Switzerland updates data protection guidelines on cookie use

The Swiss Federal Data Protection and Information Commissioner (FDPIC) has published an updated version of its Guidelines on Data Processing Using Cookies and Similar Technologies, clarifying how the Federal Act on Data Protection (FADP) and the Telecommunications Act (TCA) apply to online tracking practices. The revised version, dated 6 October 2025, expands on earlier provisions issued in January 2025 and introduces additional explanations on user consent, third-party responsibility, and the handling of so-called ‘cookie paywalls.’

The guidelines provide a legal framework for how website operators and online service providers in Switzerland may use cookies, pixels, browser fingerprinting, and comparable technologies. It specifies when such technologies involve the processing of personal data and under what circumstances consent or opt-out mechanisms must be implemented.

Legal foundation

The guidelines are grounded in two key laws: Article 45c of the Telecommunications Act, which regulates the storage of cookies on user devices, and the Federal Act on Data Protection, which governs all forms of personal data processing. Together, they require website operators to inform users about tracking technologies, their purposes, and the right to refuse data processing. Violations of Article 45c may lead to fines of up to CHF 5,000.

The FDPIC emphasises that both private controllers and federal authorities must respect the principles of lawfulness, proportionality, transparency, and data minimisation. Processing personal data through cookies without meeting these standards may constitute a breach of an individual’s personality rights under Article 30 FADP.

When cookies count as personal data

The document explains that even identifiers that do not include names – such as advertising IDs or device numbers – can make users identifiable when combined with other data. In cases where it is unclear whether a person could be identified, the FDPIC advises assuming that personal data are being processed and recommends conducting a data protection impact assessment.

Cookies that are technically necessary for a website’s basic functions – such as login sessions, language preferences, or shopping baskets – are considered lawful without consent. Other cookies used for analytics, advertising, or personalisation fall into the category of non-essential cookies and require either a user’s explicit consent or a clear option to refuse them.

Third-party responsibility

The guidelines underline that website operators share responsibility with embedded third parties, such as analytics providers or social media plug-ins, when these services collect data through cookies. Operators must ensure that visitors are informed about the data collection, the purposes of processing, and how to exercise their rights. They cannot assume that liability rests solely with the external service provider.

Consent and user rights

The FDPIC reiterates that valid consent must be informed, specific, voluntary, and capable of being withdrawn. Consent banners should appear before any non-essential cookies are activated, and users should be able to easily revoke their choice at any time. The use of design techniques that pressure users into acceptance—often referred to as ‘dark patterns’ – renders consent invalid.

A new section addresses ‘cookie paywalls,’ where users can either agree to tracking or pay a fee for access. According to the FDPIC, this practice is lawful only if the fee is proportionate and does not undermine the user’s fundamental right to data protection.

Advertising and profiling

The guidelines distinguish between standard advertising profiling and high-risk profiling. Ordinary profiling, such as tailoring ads based on browsing activity on one website, may be permitted with an opt-out option. High-risk profiling—such as cross-site tracking and real-time bidding involving sensitive data—requires explicit consent and prominent notice to users.

Implementation and compliance

The revised version provides additional detail on how privacy notices should be structured and displayed. It recommends a layered information model, where essential information is shown first, with more detailed explanations available through additional links. Cookie banners should be clear, accessible, and proportionate to the level of data intrusion.

By aligning national practice with European data protection standards, the FDPIC aims to ensure consistent interpretation of Switzerland’s data protection law in the context of online tracking. The 2025 update closes interpretive gaps on joint responsibility, consent mechanisms, and the treatment of free services financed through targeted advertising.

The full text of the guidelines (version 1.1, 6 October 2025) is available on the FDPIC website.