Since Switzerland's revised Federal Act on Data Protection (nFADP) came into force on 1 September 2023, one question has been circulating persistently among Swiss SME owners and privacy practitioners: can Google Analytics still be used legally? The short answer is yes, but only under strict conditions that the vast majority of websites do not meet. This article clarifies the Swiss legal framework, sets out the concrete requirements for compliant use, and presents alternatives that sidestep the problem altogether.
Legal Status of Google Analytics Under the nFADP
Google Analytics is not banned under Swiss law. Unlike some European supervisory authorities (including France's CNIL and Austria's DSB, both of which have issued formal decisions against Google Analytics), the Federal Data Protection and Information Commissioner (FDPIC) has not issued a prohibition order to date.
That said, the FDPIC has made its position clear: data transfers to the United States raise structural, unresolved issues, and any tool involving such transfers must be surrounded by robust safeguards. Google Analytics, which transmits behavioural data to Google's US-based servers, falls squarely into this category.
Google Analytics 4 (GA4), the current version, introduces meaningful privacy improvements over the legacy Universal Analytics (UA):
- IP anonymisation is enabled by default: the full IP address is no longer transmitted to Google
- The data model is based on events rather than sessions, which reduces certain forms of behavioural profiling
- Shorter data retention periods are available (minimum: 2 months)
- Google has introduced Google Consent Mode v2, which allows behavioural modelling without cookies when consent has been refused
These improvements are meaningful, but they do not resolve the core legal issue: the transfer of personal data to the United States and the strict conditions governing it under the nFADP.
The Data Transfer Problem
This is where the primary legal difficulty lies. The nFADP, like the GDPR, places strict requirements on cross-border transfers of personal data to third countries. It requires either that the recipient country offers an adequate level of protection, or that appropriate safeguards are in place.
Since 15 September 2024, Switzerland recognises an adequate level of data protection for US organisations certified under the Swiss-U.S. Data Privacy Framework (DPF). This means that transfers to DPF-certified recipients no longer require additional safeguards. However, the United States does not benefit from a general adequacy decision: transfers to US entities not certified under the DPF remain subject to the standard nFADP requirements.
The FDPIC has highlighted in its published guidance that US surveillance laws, notably the CLOUD Act and the Foreign Intelligence Surveillance Act (FISA), continue to allow US authorities to access data held by US companies. For DPF-certified recipients, the framework provides remedies and access limitations deemed sufficient by Switzerland.
For transfers to recipients not certified under the DPF, companies must rely on Standard Contractual Clauses (SCCs): either the EU SCCs adopted by analogy, or the clauses published directly by the FDPIC. Google offers a Data Processing Agreement (DPA) that incorporates SCCs, which may be sufficient for DPF-certified entities. For non-certified recipients, supplementary safeguards beyond SCCs alone remain necessary.
Using GA4 Lawfully in Switzerland: Cumulative Requirements
If you wish to retain Google Analytics while complying with the nFADP, all of the following conditions must be met simultaneously:
1. Prior and explicit consent banner
The Google Analytics script must be blocked on page load and activated only after the user grants explicit consent. This means:
- An "Accept" button and a "Refuse" button of equal visual prominence
- No pre-ticked boxes, no scroll or continued navigation treated as consent
- Consent must be revocable at any time, as easily as it was given
```html
<!-- Script blocked until consent is granted -->
<script type="text/plain" data-category="analytics"
        src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX">
</script>
```
2. Explicit disclosure in your privacy policy
Your privacy policy must explicitly state:
- That you use Google Analytics 4
- The nature of the data collected (browser identifiers, browsing behaviour, event data)
- The transfer to the United States and the associated safeguards (DPA + SCCs with Google)
- The data retention period configured in GA4
- Users' right to object or withdraw consent
3. Data Processing Agreement with Google
You must have accepted Google's Data Processing Agreement in your Google Analytics account settings. This agreement incorporates SCCs and defines Google's obligations as a data processor.
4. IP anonymisation
This is enabled by default in GA4 and cannot be disabled, a structural improvement over UA. Verify that no custom configuration in your implementation overrides this setting.
5. Minimum data retention period
In your GA4 property settings, configure user data retention to 2 months (the shortest available option). The shorter the retention period, the lower the risk of prolonged profiling.
6. Disable Google Signals and data sharing
In your GA4 property settings:
- Disable Google Signals: they allow Google to associate your data with other Google services
- Disable data sharing with Google for "product improvements" and "benchmarks"
- Disable the remarketing feature
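The consent gate from requirement 1, as an added example that is not part of the original article: the blocked `type="text/plain"` tags are re-created as executable scripts only once an explicit "granted" choice is stored. The storage key, the button ids `consent-accept` and `consent-refuse`, the function names and loading the file at the end of the page are assumptions.

```javascript
// Added example, not the article's code. Storage key and button ids are hypothetical.
const CONSENT_KEY = "consent.v1";
function readRecord(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) || "{}");
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch {
    return {};
  }
}
// Only an explicit "granted" counts; a missing or corrupt record means no consent.
function hasConsent(storage, category) {
  return readRecord(storage)[category] === "granted";
}

function recordChoice(storage, category, granted) {
  const record = readRecord(storage);
  record[category] = granted ? "granted" : "denied";
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
}

// A type="text/plain" script is inert. For each consented category a fresh
// executable element replaces it, so the browser fetches and runs the tag.
function activateBlockedScripts(doc, storage) {
  const loaded = [];
  for (const blocked of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!hasConsent(storage, blocked.dataset.category)) continue;
    const live = doc.createElement("script");
    live.src = blocked.getAttribute("src");
    live.async = true;
    blocked.replaceWith(live);
    loaded.push(live.src);
  }
  return loaded;
}

// Browser wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined") {
  activateBlockedScripts(document, localStorage); // visitors who accepted earlier
  document.getElementById("consent-accept").addEventListener("click", () => {
    recordChoice(localStorage, "analytics", true);
    activateBlockedScripts(document, localStorage);
  });
  document.getElementById("consent-refuse").addEventListener("click", () => {
    const wasGranted = hasConsent(localStorage, "analytics");
    recordChoice(localStorage, "analytics", false);
    if (wasGranted) location.reload(); // withdrawal: unload a tag already running
  });
}
```

The same refuse control serves first-time refusal and later withdrawal, which keeps revoking as easy as granting.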
Server-Side Tracking: An Advanced Compliance Approach
Server-side tracking is a technical approach in which analytics events are sent not directly from the visitor's browser to Google, but via an intermediary server that you control.
In practice: instead of the browser sending data to analytics.google.com, your website sends events to your own server (hosted in Switzerland or the EU), which then forwards them to Google, filtering or pseudonymising data in the process.
Compliance benefits:
- The visitor's IP address is never transmitted to Google: your intermediary server sends its own IP
- You can filter out sensitive data before it reaches Google
- You retain control over what is transmitted and when
- The exposure to US surveillance law is significantly reduced, though not entirely eliminated
Limitations: Server-side tracking is a technically demanding solution that requires dedicated infrastructure (e.g. Google Tag Manager server-side container). It does not fully eliminate the data transfer issue, but it substantially narrows its scope.
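The filtering and pseudonymising step of such an intermediary server, as an added example that is not from the original article. The incoming event shape, the parameter allowlist, the key and the function names are assumptions; the outgoing body uses the `client_id` plus `events[]` shape of the GA4 Measurement Protocol, and the actual forwarding request is left out.

```javascript
// Added example, not from the original article: the filtering step of a relay.
const { createHmac } = require("node:crypto");

// Hypothetical allowlist: parameters not named here are never forwarded.
const ALLOWED_PARAMS = new Set(["page_location", "page_referrer", "page_title"]);

// Keyed hash of the browser identifier. The key never leaves the relay, so
// Google receives a stable pseudonym instead of the visitor's own client id.
function pseudonymise(clientId, secretKey) {
  return createHmac("sha256", secretKey).update(clientId).digest("hex").slice(0, 32);
}

// Keep origin and path only; query strings and fragments often carry e-mail
// addresses or tokens. Unparseable values are dropped rather than forwarded.
function stripUrl(value) {
  try {
    const url = new URL(String(value));
    return url.origin + url.pathname;
  } catch {
    return undefined;
  }
}

// Build the outgoing body in the GA4 Measurement Protocol shape
// (client_id plus events[]). The ip and userAgent fields are never copied.
function sanitiseEvent(incoming, secretKey) {
  const params = {};
  for (const [key, value] of Object.entries(incoming.params || {})) {
    if (!ALLOWED_PARAMS.has(key)) continue;
    const clean = key === "page_title" ? String(value).slice(0, 100) : stripUrl(value);
    if (clean !== undefined) params[key] = clean;
  }
  return {
    client_id: pseudonymise(String(incoming.clientId), secretKey),
    events: [{ name: String(incoming.name), params }],
  };
}

// Constructed sample of what the relay receives from the browser.
const sample = {
  ip: "203.0.113.7", userAgent: "Mozilla/5.0 (constructed)",
  clientId: "1234567890.1700000000", name: "page_view",
  params: {
    page_location: "https://shop.example.ch/order?email=anna%40example.ch#step2",
    page_title: "Order", user_email: "anna@example.ch",
  },
};
console.log(JSON.stringify(sanitiseEvent(sample, "constructed-relay-key"), null, 2));
```

Rotating the relay key breaks the link between old and new pseudonyms, which is a way to bound how long a visitor stays linkable on Google's side.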
Compliant Alternatives to GA4
Many Swiss SMEs are asking a practical question: are there analytics solutions that avoid these complications from the outset? Yes, and some are even hosted in Switzerland.
| Solution | Hosting | nFADP transfer risk | Consent required | Features | Price |
|---|---|---|---|---|---|
| Matomo (self-hosted) | Your server (CH) | None: data stays in Switzerland | No, if configured correctly | Full (funnels, e-commerce, heatmaps) | Free (infrastructure your responsibility) |
| Friendly Analytics | Switzerland (Infomaniak) | None: data stays in Switzerland | No, cookie-free analytics | Core (page views, sources, session duration) | From CHF 9/month |
| Plausible | EU (Germany/Belgium) | Low: EU transfer, no US exposure | No, cookie-free | Lightweight, open-source | From €9/month |
| Fathom | Canada/EU | Moderate: non-CH, non-EU hosting possible | No, cookie-free | Core, privacy-first | From $15/month |
| Google Analytics 4 | United States | High: US transfer, DPF + SCCs required | Yes, mandatory | Full-featured, advanced, free | Free |
Matomo (self-hosted)
Matomo is the most feature-complete alternative for teams seeking a functional equivalent to GA4. Hosted on your own servers or with a Swiss provider such as Infomaniak, it transmits no data to third parties. Correctly configured (with IP anonymisation enabled and cross-site tracking disabled), it can be used without a consent banner, which is a significant operational advantage. Its feature set is extensive: conversion funnels, e-commerce tracking, heatmaps, and session recordings.
Friendly Analytics
Friendly Analytics is a Swiss solution hosted by Infomaniak, built specifically for compliance with European and Swiss data protection laws. It does not set cookies and does not collect full IP addresses. For Swiss SMEs, it is arguably the simplest path to compliance: no problematic cross-border transfer, no consent requirement for analytics data.
Plausible
Plausible is a lightweight, open-source solution hosted within the European Union. It uses no cookies and collects no personally identifying data. Its dashboard is intentionally streamlined and well suited to the needs of most SMEs. Plausible is GDPR-compliant and nFADP-compatible without requiring a consent banner. Note, however, that EU hosting still involves a cross-border transfer under the nFADP: lower risk than a US transfer, but not equivalent to keeping data in Switzerland.
Fathom
Fathom is another cookie-free, privacy-first analytics solution. It is known for its straightforward integration and its stated compliance with a wide range of data protection laws, including the GDPR and the nFADP. Fathom processes data in Canada and the EU, not in Switzerland, so a cross-border transfer under the nFADP is involved. For organisations where Swiss data residency is a strict requirement, a Swiss-hosted solution remains preferable.
When Must You Switch Away from Google Analytics?
Certain situations make the use of Google Analytics particularly difficult to justify:
- Your site processes health, financial, or judicial data: combining behavioural data with these sensitive categories substantially amplifies the risks
- Your audience includes minors: consent requirements are even stricter in this context
- A compliant consent banner is not feasible: for example on an intranet, a business application, or a public-sector service
- You operate in a regulated sector: healthcare, financial services, or cantonal/federal public administration
- Your refusal rate is very high: if 60 to 80 % of your visitors decline consent (which is common with a genuinely compliant banner), your analytics data will be too incomplete to be actionable
In all these situations, migrating to a cookie-free analytics solution hosted in Switzerland is the most pragmatic decision: it eliminates cross-border transfer obligations entirely. EU-hosted alternatives reduce risk significantly compared to US-based tools but still involve a transfer under the nFADP. In either case, switching away from GA4 simplifies compliance and, as a bonus, delivers reliable data covering 100 % of your visitors.
Before deciding how to handle your analytics setup, start by understanding exactly which trackers are active on your site today. PrivaScan analyses your website for free, detects all third-party scripts and cookies, and shows you precisely what requires consent under the nFADP.