Did you know that the majority of Swiss websites set third-party cookies without properly informing their visitors? Since 1 September 2023, obtaining prior user consent for these cookies is no longer optional under Swiss law β the nLPD makes it a legal obligation. But before you can act, you need to know exactly which cookies are active on your site. This guide explains how to find them and what to do next.
What are Third-Party Cookies?
Third-party cookies are files stored in your visitor's browser by a domain other than your own. When someone visits yoursite.ch, your server can set its own cookies (called first-party cookies). But when your page loads a Google Analytics script, a Meta Pixel, or a Stripe widget, those services set their own cookies β from their own domains β without you hosting them directly.
The distinction matters: third-party cookies are inherently cross-site tracking tools. They allow advertising networks and analytics platforms to recognise the same user across thousands of different websites, building detailed behavioural profiles.
The Most Common Third-Party Cookies
These are the trackers found most frequently on Swiss websites:
| Service | Provider | Primary purpose |
|---|---|---|
| Google Analytics 4 | Audience measurement, user behaviour | |
| Meta Pixel | Meta (Facebook) | Conversion tracking, Instagram/Facebook remarketing |
| Google Ads (gtag) | Conversion attribution, remarketing audiences | |
| Hotjar | Hotjar Ltd | Session recording, heatmaps |
| Microsoft Clarity | Microsoft | Behavioural analytics, session replay |
| Stripe.js | Stripe | Fraud detection during checkout |
Each of these services loads an external JavaScript file that can set one or more cookies β in the case of Google, often several dozen.
Why This Matters Under nLPD
Switzerland's nLPD requires freely given, informed, specific, and unambiguous consent before any non-essential cookie may be set. Third-party tracking and advertising cookies fall squarely into this category.
In practice, that means:
- The tracking script must be blocked on page load and only activated after explicit acceptance
- Users must be able to refuse as easily as they accept β no pre-ticked boxes, no hidden "Reject" button
- The FDPIC can open an inquiry and impose corrective measures for non-compliance
How to Detect Them
1. Browser Developer Tools
In Chrome or Edge, open DevTools (F12) and navigate to Application > Cookies. You will see all cookies set on the current page. Third-party cookies are those whose domain differs from your own.
Limitation: you only see cookies present at the moment the page loaded. Cookies triggered after a scroll or a button click can easily go unnoticed.
2. Browser Extensions
Several extensions allow real-time cookie analysis:
- Cookie-Editor β view and edit cookies on the current page
- Privacy Badger (EFF) β blocks trackers and identifies third-party domains
- uBlock Origin β visualises blocked network requests in the logger
These tools are useful for a quick check but do not capture cookies loaded by conditional or dynamically injected scripts.
3. Automated Scanners
An automated scanner crawls your site as a real visitor would β using a headless browser (Playwright or Puppeteer). It captures every cookie set, including those triggered after user interaction, and classifies them by category. This is by far the most reliable and comprehensive method.
That is exactly what PrivaGuard does: it analyses up to 500 pages of your site, detects active third-party scripts on the network, and produces a detailed nLPD compliance report.
What You Need to Do
Once you have identified your cookies, here are the actions to take:
-
Block third-party scripts on page load β replace your script tags with the PrivaGuard blocking syntax:
<!-- Before --> <script src="https://www.googletagmanager.com/gtag/js"></script> <!-- After (blocked until consent is granted) --> <script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js"></script> -
Categorise every cookie: "necessary", "functional", "analytics", or "marketing"
-
Implement a compliant consent banner β "Accept" and "Reject" must be given equal visual prominence
-
Document all cookies in your privacy policy with their purpose and retention period
-
Maintain a processing register listing third-party providers and their sub-processors
Identify every active third-party cookie on your website in seconds β no sign-up or installation required. PrivaGuard scans your site in depth and delivers a complete nLPD compliance report.