Cookies make surfing the web easier, save settings and enable targeted advertising. At the same time, they raise significant data protection issues. In his latest guidelines, the Federal Data Protection and Information Commissioner (FDPIC) has specified the requirements that companies and website operators must observe when using cookies in Switzerland. The main focus is on consent requirements, tracking and the processing principles of the Data Protection Act (DPA). Which cookies are still permitted, when explicit consent is required and what requirements are placed on consent banners – we clarify the most important questions.
- Cookies – a legal categorisation
Cookies are small text files that are stored on the user’s device by the operator of a website when they visit it. They are used to store certain information that improves the user experience or enables personalised advertising. The FDPIC’s new guidelines now specify the data protection obligations for companies. Cookies are divided into two groups:
Necessary cookies: These are essential for the operation of a website (e.g. login authentication, shopping basket function).
Non-essential cookies: These include tracking, analysis and marketing cookies that process user data for commercial purposes.
While essential cookies may be used without the user’s separate consent, non-essential cookies are subject to strict requirements – particularly with regard to profiling and tracking.
- The legal basis for cookies in Switzerland
a) Telecommunications Act (TCA, Art. 45c)
Since 2007, the TCA has contained a regulation regarding the storage of cookies on end devices such as smartphones. The provision protects the integrity of end devices and relates to the technical processes for setting, reading and storing cookies.
Website operators are obliged to inform users about the use of cookies and to offer an opt-out option.
b) Data Protection Act (DPA; German abbreviation DSG)
The new Swiss Data Protection Act (DPA), which came into force on 1 September 2023, regulates all aspects of personal data processing using cookies and similar technologies. The FADP focuses on
Transparency: website operators must clearly communicate what data is collected.
Proportionality: Personal data may only be processed in a way that is necessary for the intended purpose. Cookies that are limited to the essential functions of the website, such as shopping basket cookies, language selection or logins, are to be considered proportionate, as a website cannot be used for its actual function without them.
Justification obligations: Processing that violates personality rights must be covered by consent or overriding interests.
The distinction between normal profiling (with the option to object) and high-risk profiling (opt-in required) is particularly relevant.
- When are cookies permitted – and when are they not?
According to Art. 6 para. 6 FADP, the key requirements for valid consent to the use of non-essential cookies or similar technologies are appropriate information about the data processing to which consent is to be given and the voluntary nature of the declaration of consent. Art. 6 para. 7 FADP requires this consent to be given explicitly (opt-in), so data controllers must always obtain an active act by the data subject that manifests their explicit consent.
The requirements for consent differ depending on the risk of using cookies:

This means that while functional cookies can be offered with a simple opt-out, explicit consent is required for personalised advertising or complex profiling. In the case of non-essential cookies, a balancing of interests can also be carried out instead of consent, where it is checked whether the data processing carried out using cookies could be justified by overriding private interests.
The FDPIC has also clarified that simply continuing to surf a website does not constitute valid consent. Users must actively consent to data processing – for example by clicking on a button.
- Profiling and tracking – where are the limits?
The tracking and profiling of user data is a particularly sensitive area. Profiling becomes problematic when user data is processed in such a way that key aspects of personality are analysed or predicted. The FDPIC distinguishes between:
- “Normal” profiling: This includes the recording of user behaviour to personalise content or advertising. An opt-out option is sufficient.
- High-risk profiling: As soon as cookies are used to analyse key personality aspects or enable cross-personal identification, explicit consent (opt-in) is required.
The transfer of data to third parties is particularly problematic if this results in comprehensive consumer or personality profiles. In the case of a web shop with personalised product recommendations, for example, an opt-out is sufficient. If data is passed on to advertising networks for cross-site tracking, an opt-in is required.
When is profiling high-risk?
- Cross-site tracking (linking of user data across different websites)
- Collection of sensitive data (e.g. health or financial data)
- Automated decision-making with legal implications
- Third-party services & third-party cookies: Who is responsible?
Many website operators use external tools – such as Google Analytics, Facebook Pixel or YouTube plugins. Personal data is often passed on to third parties in the process.
Within the website, the website owner is responsible for the use of cookies because they determine which data is processed via their website and for what purpose. If third-party services, i.e. social plug-ins such as Facebook, Twitter or Instagram, are integrated into the website, a distinction must be made as to whether the website owner uses the third-party services in the sense of order processing or whether third parties use the services embedded on the website to also obtain data for their own purposes.
According to the FDPIC’s guidelines, the third party is responsible for its data processing, as it influences the processing of personal data in its own interest and thus participates in the decision on the purposes and means of this processing. The website owner, in turn, only enables the third party to obtain data by integrating the third-party service on its website. The FDPIC’s guidelines clarify that joint responsibility must be assumed for the process of data collection by the third party via the website.
- Requirements for cookie banners – what needs to change?
Many websites still use cookie banners that do not comply with the GDPR. The FDPIC’s new guidelines make it clear: dark patterns or manipulative design of consent mechanisms are not permitted.
What a legally compliant cookie banner must contain:
- Clear, understandable information about the purpose of cookies
- Real choice: “Accept all” and “Reject” must be displayed equally
- Detailed control options: Users must be able to actively select individual cookie categories
- Easy revocation option: Users must be able to easily withdraw their consent at any time
What is not permitted:
- Preset consent (pre-ticked boxes) if deselecting an already ticked box is designed to be more complicated than selecting it.
- Misleading design (e.g. large “Accept” buttons, hidden “Reject” options)
- No option to reject (e.g. only “Accept” button without alternative)
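The banner rules above translate into a small set of mechanical requirements for the consent logic behind the banner: nothing non-essential is pre-selected, accept and reject are single equal-weight actions, the selection is granular per category, non-essential scripts and cookies are only activated after a recorded opt-in, and withdrawal is as easy as consenting and purges what was set. The following JavaScript is an added example (not code from the article or from HÄRTING Rechtsanwälte) of a minimal consent manager that enforces those requirements; the category names, the `COOKIE_REGISTRY` mapping, the `ConsentManager` API and the in-memory `Map` standing in for first-party storage are all constructed for illustration.

```javascript
// Added example: consent gating for non-essential cookies.
// Category names and the cookie registry are constructed for illustration.
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Constructed registry: which cookie name belongs to which category.
const COOKIE_REGISTRY = {
  session_id: 'necessary',
  cart: 'necessary',
  lang: 'functional',
  _ga_example: 'analytics',
  ad_profile: 'marketing',
};

// Nothing non-essential is pre-ticked: the user must actively opt in.
function defaultChoices() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

class ConsentManager {
  // `storage` stands in for a first-party cookie or localStorage.
  constructor(storage = new Map(), now = () => Date.now()) {
    this.storage = storage;
    this.now = now;
    this.listeners = [];
    this.record = storage.has('consent') ? JSON.parse(storage.get('consent')) : null;
  }

  // True once the user has made an explicit decision (accept, reject or custom).
  hasDecided() { return this.record !== null; }

  // Necessary cookies never need consent; every other category needs a recorded opt-in.
  allowed(category) {
    if (category === 'necessary') return true;
    return this.record !== null && this.record.choices[category] === true;
  }

  // Record a granular selection made by an explicit user action (button click).
  save(selection) {
    const choices = defaultChoices();
    for (const c of CATEGORIES) {
      if (c !== 'necessary' && selection[c] === true) choices[c] = true;
    }
    this.record = { choices, decidedAt: this.now() };
    this.storage.set('consent', JSON.stringify(this.record));
    this.flush();
    return this.record;
  }

  // "Accept all" and "Reject all" are single actions of equal weight.
  acceptAll() { return this.save({ functional: true, analytics: true, marketing: true }); }
  rejectAll() { return this.save({}); }

  // Withdrawal: one call clears the record and deletes every cookie that is
  // no longer permitted; returns the names that were removed.
  withdraw(cookieJar) {
    this.record = null;
    this.storage.delete('consent');
    return purgeCookies(cookieJar, this);
  }

  // Defer a loader (e.g. an analytics tag) until its category is allowed; runs once.
  when(category, loader) {
    const entry = { category, loader, done: false };
    this.listeners.push(entry);
    this.flush();
    return entry;
  }

  flush() {
    for (const e of this.listeners) {
      if (!e.done && this.allowed(e.category)) { e.done = true; e.loader(); }
    }
  }
}

// Delete every cookie whose category is not (or no longer) permitted.
// Unregistered cookies are treated as non-essential, the conservative default.
function purgeCookies(cookieJar, consent) {
  const removed = [];
  for (const name of Object.keys(cookieJar)) {
    const category = COOKIE_REGISTRY[name] || 'marketing';
    if (!consent.allowed(category)) { delete cookieJar[name]; removed.push(name); }
  }
  return removed.sort();
}
```

In a real page the `when()` loaders would inject the third-party scripts (analytics, pixels, embedded plug-ins) so that no non-essential cookie is set before the opt-in is recorded, and the `cookieJar` would be the browser's cookie store; the conservative handling of unregistered cookie names is a design choice so that a cookie nobody documented is never silently kept after withdrawal.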
- What companies need to do now
The FDPIC’s new guidelines show: The uncontrolled growth in the use of cookies is over. Website operators must ensure that their cookie management complies with legal requirements – otherwise they may face prohibitions and sanctions.
To-do list for companies:
- Check the use of cookies: Which cookies are necessary? Where is there a need for action?
- Customise consent banner: Ensure DSG-compliant consent and presentation.
- Revise tracking technologies: Carry out risk analysis or data protection impact assessment for profiling.
- Update privacy policy: Provide clear and transparent information.
Companies that act now can not only avoid legal risks, but also build trust with their users. Those who do not comply with the new requirements not only risk data protection violations, but also a loss of reputation in the long term.
Data protection is no longer a “nice-to-have”, but a decisive factor for the future viability of digital business models.
HÄRTING Rechtsanwälte supports you in making your website and your digital business models GDPR-compliant. We help you to minimise legal risks, avoid sanctions and strengthen the trust of your users.