Cookies make surfing the web easier, save settings and enable targeted advertising. At the same time, they raise significant data protection issues. In his latest guidelines, the Federal Data Protection and Information Commissioner (FDPIC) has specified the requirements that companies and website operators must observe when using cookies in Switzerland. The main focus is on consent requirements, tracking and the processing principles of the Data Protection Act (DPA). Which cookies are still permitted, when explicit consent is required and what requirements are placed on consent banners – we clarify the most important questions.
- Cookies – a legal categorisation
Cookies are small text files that are stored on the user’s device by the operator of a website when they visit it. They are used to store certain information that improves the user experience or enables personalised advertising. The FDPIC’s new guidelines now specify the data protection obligations for companies. Cookies are divided into two groups:
- Necessary cookies: These are essential for the operation of a website (e.g. login authentication, shopping basket function).
- Non-essential cookies: These include tracking, analysis and marketing cookies that process user data for commercial purposes.
While essential cookies may be used without the user’s separate consent, non-essential cookies are subject to strict requirements – particularly with regard to profiling and tracking.
- The legal basis for cookies in Switzerland
a) Telecommunications Act (TCA, Art. 45c)
Since 2007, the TCA has contained a regulation regarding the storage of cookies on end devices such as smartphones. The provision protects the integrity of end devices and relates to the technical processes for setting, reading and storing cookies.
Website operators are obliged to inform users about the use of cookies and to offer an opt-out option.
b) Data Protection Act (DSG)
The new Swiss Data Protection Act (DPA), which came into force on 1 September 2023, regulates all aspects of personal data processing using cookies and similar technologies. The FADP focuses on:
- Transparency: website operators must clearly communicate what data is collected.
- Proportionality: Personal data may only be processed in a way that is necessary for the intended purpose. Cookies that are limited to the essential functions of the website, such as shopping basket cookies, language selection or logins, are to be considered proportionate, as a website cannot be used for its actual function without them.
- Justification obligations: Processing that violates personality rights must be covered by consent or overriding interests.
The distinction between normal profiling (with the option to object) and high-risk profiling (opt-in required) is particularly relevant.
- When are cookies permitted – and when are they not?
According to Art. 6 para. 6 FADP, the key requirements for valid consent to the use of non-essential cookies or similar technologies are appropriate information about the data processing to which consent is to be given and the voluntary nature of the declaration of consent. In order to obtain consent, for which the FADP requires an explicit declaration or opt-in in Art. 6 para. 7 FADP, data controllers must always require active behaviour from the data subject in order to manifest their explicit consent.
The requirements for consent differ depending on the risk of using cookies:
This means that while functional cookies can be offered with a simple opt-out, explicit consent is required for personalised advertising or complex profiling. In the case of non-essential cookies, a balancing of interests can also be carried out instead of consent, where it is checked whether the data processing carried out using cookies could be justified by overriding private interests.
The FDPIC has also clarified that simply continuing to surf a website does not constitute valid consent. Users must actively consent to data processing – for example by clicking on a button.
- Profiling and tracking – where are the limits?
The tracking and profiling of user data is a particularly sensitive area. Profiling becomes problematic when user data is processed in such a way that key aspects of personality are analysed or predicted. The FDPIC distinguishes between:
- “Normal” profiling: This includes the recording of user behaviour to personalise content or advertising. An opt-out option is sufficient.
- High-risk profiling: As soon as cookies are used to analyse key personality aspects or enable cross-personal identification, explicit consent (opt-in) is required.
The transfer of data to third parties is particularly problematic if this results in comprehensive consumer or personality profiles. In the case of a web shop with personalised product recommendations, for example, an opt-out is sufficient. If data is passed on to advertising networks for cross-site tracking, an opt-in is required.
When is profiling high-risk?
- Cross-site tracking (linking of user data across different websites)
- Collection of sensitive data (e.g. health or financial data)
- Automated decision-making with legal implications
- Third-party services & third-party cookies: Who is responsible?
Many website operators use external tools – such as Google Analytics, Facebook Pixel or YouTube plugins. Personal data is often passed on to third parties in the process.
Within the website, the website owner is responsible for the use of cookies because they determine which data is processed via their website and for what purpose. If third-party services, i.e. social plug-ins such as Facebook, Twitter or Instagram, are integrated into the website, a distinction must be made as to whether the website owner uses the third-party services in the sense of commissioned processing (processing on behalf of the operator) or whether third parties use the services embedded on the website to also obtain data for their own purposes.
According to the FDPIC’s guidelines, the third party is responsible for its data processing, as it influences the processing of personal data in its own interest and thus participates in the decision on the purposes and means of this processing. The website owner, in turn, only enables the third party to obtain data by integrating the third-party service on its website. The FDPIC’s guidelines clarify that joint responsibility must be assumed for the process of data collection by the third party via the website.
- Requirements for cookie banners – what needs to change?
Many websites still use cookie banners that do not comply with the GDPR. The FDPIC’s new guidelines make it clear: dark patterns or manipulative design of consent mechanisms are not permitted.
What a legally compliant cookie banner must contain:
- Clear, understandable information about the purpose of cookies
- Real choice: “Accept all” and “Reject” must be displayed equally
- Detailed control options: Users must be able to actively select individual cookie categories
- Easy revocation option: Users must be able to easily withdraw their consent at any time
What is not permitted:
- Preset consent (pre-ticked boxes) if deselecting an already ticked box is designed to be more complicated than selecting it.
- Misleading design (e.g. large “Accept” buttons, hidden “Reject” options)
- No option to reject (e.g. only “Accept” button without alternative)
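The consent rules set out above (necessary cookies without consent, opt-out for “normal” profiling, explicit opt-in for high-risk profiling, no pre-ticked boxes, no consent by merely continuing to browse, easy revocation) can be encoded as a small decision module. The following is an added illustration, not code from the article or from the FDPIC; the category names and the cookie catalogue are assumptions made for the example.

```javascript
// Added example, not code from the article or from the FDPIC: a consent gate that
// encodes the three-tier rule described on the page. Category names and the cookie
// catalogue are assumptions made for this illustration.
const RISK = {
  NECESSARY: "necessary",      // login, basket, language: usable without consent
  NORMAL: "normal-profiling",  // personalised content on the operator's own site: opt-out suffices
  HIGH: "high-risk-profiling"  // cross-site tracking, sensitive data: explicit opt-in required
};

// Constructed catalogue for a web shop (assumed, not taken from the guidelines).
const COOKIES = {
  session_id: RISK.NECESSARY,
  cart: RISK.NECESSARY,
  recommendations: RISK.NORMAL,
  ad_network_uid: RISK.HIGH
};

// Fresh state: nothing is pre-ticked, so no category carries an opt-in yet.
function newConsentState() {
  return { decisions: {} };
}

// Record a decision per category. Only an active action counts; merely continuing to
// browse ("scroll") is rejected, because the guidelines say it is not valid consent.
function recordChoice(state, category, granted, action) {
  if (action !== "click") {
    throw new Error("consent needs an active action, got: " + action);
  }
  state.decisions[category] = granted;
  return state;
}

// Decide whether a cookie may be set under the current consent state.
function maySet(state, cookieName) {
  const risk = COOKIES[cookieName];
  if (risk === RISK.NECESSARY) return true;
  if (risk === RISK.NORMAL) return state.decisions[risk] !== false; // until the user objects
  if (risk === RISK.HIGH) return state.decisions[risk] === true;    // only after an opt-in
  return false; // unknown cookie: refuse by default
}

// Easy revocation: withdraw every opt-in, register an objection for the opt-out tier,
// and return the non-essential cookies that must now be deleted from the device.
function revoke(state) {
  state.decisions = { [RISK.NORMAL]: false, [RISK.HIGH]: false };
  return Object.keys(COOKIES).filter((name) => COOKIES[name] !== RISK.NECESSARY);
}
```

In a real banner, `recordChoice` would be wired to equally prominent “Accept all” / “Reject” buttons and to per-category checkboxes, and the list returned by `revoke` would drive the actual deletion of cookies.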
- What companies need to do now
The FDPIC’s new guidelines make one thing clear: the uncontrolled growth in the use of cookies is over. Website operators must ensure that their cookie management complies with legal requirements – otherwise they may face prohibitions and sanctions.
To-do list for companies:
- Check the use of cookies: Which cookies are necessary? Where is there a need for action?
- Customise consent banner: Ensure DSG-compliant consent and presentation.
- Revise tracking technologies: Carry out risk analysis or data protection impact assessment for profiling.
- Update privacy policy: Provide clear and transparent information.
Companies that act now can not only avoid legal risks, but also build trust with their users. Those who do not comply with the new requirements not only risk data protection violations, but also a loss of reputation in the long term.
Data protection is no longer a “nice-to-have”, but a decisive factor for the future viability of digital business models.
Addendum: Updated version of the cookie guidelines from October 2025
On October 6, 2025, the Federal Data Protection and Information Commissioner (FDPIC) published an updated version of its cookie guidelines. This version (version 1.1) builds on the content of the first version from January 2025, but contains numerous clarifications and additions that explain the requirements for the use of cookies in compliance with data protection regulations in a more practical manner. The aim of this revision is to address frequently asked questions from practice and to eliminate existing uncertainties in dealing with data protection requirements.
Clarification of the consent requirement for personalized advertising
It is now particularly emphasized that explicit consent may be required for the use of third-party cookies to deliver personalized advertising. This applies in particular if the website operator grants third parties access to personal information, often in return for payment, and these third parties are integrated into several websites. In such cases, so-called “high-risk profiling” may occur, which constitutes an intensive intrusion into the privacy of the persons concerned.
Location data as risky information
The guidelines have also been expanded with regard to the collection and use of location data. The FDPIC makes it clear that the systematic analysis of movement data entails considerable risks, for example through the identification of locations during the night or regular locations such as home or work addresses. The possible conclusions that can be drawn from this about sensitive aspects of a person’s personality regularly constitute a high risk in terms of profiling that requires special protection.
Clarifications on consent for cookie paywalls
Another key point in the revised version concerns so-called “cookie paywalls” or pure subscription models. The EDÖB clarifies that consent to the use of non-essential cookies in such cases is only considered voluntary if the payment service offered is not disproportionate and does not effectively undermine the fundamental right to data protection. The financial hurdle must therefore not lead to de facto compulsory consent.
Further important additions and clarifications
The updated version also contains a number of detailed adjustments:
- Information obligations for data collection by third parties (section 3.2.2): Website operators must not only provide information, but also obtain specific consent.
- Technical necessity (Section 3.5.2): The definition of technical necessity has been differentiated into functional and security aspects.
- Non-essential cookies (Section 3.6): These are all cookies that are not technically necessary according to Section 3.5.2. If a cookie is not necessary for the secure operation of the website or for a specific function actively requested by the user, it is considered non-essential.
- Contractually supporting cookies (Section 3.8.1): Cookies that predict delivery times or display branch distances, for example, are also not necessarily considered technically necessary.
- Right to object (Section 3.9): A reference has been added to implementing the objection promptly by means of buttons in the consent banner.
- High-risk profiling (Section 3.10.1): Now also possible by combining inaccurate location data with other data sources.
- Advertising tracking and third-party access (Sections 3.11.1 and 3.11.3): Clarification of when third parties can engage in high-risk profiling by integrating into multiple websites.
- Design of the declaration of consent (section 3.12.3): It must be clearly recognizable that users can selectively grant or refuse consent.
- Voluntary nature of consent (section 3.12.4): Additional requirements regarding the legal admissibility of paid alternative offers in the event of refusal of consent.
Conclusion: More clarity, but also more responsibility for website operators
With version 1.1 of the cookie guidelines, the EDÖB is clearly pursuing the goal of bringing practice in line with applicable data protection standards without creating new requirements. The targeted clarifications increase legal certainty for operators of digital offerings, but also highlight the need for careful implementation – particularly with regard to consent, transparency, and risk assessments when using tracking technologies.
Companies that rely on data-driven online advertising or process location data would be well advised to review their cookie banners and privacy information immediately and adjust them if necessary. In practice, cookie paywalls in particular are likely to come under greater scrutiny from regulators in the future.
HÄRTING Rechtsanwälte supports you in making your website and your digital business models GDPR-compliant. We help you to minimise legal risks, avoid sanctions and strengthen the trust of your users.