Email marketing remains one of the most cost-effective channels for Swiss SMEs — and one of the most legally regulated. The revised Federal Act on Data Protection (nFADP, known in German as nDSG and in French as nLPD) and the Federal Act against Unfair Competition (UCA) together create a clear legal framework: running a newsletter list without the right foundations exposes your business to criminal complaints, injunctions, and lasting reputational damage. This guide explains exactly what the law requires, what it recommends, and how to build a compliant email marketing operation from the ground up.
The Swiss Legal Framework: nFADP and UCA
Email marketing in Switzerland is governed by two distinct laws that apply simultaneously.
The nFADP (in force since 1 September 2023, fedlex.admin.ch) governs the processing of personal data. The moment you collect an email address, you are processing personal data within the meaning of Art. 5 nFADP. This triggers all the transparency, purpose limitation, and consent obligations the law imposes.
The UCA (Art. 3 para. 1 lit. o UCA) prohibits spam explicitly. It qualifies as unfair any mass commercial messaging by electronic means sent without the prior consent of the recipient, or without offering them a straightforward way to opt out of future messages. This provision applies independently of the nFADP and can be invoked directly by recipients, competitors, or consumer protection organisations.
The combined effect of these two laws means that opt-in is mandatory for email marketing in Switzerland — it is not simply a best-practice recommendation.
Consent: Opt-in Required, with a B2B Nuance
B2C: prior explicit consent required
For any commercial email sent to private individuals (consumers), you must obtain explicit, prior consent before the first send. That consent must be:
- Freely given: newsletter sign-up cannot be conditional on making a purchase or accessing a service
- Informed: the person must know exactly what they are subscribing to (content type, frequency, sender identity)
- Specific: a blanket acceptance of terms and conditions does not constitute consent to receive marketing emails
- Unambiguous: a pre-ticked box is not sufficient — the person must take an active, affirmative step
B2C: the "soft opt-in" for existing customers
The UCA includes an exception for existing commercial relationships. If someone has purchased a product or service similar to what you intend to promote, and you offered them the opportunity to opt out when you collected their address, you may send them related offers without fresh explicit consent. This is known as the soft opt-in.
Cumulative conditions for the soft opt-in:
- The person is an existing customer (actual purchase, not merely a prospect)
- The promoted content is similar to what they bought
- You offered an opt-out opportunity at the time of data collection
- Every subsequent email contains an unsubscribe link
In practice, the soft opt-in is riskier than it appears: the conditions are interpreted narrowly, and the burden of proof rests entirely with you.
B2B: more flexibility, but not a free pass
For emails addressed to businesses (corporate email addresses), the framework is slightly more permissive. The UCA tolerates a degree of B2B prospecting provided it is relevant to the recipient's line of business and every message offers an easy way to opt out. However, the nFADP still applies: business email addresses that directly identify a person (firstname.lastname@company.ch) remain personal data.
Double Opt-in: Not Legally Required, but Essential
The nFADP and UCA do not formally mandate double opt-in (sending a confirmation email that the recipient must click before being subscribed). Yet virtually every Swiss compliance expert strongly recommends it, for good reason:
- Proof of consent: double opt-in creates a timestamped, traceable record you can produce in the event of a dispute or regulatory inquiry
- List quality: it eliminates typos, invalid addresses, and fraudulent sign-ups
- Deliverability: a clean list reduces your bounce rate and protects your sender reputation
- Protection against misuse: without double opt-in, anyone can sign up a third party's address without their knowledge
Without double opt-in, your consent is harder to demonstrate. In a UCA complaint or an inquiry from the Federal Data Protection and Information Commissioner (FDPIC), you must show that the sign-up was voluntary and informed.
Mandatory Elements in Every Marketing Email
Every marketing email you send must contain the following elements without exception:
| Element | Detail |
|---|---|
| Sender identity | Company name, full postal address — not just a domain name |
| Unsubscribe link | Functional, visible, acted upon within a reasonable timeframe (in practice, max. 10 business days) |
| Privacy policy link | Or at minimum a reference to your data processing practices |
| Non-deceptive subject line | The subject must not mislead about content or sender identity (UCA Art. 3 lit. b) |
The absence of an unsubscribe link or a clear sender identification constitutes a direct violation of the UCA, regardless of whether consent was properly obtained.
Privacy Policy: What Must Be Included
If you conduct email marketing, your privacy policy must explicitly cover this activity. Under Art. 19 nFADP (duty to inform), you must specify:
- The purpose: sending newsletters and commercial communications
- The legal basis: consent (or legitimate interest for B2B, which must be documented)
- The categories of data: email address, first name, behavioural data (opens, clicks) if tracked
- Third-party recipients: the name of your email platform (Mailchimp, Brevo, etc.)
- Retention period: until unsubscription, and how long you retain logs thereafter
- The right to withdraw consent and how to exercise it
Consent records — who consented, when, via which form, with what wording — must be retained. In a dispute, you must prove consent existed; it is not up to the recipient to prove its absence.
Newsletter Sign-up Forms: Transparency at the Point of Collection
Your newsletter sign-up form is the first legal touchpoint. It must comply with several rules:
Information to provide at sign-up:
- Who is collecting the data (your company name)
- For what purpose (newsletter, promotions, news — be specific)
- At what approximate frequency
- To which tool the data will be transferred (e.g. "Your data will be processed by Brevo SAS, France")
- How to unsubscribe
What you may not do:
- Pre-tick the newsletter subscription box
- Gate downloadable content behind a newsletter sign-up with no alternative
- Collect more data than necessary (data minimisation principle, Art. 6 para. 2 nFADP)
A simple "Privacy Policy" link near the form is not enough — the essential information must be visible without requiring the user to navigate elsewhere.
Third-Party Tools: Mailchimp, Brevo, and Data Transfers Abroad
The vast majority of Swiss SMEs use foreign email marketing tools. These tools involve a transfer of personal data outside Switzerland, triggering specific obligations under the nFADP (Art. 16–17).
US-based providers (Mailchimp, Klaviyo, HubSpot, Constant Contact)
The United States does not appear on the list of countries with an adequate level of data protection recognised by the FDPIC. Transferring your email list to US servers requires appropriate safeguards, typically:
- Swiss or EU Standard Contractual Clauses (SCCs), or
- Binding Corporate Rules (BCRs)
In practice, most of these tools offer a Data Processing Agreement (DPA) that incorporates SCCs. You must sign it and be able to demonstrate that you did. This is not automatic — you must activate the DPA in your account settings or sign it separately.
You must also disclose this transfer in your privacy policy, specifying the provider's name, the destination country, and the legal basis for the transfer.
European providers (Brevo/Sendinblue, Mailjet)
EU/EEA countries benefit from an adequacy decision recognised by the FDPIC. Transferring data to a provider hosted in France or Germany is therefore easier to justify, provided a DPA is in place.
Swiss-Hosted Alternatives
For businesses that want to keep their subscriber lists on Swiss soil, several options are available:
- Infomaniak Newsletter (Geneva) — Swiss hosting, native nDSG/nFADP compliance, transparent pricing
- Self-hosted Mautic on Infomaniak or Exoscale infrastructure — open-source solution, full control
- Proca — Swiss-developed tool, originally designed for civic engagement campaigns
Swiss hosting simplifies compliance (no international transfer to justify) but does not exempt you from your other obligations: consent, mandatory email disclosures, and a compliant privacy policy.
Purchased Email Lists: Almost Always Illegal
Buying email address lists is a practice Swiss law condemns in virtually every scenario. Here is why:
- The people on those lists have not consented to receive your specific communications — whatever consent they may have given was granted to a third party for a different purpose
- The list seller cannot transfer valid consent to you under the nFADP: consent is personal and non-transferable
- Sending to those addresses violates Art. 3 lit. o UCA from the very first message
- You also risk having your email service provider suspend your account and face severe deliverability damage
The argument that "the list comes from a reputable source" holds no legal weight. The only lawful list is one you have built yourself, with explicit consent from every subscriber.
Tracking Pixels and Link Tracking: Consent Applies Here Too
Most email tools enable open tracking (tracking pixel) and click tracking (redirected links) by default. These features constitute processing of personal behavioural data.
Under the nFADP, collecting behavioural data through email marketing requires:
- Clear disclosure in your privacy policy (what data is collected and for what purpose)
- Explicit consent if the data is used for profiling within the meaning of Art. 5 lit. f nFADP
In practice, if you use tracking solely for aggregated internal statistics (overall open rate, overall click rate), you may rely on legitimate interest — provided you have documented it and referenced it in your privacy policy. If you use this data for individual profiling or fine-grained behavioural segmentation, explicit consent is required.
Noting in emails that they contain a tracking pixel is not formally required by the nFADP, but it is considered best practice and can preempt complaints.
Summary: B2C vs B2B
| Aspect | B2C (consumers) | B2B (businesses) |
|---|---|---|
| Opt-in required | Yes, prior explicit consent | Tolerance for relevant prospecting, opt-in recommended |
| Soft opt-in | Available for existing customers (strict conditions) | More flexible, content must relate to their business |
| Double opt-in | Strongly recommended | Recommended |
| Unsubscribe link | Mandatory | Mandatory |
| nFADP applicable | Yes | Yes (personally identified addresses) |
| UCA applicable | Yes | Yes |
Frequently Asked Questions
Can I email former customers without new consent? It depends. The soft opt-in applies if the promoted product is similar to what they purchased and you offered an opt-out at the time of data collection. When in doubt, requesting fresh confirmation is the safest approach.
What should I do when someone unsubscribes? Remove the address from your active list within a reasonable timeframe (10 business days at most). You may retain it on a suppression list to avoid accidentally re-adding it, but you may no longer send that person commercial communications.
My CRM automatically imports contacts from LinkedIn or other sources — is that legal? No, in most cases it is not. The fact that an address is publicly accessible does not constitute consent to receive your newsletters.
Does the nFADP apply if I send from abroad to people in Switzerland? Yes. The nFADP has extraterritorial reach similar to the GDPR: it applies as soon as you process data belonging to people residing in Switzerland, regardless of where your business is located.
Before sending your next newsletter, start by understanding what your website is actually collecting. Scan your site for free with PrivaScan: in minutes, you get a full inventory of active trackers, third-party scripts, and nFADP compliance gaps that could undermine your entire marketing operation.