high)
  • Data processing agreements with processors
  • Cross-border transfer safeguards
  • Breach response plan
  • Data subject request handling process
  • Employee training
  • Privacy Protection Officer appointed (if required under Amendment 13)
  • AI governance policy for automated decision-making (if applicable)
  • Personal data inventory includes IP addresses, geolocation, and online identifiers

Step 7: Amendment 13 (Effective August 14, 2025)

Amendment 13 is the most significant reform of Israeli privacy law since 1981. It took effect on August 14, 2025 and expands the Privacy Protection Authority's enforcement powers, broadens the definition of personal data, and introduces new obligations for data brokers and AI systems.
Expanded definition of personal data. Amendment 13 explicitly includes digital identifiers:
  • IP addresses
  • Geolocation data
  • Device identifiers and online identifiers
  • Biometric and genetic data (already sensitive)
Standard web analytics, session logs, and mobile app telemetry now fall within the scope of the Privacy Protection Law.
Mandatory Privacy Protection Officer (PPO / DPO). Under Amendment 13, the following entities must appoint a Privacy Protection Officer:
  • Public bodies (government ministries, municipalities, universities, HMOs and similar), except national-security entities
  • External suppliers and processors acting for those public bodies
  • Data brokers, with a concrete threshold: a controller whose database holds personal data on more than 10,000 individuals AND whose main purpose is collecting personal data to disclose it to third parties as a business or for value (including direct-mailing services)
  • Entities that systematically monitor individuals on a large scale, or whose core business includes processing especially-sensitive data on a large scale
The PPO is the contact point with the Privacy Protection Authority and is responsible for monitoring compliance. Note: the PPA announced it would not enforce the appointment obligation until October 31, 2025.
AI governance for automated decision-making. Amendment 13 requires transparency and oversight for AI systems that make decisions affecting individuals (credit scoring, hiring, insurance, fraud detection). Requirements include:
  • Documentation of the decision logic and data inputs
  • Ability to explain outcomes to affected individuals
  • Human oversight for high-impact decisions
  • Bias and accuracy monitoring
Enforcement powers and fines. Amendment 13 significantly expands the Authority's administrative powers:
  • Direct supervisory inspections without prior notice
  • Administrative fines up to approximately NIS 3.2 million for serious violations
  • Ability to issue binding compliance orders
Entities that were previously under the radar of enforcement now face real financial exposure.
What changed for database registration. Amendment 13 narrowed the registration requirement. Registration with the Authority is now required only for public bodies and databases of 10,000+ individuals whose primary purpose is collecting and disclosing personal data to third parties as a business or for value (data brokers). The broader pre-Amendment requirement for any database with sensitive data no longer applies. Separately, a controller of a database that is not subject to registration but holds especially-sensitive data on more than 100,000 individuals must file a notification with the Authority within 30 days, including the database definition document.

GDPR vs Israeli Law Key Differences

| Aspect | Israeli Law (post Amendment 13) | GDPR |
|---|---|---|
| Legal basis | Consent primary, limited exceptions | 6 legal bases |
| Privacy officer requirement | Public bodies (and their processors), data brokers (10,000+ records), large-scale sensitive-data processors, and large-scale systematic monitors | Broader requirement |
| Breach notification | 72 hours to the PPA; affected individuals "without undue delay" where high risk | 72 hours |
| Administrative fines | Up to ~NIS 3.2M for serious violations + criminal liability | Up to 4% global revenue |
| Right to erasure | Limited | Comprehensive (right to be forgotten) |
| Database registration | Public bodies and data brokers only (10,000+ records) | Not required (replaced by ROPA) |
| Personal data scope | Includes IP, geolocation, online identifiers (Amendment 13) | Includes online identifiers |
| AI governance | Required for automated decision-making (Amendment 13) | Article 22 automated decision-making rules |
| Extra-territorial scope | Limited | Broad |

Examples

Example 1: SaaS Startup Compliance

User says: "I'm building a SaaS with Israeli customers, what privacy requirements apply?"
Result: Assessment of security level, database registration need, privacy policy requirements, recommended consent mechanisms.

Example 2: Data Breach Response

User says: "We discovered a data breach affecting Israeli users"
Result: Step-by-step breach response: contain, assess, notify authority, notify users if significant harm, document.

Example 3: Cross-Border Data Transfer

User says: "We need to transfer Israeli customer data to our US servers"
Actions:
  1. Assess data types for sensitivity level
  2. Check if destination country has adequate protection
  3. Determine transfer mechanism (adequacy, consent, contractual clauses)
  4. Document compliance steps
Result: Transfer compliance checklist with specific steps for US data transfer under Israeli Privacy Protection Law.

Bundled Resources

Scripts

  • `scripts/compliance_checker.py`: Runs a full Privacy Protection Law compliance assessment: determines security level (basic/medium/high), checks database registration requirements, and generates a compliance checklist with all applicable controls. Run: `python scripts/compliance_checker.py --help`

References

  • `references/privacy-law-requirements.md`: Detailed breakdown of the Privacy Protection Law 1981 and 2017 Security Regulations including database registration process, security level requirements, consent rules, cross-border transfer rules, breach notification procedures, and penalties. Consult when you need specific legal requirements, section numbers, or GDPR comparison details beyond what the instructions cover.
  • `references/consent-banner-implementation.md`: Copy-pasteable TypeScript/React code for an Amendment 13 + GDPR compliant consent banner: pub-sub store with SSR sentinel, localStorage + companion cookie (12-month TTL, `CONSENT_VERSION`-bumped re-prompt), cross-tab sync via `storage` event, server-side cookie check for SSR gating, Sentry pre-init hydration pattern and mid-session Replay attach, essential-event allowlist, dismissal-as-refusal handling. Consult when the user wants to ship the consent UI itself, not just understand the law.

Implementing a Compliant Consent Surface

The Privacy Protection Law after Amendment 13, GDPR for EU visitors, and the 2017 Security Regulations all require explicit, opt-in, granular consent before collecting personal data beyond what is strictly necessary to deliver the service. The consent surface is where that requirement becomes code. A banner copy-pasted from a generic template almost always fails one of the legal tests below. This section covers the UI patterns that satisfy all three legal frames at once.

State Model

Model consent as three layers:
  1. Essential (always on, never toggled): session auth, CSRF, consent cookie itself, bot protection (Turnstile), accessibility preferences, anything required to deliver the requested service. The user has no choice here, by design.
  2. Optional categories (explicit opt-in): analytics, session replay (Clarity / Hotjar / FullStory), error monitoring with user data (Sentry Session Replay), marketing, personalization.
  3. No consent yet (first visit): distinct from "rejected all" and from "accepted all". Treat as null.
The persisted state is a tagged version + category map + timestamp:
```ts
interface ConsentState {
  version: number;          // bump to force re-prompt when adding a category
  categories: {
    analytics: boolean;
    session_replay: boolean;
    error_monitoring: boolean;
    // add categories as needed; each gets its own opt-in
  };
  timestamp: string;        // ISO; used for 12-month re-prompt
}
```

Persistence

Store the state in both `localStorage` and a companion cookie. `localStorage` is the source of truth for the client; the cookie exists so Server Components can gate SSR work (e.g. `incrementBundleViews` inside `after()`) without a client round-trip. The cookie only needs a single bit (`0` or `1`) because Server Components rarely distinguish individual categories.

```ts
// lib/consent/store.ts
export const CONSENT_VERSION = 1;
export const CONSENT_STORAGE_KEY = 'site_consent_v1';
export const CONSENT_COOKIE_NAME = 'site_consent';
export const CONSENT_REPROMPT_MS = 365 * 24 * 60 * 60 * 1000;

function writeCookie(state: ConsentState | null) {
  const maxAge = Math.floor(CONSENT_REPROMPT_MS / 1000);
  const secure = location.protocol === 'https:' ? '; Secure' : '';
  if (!state) {
    // No decision on record: expire the companion cookie
    document.cookie = `${CONSENT_COOKIE_NAME}=; Path=/; Max-Age=0; SameSite=Lax${secure}`;
    return;
  }
  // Single bit for the server: mirrors the analytics category only
  const value = state.categories.analytics ? '1' : '0';
  document.cookie = `${CONSENT_COOKIE_NAME}=${value}; Path=/; Max-Age=${maxAge}; SameSite=Lax${secure}`;
}
```
Re-prompt rules. `readStorage()` returns `null` if the stored `version` mismatches `CONSENT_VERSION` or the timestamp is older than 12 months. Bumping `CONSENT_VERSION` when adding a new tracker category forces a fresh prompt; this is how you stay compliant when you add a new analytics vendor.
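The re-prompt rules above, written out as a fail-closed `readStorage()`. This is an added example, not code from the original page or its bundled reference; `parseStoredConsent`, `CATEGORY_KEYS`, `CLOCK_SKEW_MS` and `KeyValueStore` are hypothetical names, and the five-minute skew tolerance is an assumption.

```ts
// Added example. Constants mirror lib/consent/store.ts on the page;
// every other name here is hypothetical.
const CONSENT_VERSION = 1;
const CONSENT_STORAGE_KEY = 'site_consent_v1';
const CONSENT_REPROMPT_MS = 365 * 24 * 60 * 60 * 1000;
const CLOCK_SKEW_MS = 5 * 60 * 1000; // assumed tolerance for small clock drift
const CATEGORY_KEYS = ['analytics', 'session_replay', 'error_monitoring'] as const;
type Category = (typeof CATEGORY_KEYS)[number];

interface ConsentState {
  version: number;
  categories: Record<Category, boolean>;
  timestamp: string;
}

// Returns a validated state, or null meaning "no usable decision, prompt again".
// Anything unexpected in storage is treated as no consent, never as consent.
function parseStoredConsent(raw: string | null, nowMs: number): ConsentState | null {
  if (raw === null) return null; // first visit
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return null; // corrupted or hand-edited value
  }
  if (typeof parsed !== 'object' || parsed === null) return null;
  const obj = parsed as Record<string, unknown>;

  // A version bump (new tracker category) invalidates every older decision.
  if (obj['version'] !== CONSENT_VERSION) return null;

  const timestamp = obj['timestamp'];
  if (typeof timestamp !== 'string') return null;
  const decidedAt = Date.parse(timestamp);
  if (Number.isNaN(decidedAt)) return null;
  const age = nowMs - decidedAt;
  // Older than 12 months: stale. Far in the future: a timestamp that would
  // extend consent beyond 12 months, so it is rejected as well.
  if (age > CONSENT_REPROMPT_MS || age < -CLOCK_SKEW_MS) return null;

  const cats = obj['categories'];
  if (typeof cats !== 'object' || cats === null) return null;
  const categories = {} as Record<Category, boolean>;
  for (const key of CATEGORY_KEYS) {
    const value = (cats as Record<string, unknown>)[key];
    // Only a real boolean counts; "true", 1 or a missing key is not opt-in.
    if (typeof value !== 'boolean') return null;
    categories[key] = value;
  }
  // Unknown extra categories in storage are dropped, not trusted.
  return { version: CONSENT_VERSION, categories, timestamp };
}

// Minimal shape of localStorage, so the function can be exercised without a browser.
interface KeyValueStore {
  getItem(key: string): string | null;
}

function readStorage(store: KeyValueStore, nowMs: number = Date.now()): ConsentState | null {
  try {
    return parseStoredConsent(store.getItem(CONSENT_STORAGE_KEY), nowMs);
  } catch {
    return null; // storage access itself can throw when the browser blocks it
  }
}
```

When this returns `null` for a non-empty stored value, the companion cookie should be cleared too (the page's `writeCookie(null)`), so the server-side gate does not keep honoring a decision the client has discarded.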

SSR Safety: The SSR_SENTINEL Pattern

Naive `useSyncExternalStore` with a `null` server snapshot renders the banner in the initial SSR HTML, which means a) the banner is visible for a moment before hydration replaces it, and b) search engines index pages with the consent dialog overlaying the content. The fix is a sentinel object that is identity-compared to distinguish the server/hydration render from "user hasn't decided yet":

```ts
export const SSR_SENTINEL: ConsentState = Object.freeze({
  version: -1,
  categories: ALL_CATEGORIES_OFF,
  timestamp: '1970-01-01T00:00:00.000Z',
});

// In the provider:
const rawState = useSyncExternalStore(
  consentStore.subscribe,
  consentStore.getSnapshot,
  consentStore.getServerSnapshot,  // returns SSR_SENTINEL
);
const isHydrated = rawState !== SSR_SENTINEL;
const state = isHydrated ? rawState : null;

const needsPrompt = isHydrated && state === null;
```

Only when `isHydrated` is true AND `state` is `null` does the banner render. The sentinel is identity-compared with `!==`, which is why it is frozen and exported as a module constant.

Cross-Tab Sync

Users open multiple tabs. If they reject consent in one, the others must respect that immediately. Listen for the `storage` event, which fires across tabs sharing the same origin:

```ts
function onStorageEvent(e: StorageEvent) {
  if (e.key === null || e.key === CONSENT_STORAGE_KEY) notify();
}
// Attach in subscribe() when first listener is added, detach when last leaves.
```
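A sketch of the store behind `consentStore.subscribe` / `getSnapshot` / `getServerSnapshot`, tying the sentinel and the cross-tab listener together. This is an added example, not the page's or the bundled reference's code; `createConsentStore`, `EventTargetLike` and `StorageEventLike` are hypothetical names, and storage access is injected through `load` so the logic runs without a browser.

```ts
// Added example; all names are hypothetical. In a browser, `target` would be
// `window` and `load` would be the page's readStorage().
interface StorageEventLike {
  key: string | null; // null when another tab called localStorage.clear()
}
interface EventTargetLike {
  addEventListener(type: 'storage', fn: (e: StorageEventLike) => void): void;
  removeEventListener(type: 'storage', fn: (e: StorageEventLike) => void): void;
}

function createConsentStore<S extends object>(opts: {
  storageKey: string;
  load: () => S | null; // validated state, or null for "no decision yet"
  sentinel: S;          // frozen module constant, compared by identity
  target: EventTargetLike;
}) {
  const listeners = new Set<() => void>();
  let cached: S | null = null;
  let loaded = false;

  // Re-read storage. The cached reference is replaced only when the content
  // differs: useSyncExternalStore compares snapshots by identity, so handing
  // back a fresh object on every call would re-render forever.
  function refresh(): boolean {
    const next = opts.load();
    loaded = true;
    if (JSON.stringify(next) === JSON.stringify(cached)) return false;
    cached = next;
    return true;
  }

  function notify(): void {
    if (refresh()) listeners.forEach((listener) => listener());
  }

  function onStorageEvent(e: StorageEventLike): void {
    if (e.key === null || e.key === opts.storageKey) notify();
  }

  return {
    subscribe(listener: () => void): () => void {
      // First listener in: start watching other tabs.
      if (listeners.size === 0) opts.target.addEventListener('storage', onStorageEvent);
      listeners.add(listener);
      return () => {
        listeners.delete(listener);
        if (listeners.size === 0) {
          // Last listener out: stop watching, and force a re-read on next
          // use, because changes made while detached were not observed.
          opts.target.removeEventListener('storage', onStorageEvent);
          loaded = false;
        }
      };
    },
    getSnapshot(): S | null {
      if (!loaded) refresh();
      return cached;
    },
    // Server and hydration render: never null, so the banner is not in SSR HTML.
    getServerSnapshot(): S {
      return opts.sentinel;
    },
    notify, // call after this tab writes a new decision
  };
}
```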

Dismissal-As-Refusal

GDPR Article 4(11) and the EDPB guidance require that dismissing a consent banner counts as refusal. Amendment 13 is aligned. That means:
  • Escape key = reject all
  • Close button (X) = reject all
  • Clicking outside the banner = leave banner visible (do NOT treat as accept)
```tsx
// ESC handler inside the banner component
useEffect(() => {
  if (!promptOpen) return;
  function onKey(e: KeyboardEvent) {
    if (e.key === 'Escape') rejectAll();
  }
  window.addEventListener('keydown', onKey);
  return () => window.removeEventListener('keydown', onKey);
}, [promptOpen, rejectAll]);
```

Visual Equal Weight for Reject and Accept

GDPR Recital 42 + multiple DPA enforcement decisions require that Reject and Accept carry equal visual weight. In practice:
  • Same button style (both primary, or both outline)
  • Same width
  • Same position (side by side, not one hidden behind "Customize")
  • "Customize" is a third action, not a replacement for "Reject"
```tsx
<div className="grid grid-cols-3 gap-2">
  <Button size="sm" variant="outline" onClick={rejectAll}>{dict.rejectAll}</Button>
  <Button size="sm" variant="outline" onClick={openPreferences}>{dict.customize}</Button>
  <Button size="sm" onClick={acceptAll}>{dict.acceptAll}</Button>
</div>
```

Gating the Trackers

The consent state must actually prevent non-consented trackers from running. A banner that does not stop scripts is worse than no banner (it creates a paper trail of false compliance).
```tsx
// components/consent/consent-gated-trackers.tsx
export function ConsentGatedTrackers() {
  const { isAllowed } = useConsent();
  return (
    <>
      {isAllowed('analytics') && <Analytics />}
      {isAllowed('analytics') && <SpeedInsights />}
      {isAllowed('session_replay') && <ClarityScript />}
    </>
  );
}
```

Also gate the client-side `trackEvent` helper; events emitted before consent is granted should be dropped, not queued:

```ts
const ESSENTIAL_EVENTS = new Set([
  'consent_banner_shown', 'consent_accepted', 'consent_rejected',
  'consent_customized', 'consent_reopened', 'auth_sign_in',
]);

export function trackEvent(event: string, data?: Record<string, unknown>) {
  // Drop (do not queue) anything non-essential until analytics consent exists
  if (!ESSENTIAL_EVENTS.has(event) && !window.__consent?.analytics) return;
  // ...send to analytics backend
}
```
The essential-event allowlist is for legally transactional events (the consent choice itself, auth), not a general escape hatch.

Sentry Integration: Two Pieces

Sentry is unusual because `Sentry.init()` runs in `instrumentation-client.ts` before React hydrates, which is before `useConsent()` can tell you what the user wants. Two pieces:

1. Hydrate `window.__consent` from storage BEFORE `Sentry.init()`. Without this, any errors thrown during early hydration are captured even if the user previously rejected consent.

```ts
// instrumentation-client.ts
import * as Sentry from '@sentry/nextjs';
import { hydrateWindowFromStorage } from '@/lib/consent/store';

hydrateWindowFromStorage();  // sets window.__consent from localStorage

Sentry.init({
  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
  // Replay is only registered if the user already opted in
  integrations: window.__consent?.session_replay ? [Sentry.replayIntegration()] : [],
  beforeSend(event) {
    // Returning null drops the event before it leaves the browser
    return window.__consent?.error_monitoring ? event : null;
  },
});
```

2. Attach Replay mid-session when the user later grants consent. Don't re-run `Sentry.init()`; that breaks the existing client. Use `Sentry.addIntegration()`:

```ts
// lib/consent/sentry-gate.ts
import * as Sentry from '@sentry/nextjs';

export function enableSentryReplay() {
  const client = Sentry.getClient();
  if (!client) return;
  if (client.getIntegrationByName?.('Replay')) return;  // idempotent
  Sentry.addIntegration(Sentry.replayIntegration());
}
```

The React provider calls `enableSentryReplay()` the first time `state.categories.session_replay` flips to true. Dynamic-import it so the Replay bundle is not shipped to users who rejected it:

```ts
useEffect(() => {
  if (state?.categories.session_replay) {
    import('./sentry-gate').then((m) => m.enableSentryReplay());
  }
}, [state?.categories.session_replay]);
```

Server Component Gating

Server Components can read the companion cookie directly:
```ts
// lib/consent/server.ts
import { cookies } from 'next/headers';
import { CONSENT_COOKIE_NAME } from './store';

export async function isAnalyticsAllowedServerSide(): Promise<boolean> {
  const store = await cookies();
  return store.get(CONSENT_COOKIE_NAME)?.value === '1';
}
```

Use it to gate `after()` calls that increment analytics counters:

```tsx
if (await isAnalyticsAllowedServerSide()) {
  after(() => incrementBundleViews(slug));
}
```

Audit Trail

Amendment 13 and GDPR require you to demonstrate consent on demand. Emit five analytics events through your existing pipeline:
  • `consent_banner_shown` (first show only)
  • `consent_accepted`
  • `consent_rejected`
  • `consent_customized`
  • `consent_reopened` (user re-opens from the footer link)
Store them through the same `analytics_events` pipeline you already have; no new table is needed. These are the events the allowlist in `trackEvent` lets through even when consent is denied, precisely so you have the refusal on record.
See `references/consent-banner-implementation.md` for complete copy-pasteable code covering the pub-sub store, the `ConsentProvider`, the banner, the preferences dialog, the tracker gate, and the Sentry hydration hook.

Consent UI Anti-Patterns

Israeli DPA enforcement, GDPR DPAs, and the French CNIL have published repeated guidance on UI patterns that look compliant but are not. Any of these will cost you on enforcement even if the underlying law text is satisfied.

| Anti-pattern | Why it fails | Fix |
|---|---|---|
| Pre-checked boxes for analytics / marketing | Consent must be explicit opt-in. CJEU Planet49 (C-673/17) is the binding precedent. | Default unchecked; user must actively flip the switch. |
| "Accept" button styled larger/colored, "Reject" styled as a text link | Fails the equal-weight test. | Same component, same size, same visual prominence. |
| "Reject" hidden behind a "Customize" or "Learn more" submenu | Forces extra clicks to refuse, not to accept. | Reject + Accept on the first screen, side by side. |
| "By continuing to use the site, you accept cookies" banners | Implicit consent is invalid under GDPR and Amendment 13. | Banner blocks nothing visually, but trackers do not run until explicit choice. |
| Cookie wall ("You must accept cookies to read this article") | EDPB guidance treats conditioning service on consent to non-essential cookies as invalid. | Provide full service regardless of the choice; degrade only genuinely analytics-dependent features (e.g. hide a session-replay-powered debug button). |
| Single "Accept all" with no granular option on the first screen | GDPR Article 7(2) requires granularity for distinct purposes. | Either expose the per-category toggles on the first screen, or ensure "Customize" reaches them in one click. |
| Re-prompting every session | Consent fatigue, treated by DPAs as a dark pattern. | Re-prompt only on `CONSENT_VERSION` bump or after 12 months. |
| Burying the "withdraw consent" path | Amendment 13 Article 8C + GDPR Article 7(3) require withdrawal to be as easy as granting. | "Privacy preferences" link in the footer that opens the same dialog. |
| Storing a consent cookie without an expiry / with multi-year TTL | User has not re-consented; stale consent is no consent. | 12-month max. Bump `CONSENT_VERSION` whenever you add a tracker. |
| Loading the analytics SDK script and calling it with `consent=denied` instead of not loading it | Loading itself is a data transfer (IP, UA, referer). | Gate the `<script>` tag, not just the SDK's internal flag. |

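
The re-prompt, expiry and script-gating fixes from the table, as an added sketch (not the code from references/consent-banner-implementation.md). The record shape, the `CONSENT_VERSION` value, the tracker list with its placeholder hosts, and all function names are assumptions.

```javascript
// Added example; every name and value here is an assumption, not the project's code.
const CONSENT_VERSION = 3;                     // bump whenever a tracker is added
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // 12-month ceiling, approximated as 365 days

// Constructed tracker registry with placeholder hosts.
const TRACKERS = [
  { category: 'analytics', src: 'https://analytics.example/sdk.js' },
  { category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// A stored record counts only if it matches the current version and is under 12 months old.
function isConsentValid(record, now = Date.now()) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  const age = now - Date.parse(record.decidedAt);
  return Number.isFinite(age) && age >= 0 && age <= MAX_AGE_MS;
}

// Show the banner only when no valid record exists, never once per session.
function shouldPrompt(record, now = Date.now()) {
  return !isConsentValid(record, now);
}

// Only categories explicitly set to true qualify; missing or stale consent yields nothing.
function scriptsToLoad(record, now = Date.now()) {
  if (!isConsentValid(record, now)) return [];
  return TRACKERS
    .filter((t) => record.categories?.[t.category] === true)
    .map((t) => t.src);
}

// Gate the <script> tag itself: a refused tracker is never requested,
// so no IP, user agent or referer reaches the vendor.
function injectAllowed(doc, record, now = Date.now()) {
  const srcs = scriptsToLoad(record, now);
  for (const src of srcs) {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return srcs;
}
```

A valid "reject all" record suppresses both the banner and every tracker request, which is the behaviour the re-prompt and script-gating rows ask for.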
The banner you ship is one layer. The other layers, a published privacy policy in Hebrew, a named Privacy Protection Officer where required under Amendment 13, a data subject request handling process, a breach response plan, and the database registration for public bodies and data brokers, all have to exist independently. No consent UI substitutes for those.

Gotchas

  • Amendment 13 took effect on August 14, 2025 and is live law, not a pending proposal. Agents trained on pre-2025 data may treat Amendment 13 as a future change or miss it entirely. Always assume it applies when advising on Israeli privacy compliance today.
  • Amendment 13 expands "personal data" to include IP addresses, geolocation, and online identifiers. This pulls standard web analytics and mobile telemetry into scope. Agents may still apply the older narrower definition and underestimate what counts as personal data.
  • Administrative fines under Amendment 13 can reach approximately NIS 3.2 million for serious violations, on top of the existing criminal liability. Agents may cite only the pre-Amendment "relatively low fines" framing and underestimate real exposure.
  • Amendment 13 introduced a 72-hour deadline for notifying the Privacy Protection Authority of a reportable breach (measured from discovery), with notification to affected individuals "without undue delay" where the breach poses a high risk to their rights and freedoms. The old "without delay, no specific hours" rule no longer applies. Agents trained on pre-2025 data often still cite the outdated framing.
  • Israeli Privacy Protection Law predates GDPR (1981 vs 2016) and still has key differences even after Amendment 13: a narrower right to erasure, and database registration still exists (though narrowed to public bodies and data brokers, plus a separate 100,000-record especially-sensitive notification tier). Agents may incorrectly apply GDPR rules to Israeli contexts.
  • Israel has an EU adequacy decision, meaning data transfers FROM Israel TO the EU are generally straightforward. Agents may incorrectly flag Israel-to-EU transfers as requiring additional safeguards.
  • The 2017 Security Regulations define three security levels (basic/medium/high) based on record count and data sensitivity. Agents may apply a one-size-fits-all approach instead of the tiered model.
  • Penalties under Israeli privacy law include criminal liability (up to 5 years imprisonment) in addition to administrative fines. Agents may understate the severity by comparing only to GDPR's monetary penalties.

Troubleshooting

Error: "Unsure about security level"

Cause: Borderline case between basic/medium/high
Solution: When in doubt, apply the higher level. The cost difference is small compared to non-compliance risk.

Reference Links

| Source | URL | What to check |
|---|---|---|
| Privacy Protection Authority (gov.il) | https://www.gov.il/en/departments/the_privacy_protection_authority | Enforcement, database registration and notification, guidance |
| Amendment 13 page (gov.il) | https://www.gov.il/he/pages/13_amendment | Overview of the reform and its obligations |
| Amendment 13 professional guide (gov.il) | https://www.gov.il/he/pages/guide_tikon13_professional | Detailed implementation guidance for controllers and processors |
| Amendment 13 FAQ (gov.il) | https://www.gov.il/he/pages/tikun13_qa | Common questions on registration, DPO, breach reporting |
| Protection of Privacy Law, 5741-1981 | https://www.gov.il/he/pages/the_privacy_protection_law | Primary statute text |

gov.il pages may return HTTP 403 to automated clients; open them in a browser.

Recommended MCP Servers

  • israel-law MCP, surfaces Israeli primary legislation and regulations (including the Protection of Privacy Law and related regulations). Use it to pull the current statutory text when a compliance question turns on exact wording. Verify the live gov.il pages above for PPA guidance and forms, which an MCP statute index does not cover.