
Swiss Authority’s New Cookie Guidelines: What You Need to Know

On February 3rd, 2025, the Swiss Federal Data Protection and Information Commissioner (FDPIC) released new guidance on cookie usage in Switzerland. While this is not legally binding, it provides insight into the authority’s intended direction and the future of cookie consent practices in the country. 

Legal Foundations

Swiss cookie regulations are primarily governed by two laws:

  • Telecommunications Act (FMG/TCA): Requires websites to inform users about cookies and offer an opt-out option.
  • Federal Act on Data Protection (DSG/FADP): Effective from September 1, 2023, it emphasizes transparency, proportionality, and justification for data processing.

These laws form the basis for the authority’s stance on cookies and their implementation on websites.

Consent and Legal Bases

The FDPIC clarified that while consent is one legal basis for cookie processing, companies can also rely on overriding private interests in certain situations. This approach differs from the strict consent requirements of the EU’s GDPR.

Cookie Categories

The guidance classifies cookies based on their necessity:

  • Technically Necessary Cookies: Essential for website functionality, such as shopping cart features, user input handling, login authentication, language preferences, load balancing, CAPTCHA, and storing cookie consent preferences. These are generally considered proportionate and do not require explicit consent.
  • Non-Necessary Cookies: Used for tracking, analytics, and marketing purposes. These require justification through overriding interests or explicit consent, especially when involving high-risk profiling or sensitive data processing.

Here’s a breakdown of key points:

Consent vs. Other Legal Bases

The authority clarified that while consent is one legal basis for cookie processing, companies can also rely on overriding private interests in certain situations. This is a significant difference from the strict consent requirement seen in the EU’s GDPR and might affect how CMPs are implemented in Switzerland.

Key Takeaway: CMPs may accommodate scenarios where companies rely on private interests rather than consent for specific cookie categories, especially functional cookies and basic analytics, though this is context-dependent.

Prior Blocking Not Always Required

The guidance notes that in some cases, prior blocking of cookies may not be necessary, particularly for cookies deemed essential, such as functional or basic analytics cookies. This could offer flexibility in implementation for companies operating in Switzerland.

Key Takeaway: Companies should assess the type of cookies they use and determine whether prior blocking is needed, keeping in mind that the guidance suggests a more flexible approach than the EU standards.

Opt-Out and Withdrawal Mechanism

The guidance clearly states that companies must provide users with an easy way to withdraw consent or opt out. Under Swiss law, the opt-out principle is fundamental, meaning that prior opt-in does not override the right to opt out. This distinguishes Swiss regulations from those in the EU and ensures ongoing compliance with privacy requirements.

Key Takeaway: Ensure that your CMP offers an intuitive, accessible mechanism for users to withdraw consent, opt out or adjust cookie preferences at any time.

Dark Patterns Prohibited

The Swiss authority follows EU guidelines by prohibiting dark patterns, which are manipulative designs that trick users into consenting to data processing. CMPs must be designed with transparency and simplicity, avoiding confusing or coercive tactics.

Key Takeaway: When designing your CMP, avoid using misleading language or designs that might pressure users into accepting cookies.

CMP UI Considerations

The guidance does not delve deeply into the specifics of CMP user interface design but highlights that any solution must align with these principles. Companies have some flexibility in how they implement CMPs, but they must ensure compliance with the general principles of transparency, simplicity, and user control.

What Should Companies Do Next?

While the Swiss authority’s guidance provides more flexibility in CMP implementation, it’s crucial to remember that the guidance is not binding. With the guidelines now available, it’s the right time for companies to consider implementing a CMP.

To align with the FDPIC’s guidance, companies should:

  • Assess Cookie Usage: Determine which cookies are necessary and which require consent or justification.
  • Optimize CMPs: Ensure CMPs accommodate scenarios where overriding private interests are the legal basis and provide clear opt-out options.
  • Avoid Dark Patterns: Design cookie banners that prioritize user choice and transparency.
  • Provide Withdrawal Mechanisms: Allow users to easily withdraw consent, opt out or adjust cookie preferences at any time.

Companies retain autonomy in their approach to cookie consent management and should stay informed of evolving regulations to ensure compliance and maintain user trust.