In October 2025, the Federal Data Protection and Information Commissioner (FDPIC) published updated guidelines on the use of cookies and similar tracking technologies. These guidelines clarify the obligations arising from the new Federal Act on Data Protection (nFADP), which came into force on 1 September 2023, and from Article 45c of the Telecommunications Act (TCA). For Swiss businesses, including small and medium-sized enterprises, these guidelines carry immediate and practical consequences.
Why Did the FDPIC Update Its Guidelines?
Since the nFADP entered into force, many Swiss website operators were uncertain about the level of consent required for non-essential cookies. Practices varied widely: some relied on a purely informational banner, while others invoked legitimate interests to justify placing analytics or advertising cookies without explicit user consent.
The FDPIC's new guidelines put an end to this grey area. They adopt a strict interpretation of consent, aligned with best European practices but firmly rooted in Swiss law. The objective: ensure that users remain in control of their personal data, including data collected through tracking technologies.
What Changes in Practice
1. Explicit Consent Required Before Any Non-Essential Cookie
The rule is now unambiguous: no non-essential cookie may be placed before the user has given active, informed consent. This means:
- Checkboxes must be unchecked by default.
- Simply continuing to browse the website (scrolling, clicking an internal link) no longer constitutes valid consent.
- Banners where the reject button is less prominent than the accept button are non-compliant.
2. No Consent by Scrolling or Continued Browsing
This is one of the most significant changes. Many Swiss websites displayed banners stating: "By continuing to browse, you accept cookies." This practice is explicitly invalidated by the new guidelines. Consent must result from a clear and affirmative action by the user.
3. Clear Information About the Purpose
Before giving consent, the user must be able to understand:
- Which cookies are used (name, provider, retention period).
- For what purpose they are placed (audience measurement, advertising personalisation, social media, etc.).
- Who has access to the collected data (including third parties such as Google Analytics or Meta Pixel).
Vague descriptions such as "to improve your experience" or "for statistical purposes" are no longer sufficient. Each cookie category must be described precisely and in language that an ordinary user can understand.
4. Withdrawal of Consent as Easy as Giving It
The nFADP enshrines the right to withdraw consent at any time. The new guidelines specify that this withdrawal must be just as easy as the original consent. In practice:
- A permanently accessible link or button must allow access to cookie settings from any page of the website.
- Withdrawal must take effect immediately, without additional steps.
- Withdrawn preferences must not be reset on each visit.
5. Limited Consent Retention Period
Consent cookies themselves must have a reasonable lifespan. The FDPIC recommends not exceeding 12 months, after which the user must be asked again.
Essential vs. Non-Essential Cookies: The Key Distinction
Not all cookies are subject to the same rules. The guidelines confirm the following classification:
| Cookie Type | Examples | Consent Required? |
|---|---|---|
| Strictly necessary | Session, cart, authentication, CSRF protection | No |
| Functional | Language, region, display preferences | No (if linked to an explicit request) |
| Analytics / statistics | Google Analytics, Matomo (non-anonymised) | Yes |
| Marketing / advertising | Meta Pixel, Google Ads, retargeting | Yes |
| Social media | Share buttons, embedded widgets | Yes |
Swiss Law vs. EU ePrivacy: Key Differences
Switzerland is not a European Union member and is not directly subject to the ePrivacy Directive or the GDPR. However, the FDPIC's new guidelines align closely with these frameworks while retaining a number of Swiss-specific features.
| Criterion | Switzerland (nFADP + TCA Art. 45c) | EU (GDPR + ePrivacy) |
|---|---|---|
| Legal basis for non-essential cookies | Explicit consent | Explicit consent |
| Consent by continued browsing | Prohibited (FDPIC guidelines 2025) | Prohibited (CJEU case law) |
| Supervisory authority | FDPIC (Bern) | Various (e.g. ICO, CNIL, BfDI) |
| Maximum sanctions | CHF 250,000 (criminal provisions nFADP) | Up to 4% of global annual turnover (GDPR) |
| Cookie wall | Not recommended | Generally invalid (EDPB) |
| Recommended max. consent duration | 12 months (FDPIC) | 6 to 13 months (depending on authority) |
| Records of processing activities | Mandatory (> 250 employees or high-risk processing) | Mandatory (Art. 30 GDPR) |
The essential difference lies in the sanctions regime: Swiss sanctions are criminal in nature and target responsible natural persons, whereas GDPR fines are administrative and can reach far higher amounts for large companies. For Swiss SMEs, reputational risk and FDPIC interventions remain the most tangible forms of pressure.
Impact on Swiss SMEs
The new guidelines apply to every website targeting users in Switzerland, regardless of company size. An online shop in Geneva, a law firm in Zurich, or a sole trader in Lucerne are all affected if their website uses third-party tools such as Google Analytics, Facebook Pixel, or live chat plugins.
The risks of non-compliance are multiple:
- User complaints filed with the FDPIC.
- Official investigations that can lead to binding recommendations.
- Reputational damage, particularly for businesses with privacy-sensitive customer segments (banking, healthcare, legal).
- Invalidation of analytics data collected without valid consent, a significant problem for data-driven marketing decisions.
Practical Steps to Achieve Compliance
Step 1: Audit the Cookies on Your Website
Before taking any action, you need to know exactly which cookies your website places, when, and why. An audit should cover:
- First-party cookies (generated by your own infrastructure).
- Third-party cookies (Google, Meta, LinkedIn, Hotjar, Intercom, etc.).
- Cookies placed before any consent is obtained.
Use your browser's developer tools or automated scanners to build a comprehensive list.
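As an added example (not part of the original article and not PrivaScan's scanner), the following JavaScript turns a handful of Set-Cookie headers captured with browser developer tools into the audit rows Step 1 asks for: who set each cookie, whether it is first- or third-party, whether it persists and for how long, and whether it appeared before any consent was given. The audited domain `example.ch`, the sample headers and the `beforeConsent` tagging are constructed for the example.

```javascript
// Added example: cookie-audit helper over captured Set-Cookie headers.
// "example.ch" and the OBSERVED sample below are constructed, not real captures.

const AUDITED_SITE = "example.ch";

// Minimal RFC 6265 Set-Cookie parser: name, Domain, Max-Age/Expires and the flags
// an audit cares about. Attribute names are case-insensitive.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    domain: null, maxAge: null, expires: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1).trim() : "";
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Lifetime in days. Max-Age takes precedence over Expires (RFC 6265 section 5.3);
// null means a session cookie that disappears when the browser closes.
function lifetimeDays(cookie, now) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) return cookie.maxAge / 86400;
  if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    return (cookie.expires.getTime() - now) / 86400000;
  }
  return null;
}

// A host is first-party if it is the audited site or one of its subdomains.
function isFirstPartyHost(host) {
  const h = host.toLowerCase();
  return h === AUDITED_SITE || h.endsWith("." + AUDITED_SITE);
}

// One audit row per observation: { host, header, beforeConsent }.
function auditCookies(observations, now = Date.now()) {
  return observations.map(({ host, header, beforeConsent }) => {
    const c = parseSetCookie(header);
    const days = lifetimeDays(c, now);
    return {
      name: c.name,
      setBy: host,
      firstParty: isFirstPartyHost(host),
      persistent: days !== null,
      lifetimeDays: days === null ? null : Math.round(days),
      beforeConsent,
    };
  });
}

// Anything third-party or persistent that was placed before consent either needs a
// "strictly necessary" justification or must move behind the consent gate.
function needsReview(rows) {
  return rows
    .filter((r) => r.beforeConsent && (!r.firstParty || r.persistent))
    .map((r) => r.name);
}

// Constructed sample capture: what a dev-tools session on example.ch might show.
const OBSERVED = [
  { host: "example.ch", header: "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax", beforeConsent: true },
  { host: "example.ch", header: "_ga=GA1.2.123456; Max-Age=63072000; Path=/; Domain=.example.ch", beforeConsent: true },
  { host: "www.facebook.com", header: "fr=xyz; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Domain=.facebook.com; Secure", beforeConsent: true },
  { host: "example.ch", header: "lang=de; Max-Age=2592000; Path=/", beforeConsent: false },
];

const auditRows = auditCookies(OBSERVED, Date.parse("2025-11-01T00:00:00Z"));
console.table(auditRows);
console.log("needs review:", needsReview(auditRows));
```

The session cookie passes because it is first-party and non-persistent; the two-year `_ga` cookie and the third-party `fr` cookie are flagged because both appear before consent, and the `lang` cookie is not flagged because it was only set after a choice was made.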
Step 2: Implement a Compliant CMP
A Consent Management Platform (CMP) is now essential for the vast majority of professional websites. It must:
- Display a banner where reject options are as prominent as accept options.
- Enable granular management by cookie category.
- Block the loading of third-party scripts before consent is obtained.
- Log consents (timestamp, banner version, user choice) so they can be demonstrated in the event of an audit.
- Provide a permanently accessible mechanism for withdrawing consent.
Step 3: Update Your Privacy Policy
Your privacy policy must accurately reflect the processing activities carried out through cookies. It must include:
- The list of cookies used and their purposes.
- The legal bases (consent for non-essential, legitimate interests for strictly necessary cookies).
- Data transfers to third countries (e.g. Google Analytics transfers data to the United States).
- The right to withdraw consent and how to exercise it.
Relevant legal references to include: Art. 6 nFADP (lawfulness of processing), Art. 45c TCA (cookies and similar technologies), and the official FDPIC guidelines.
Step 4: Test and Document
Once the CMP is in place, carry out thorough testing:
- Browse your website without accepting cookies: verify that no non-essential cookie is placed.
- Test consent withdrawal: verify that preferences are respected immediately.
- Check compatibility with Google Consent Mode v2 if you use Google Analytics or Google Ads.
- Retain screenshots and consent logs as evidence.
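The following JavaScript is an added example of the gating logic behind the CMP requirements in Step 2 and the checks in Step 4; it is not code from the original article or from any CMP product. It shows the mechanics the guidelines demand: nothing non-essential runs before an affirmative decision, categories are granular, every decision is logged with a timestamp and banner version, a decision expires after 12 months, and withdrawal is a single call that persists across visits. The category names, `CONSENT_VERSION`, the `data-consent-category` attribute convention and the in-memory `store` (standing in for a first-party consent cookie or localStorage) are assumptions made for this example.

```javascript
// Added example: consent gate for a CMP. Names and the in-memory store are assumptions.

const CONSENT_VERSION = "2025-10-v1";                    // bump whenever banner text or categories change
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;            // FDPIC: ask again after at most 12 months
const CATEGORIES = ["analytics", "marketing", "social"]; // non-essential categories offered in the banner

// Stand-in for localStorage / a first-party consent cookie so the example runs outside a browser.
const store = { current: null, log: [] };

// Persist a decision. Only an explicit `true` counts as opt-in; a missing key or any
// non-boolean value is treated as "not consented" (checkboxes unchecked by default).
function recordConsent(choices, now = Date.now()) {
  const normalised = {};
  for (const c of CATEGORIES) normalised[c] = choices[c] === true;
  const record = { version: CONSENT_VERSION, timestamp: new Date(now).toISOString(), choices: normalised };
  store.current = record;
  store.log.push(record); // evidence for an audit: when, which banner version, what was chosen
  return record;
}

// Withdrawal is just another decision with every category off. It is logged like any
// other decision and persists, so the user's choice is not reset on the next visit.
function withdrawConsent(now = Date.now()) {
  return recordConsent({}, now);
}

// A stored decision is valid only if it was given on the current banner version
// and is younger than MAX_AGE_MS; otherwise the banner must be shown again.
function validDecision(now = Date.now()) {
  const rec = store.current;
  if (!rec || rec.version !== CONSENT_VERSION) return null;
  if (now - Date.parse(rec.timestamp) > MAX_AGE_MS) return null;
  return rec;
}

function needsPrompt(now = Date.now()) {
  return validDecision(now) === null;
}

// Strictly necessary scripts never need consent; everything else needs a valid,
// current opt-in for its own category.
function isAllowed(category, now = Date.now()) {
  if (category === "essential") return true;
  const rec = validDecision(now);
  return rec !== null && rec.choices[category] === true;
}

// Pure form of the gate: which of the given tags may run right now.
function scriptsToLoad(scripts, now = Date.now()) {
  return scripts.filter((s) => isAllowed(s.category, now));
}

// DOM form: third-party tags are embedded as
//   <script type="text/plain" data-consent-category="analytics" data-src="https://..."></script>
// so the browser never executes them on its own. This activates each allowed tag once.
// Withdrawal stops future loads; deleting cookies a tag already set is a separate CMP task.
function activateScripts(doc, now = Date.now()) {
  const activated = [];
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    const category = tag.getAttribute("data-consent-category");
    if (tag.dataset.activated === "true" || !isAllowed(category, now)) continue;
    const live = doc.createElement("script");
    if (tag.dataset.src) live.src = tag.dataset.src;
    else live.textContent = tag.textContent;
    tag.dataset.activated = "true";
    tag.parentNode.insertBefore(live, tag.nextSibling);
    activated.push(category);
  }
  return activated;
}

// In a browser: show the banner when needsPrompt() is true; on every page load,
// activate only what the stored decision allows. Under Node this branch is skipped.
if (typeof document !== "undefined" && !needsPrompt()) {
  activateScripts(document);
}
```

The Step 4 checks map directly onto these functions: browsing without accepting means `needsPrompt()` is true and `scriptsToLoad` returns only essential tags; withdrawing means `isAllowed` flips to false immediately while `needsPrompt` stays false, so the choice is respected rather than re-asked; and `store.log` is the record to retain alongside screenshots.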
Step 5: Train Your Team
Compliance is not a one-time technical fix. Internal stakeholders (marketing, IT, legal) need to understand:
- Why certain analytics configurations need to change.
- How to interpret consent logs.
- What to do if a user requests information about their data or withdraws consent.
Documenting your cookie compliance process in your internal records of processing activities (Art. 12 nFADP) is also recommended.
Common Misconceptions to Avoid
"We use anonymised analytics; no consent needed." This depends on the tool and configuration. Google Analytics 4 with IP anonymisation alone does not make data truly anonymous under Swiss law. Consent is still recommended unless you can demonstrate that re-identification is genuinely impossible.
"We have a cookie notice; that is enough." A notice that merely informs without offering a real choice is not a valid consent mechanism. The banner must enable users to refuse as easily as they can accept.
"We are too small to be targeted." The FDPIC does not publish a size threshold for enforcement. Complaints can come from any user, and the regulatory cost of an investigation far outweighs the technical effort required to implement a proper CMP.
"Our website is hosted abroad; Swiss law does not apply." What matters is whether your website targets users in Switzerland. If it does, the nFADP and TCA apply regardless of where your servers are located.
Legal References and Official Resources
- Art. 6 nFADP: Lawfulness of processing personal data
- Art. 45c TCA: Data protection in electronic communications
- FDPIC (www.edoeb.admin.ch): Cookie guidelines (October 2025)
- nFADP: Federal Act on Data Protection of 25 September 2020
Compliance with the FDPIC cookie guidelines is not an option reserved for large corporations. It applies to every professional Swiss website that uses audience measurement or digital marketing tools. The good news: with the right tools, the essentials can be addressed in a matter of hours.
Start by knowing where you stand. PrivaScan automatically analyses the cookies on your website, classifies them by category, and tells you which ones require explicit consent under the new FDPIC guidelines.