Cookies aren’t just digital breadcrumbs; they’re essential tools that help businesses understand customers, personalise experiences, and drive growth. Whether it’s reducing cart abandonment, boosting content subscriptions, or improving user onboarding, smart cookie usage pays off.
But if you’re using cookies in Switzerland, there’s an important catch: staying compliant. The Swiss Data Protection Authority, FDPIC, published a 20-page cookie consent guide to clarify how businesses should achieve Swiss cookie compliance and ensure lawful cookie usage under the FADP. Don’t worry: this blog gives you the essentials in under 10 minutes, minus the legal jargon.
Understanding cookies, similar technologies, and tracking
Cookies are small text files that websites and authorised third parties store on users’ devices. They enable various functionalities, from remembering language preferences to tracking user behaviours. The FDPIC categorises cookies into:
- Session cookies: Temporary cookies that are deleted once a user closes their browser.
- Permanent cookies: Stored longer to recognise returning visitors and customise experiences.
- First-party cookies: Set directly by the website you’re visiting.
- Third-party cookies: Set by entities like advertisers or analytics providers, often tracking users across multiple websites.
Did you know?
Third-party cookies, set by entities like advertisers or analytics providers, typically involve more complex privacy implications, as they track users across multiple websites to build comprehensive profiles.
The FDPIC also identifies similar technologies, such as browser fingerprinting, pixels, and ID graphs, which affect user privacy in much the same way as cookies.
Legal framework for Swiss cookie consent: FADP and TCA
The Swiss cookie consent rules are rooted in the Federal Act on Data Protection (FADP) and the Telecommunications Act (TCA).
Switzerland’s data privacy law, the FADP, is the foundation of Swiss cookie compliance. While aligned with the GDPR, it includes specific rules for cookie consent in Switzerland, especially under the Telecommunications Act (TCA).
It strengthens the rights of Swiss users, mandates transparency in data handling, and lays the foundation for cookie compliance under Swiss law, including requirements for cookie banners, cookie consent, cookie policies and lawful processing of tracking technologies.
Notably, Article 45c of TCA requires businesses to inform website visitors about cookie usage, purposes, and methods to reject unnecessary cookies.

Who is responsible for Switzerland cookie compliance?
Website operators hold primary responsibility for cookie usage if the site is hosted in Switzerland or accessed by Swiss users.
Importantly, if third-party services (like social media buttons or embedded videos) are integrated, operators share joint responsibility with these third parties.
This means website operators must understand and transparently disclose all third-party data collection practices.
Compliance principles for Swiss cookie consent (FDPIC Update)
#1 Personal identifiability
The crux of cookie compliance in all countries, including Switzerland, hinges on personal identifiability. If a cookie or similar technology enables identification of a Swiss individual, even indirectly through additional data, it falls under the FADP’s scope.
For instance, storing a cookie to track newsletter subscription preferences for returning visitors transforms simple website analytics into protected personal data when associated with the subscriber’s email address.
Pro-tip
In case of doubt, always treat cookie data as personal data.
#2 Transparency and good faith
Businesses must clearly inform users about their cookie practices.
For this, simply having a privacy policy tucked away on a website isn’t sufficient. A layered approach, where key cookie information is presented upfront and additional detailed information is accessible through deeper links, ensures users can genuinely understand and control their data.

#3 Principle of proportionality
Only cookies necessary for website operation or essential services (like shopping baskets or security measures) can be considered proportionate and used without explicit consent.
Non-essential cookies, especially those facilitating user tracking or personalisation, need a careful balance of interests or explicit consent.
Balance of interests means carefully assessing whether a business’s need to use cookies outweighs potential privacy impacts on users.
How to handle non-essential cookies under Swiss cookie law (FADP and TCA)
Non-essential cookies are those that go beyond the basic functioning of your website. These include cookies for analytics, advertising, user tracking, and personalisation. Because they often collect personal data or build user profiles, Swiss law places stricter rules around when and how you can use them.
There are two legal pathways to use non-essential cookies under Swiss data protection law:
1. Justify use with an overriding private interest
Sometimes, you can use non-essential cookies without asking for consent if your business has a strong enough reason that legally outweighs the privacy impact on users. This is called an overriding private interest.
But the bar is high. To rely on this, you must show that:
- Your purpose is important and benefits users (e.g. improving website usability).
- There’s no less intrusive way to achieve the same goal (e.g. anonymised analytics).
- The privacy impact on users is minimal and acceptable.
What’s a private interest?
It’s your business objective—like measuring user engagement, testing new features, or helping customers finish purchases.
What makes it overriding?
Overriding private interests refers to situations where your business’s need to use certain cookies is so important, and the impact on user privacy so minimal, that you can legally use those cookies without getting explicit user consent.
There must be a fair balance between what you want to achieve and how much personal data you’re collecting. If there are milder means like anonymisation, you must use them.
Example:
You use cookies to analyse user behaviour on your site. If anonymised data gives you the insights you need, using personally identifiable tracking isn’t justified.
2. Rely on specific legal circumstances
Swiss cookie law outlines specific cases where your private interest might automatically be considered strong enough, but only if you meet strict conditions:
- Cookies for contract fulfilment
Cookies that assist users in completing transactions, such as remembering shopping cart items or delivery addresses, can qualify as an overriding private interest. Though not strictly essential, these cookies support the customer’s intent to purchase and may be permitted without requiring consent.
- Cookies for research or statistics
You may analyse website visitor behaviour for internal improvements, but only if you:
- Anonymise the data as soon as possible.
- Make sure third parties can’t link the data to individuals.
- Publish or share insights in a way that keeps users anonymous.
Example:
You use analytics tools to see which blog posts get the most views. The data is anonymised immediately and only used internally to improve content. This may be allowed under the law if all privacy conditions are met.
3. Always provide an opt-out option
Even if you believe your cookie use is justified by a private interest, you must still offer users the right to opt out (reject button). This is a legal requirement under Article 45c of the Telecommunications Act (TCA).
That means:
- Your cookie banner must clearly explain what’s being collected and why.
- Users must be able to refuse cookies easily—no dark patterns, no guilt trips.
- Consent withdrawal should be as simple as giving it.
When is consent mandatory under Switzerland’s cookie law?
Consent is required in certain scenarios, such as high-risk profiling or sensitive data usage. However, many non-essential cookies may still be justified based on overriding private interest, provided users are clearly informed and can opt out.
Example: Collecting precise location through cookies makes it sensitive and requires explicit consent.
If your cookie use involves any of the following, you must get users’ explicit, informed, opt-in consent, with no exceptions:
- High-risk profiling (like detailed cross-site tracking),
- Sensitive personal data, or
- Unexpected use (e.g. using tracking cookies on a charity site).
In summary, if you’re using non-essential cookies, ask yourself:
- Can I justify this without consent?
- Is there a less invasive way?
- Have I clearly informed users and offered a choice?
Important note
Even if your cookie use helps your business, it won’t count as an overriding interest if:
- It significantly breaches privacy,
- You’re sharing data with third parties without transparency,
- Or you’re using cookies for purposes users wouldn’t expect (like marketing on a charity site).
Therefore, if your cookie usage is optional, avoidable, or replaceable by a more privacy-friendly method, then you probably need to get users’ explicit consent.
Providing a clear and easy opt-out option (Reject button) is legally required under Article 45c TCA and does not alone justify cookie use unless the privacy impact is minimal.
But if the privacy risks are significant or unclear, it’s safer, and often required, to obtain explicit user consent instead.
CookieYes: #1 CMP for Swiss cookie compliance
One of the biggest challenges businesses face with cookie compliance is implementing a consent mechanism that users actually understand and trust.
Many sites still rely on confusing banners or pre-ticked boxes that fail to meet regulatory standards, putting them at risk of non-compliance. You may face the same problems when managing consent.
Consent under Swiss law must be informed, specific, and voluntarily given, meaning no dark patterns or pre-checked boxes.
That’s where a Consent Management Platform (CMP) like CookieYes comes in. It simplifies compliance by allowing businesses to:
- Display clear, customisable cookie banners aligned with GDPR, ePrivacy, and FDPIC rules.
- Obtain, manage, and securely store consent records.
- Store anonymised IP addresses to protect user privacy.
- Offer opt-in controls by cookie category.
- Automatically block non-essential cookies until the user consents.
With CookieYes, businesses can stop worrying about cookie compliance and focus on delivering great digital experiences, confident they’re doing it by the book.
Special considerations for personalised advertising under Swiss cookie law
Advertising cookies, especially those creating detailed user profiles across multiple websites (high-risk profiling), require explicit opt-in consent.
Example: Extensive cross-site user tracking by advertisers, combining user data from multiple platforms for targeted ads.
This comes with stringent cookie consent requirements:
- Normal profiling: Users must be provided with straightforward, immediate opt-out possibilities.
- High-risk profiling: Involves extensive user tracking and data linkage across multiple sites, necessitating explicit opt-in consent due to heightened privacy risks.
Cookie consent compliance checklist for Swiss businesses
#1 Classify your cookies
- Categorise cookies, for example as essential (e.g. login, load balancing, security), functional (e.g. remembering user settings), or analytics/marketing (e.g. user tracking, advertising).
- Justify the use of non-essential cookies based on user consent or an overriding private interest (must be carefully evaluated).
A cookie audit is recommended as the first step to ensure your site complies with the latest FDPIC cookie guidelines and meets all requirements under Swiss data protection law.
#2 Determine if consent is required
- Identify non-essential cookies (e.g. analytics, advertising, profiling).
- Confirm whether cookie usage involves personal data or profiling.
- Assess whether the cookie involves high-risk profiling or the processing of sensitive data.
#3 Display a compliant cookie banner
- Place the banner in a prominent position.
- Clearly differentiate between essential and non-essential cookies.
- Provide real opt-in choices (no pre-ticked boxes).
- Ensure opt-out is just as easy as opt-in (no dark patterns).
- Inform users that they can refuse or withdraw consent at any time.
- Provide a link to a full cookie policy from the banner.
#4 Timing of consent
- Delay activation of non-essential cookies until the user has explicitly opted in.
- For embedded third-party services (e.g. social media buttons, YouTube), ensure scripts do not run before consent (two-click solutions).
#5 Information transparency
- Inform users about:
- Who is collecting the data (identity of the controller)
- The purpose of each cookie
- Any third-party data recipients
- Data transfers outside Switzerland (if applicable)
- Use layered notices (e.g. summary on banner, full policy on separate page).
- Information must be clear, accessible, and written in plain language.
#6 Consent logging and privacy
- Log consents with partially masked IP addresses.
- Record the following:
- Consent status
- Timestamp
- Cookie categories accepted or declined
- Allow users to change or withdraw consent easily at any time.
#7 Cookie policy and settings
- Publish a detailed cookie policy describing all cookie types and purposes.
- Provide a cookie settings page where users can review and manage preferences.
Technical implementation of Swiss cookie consent guidelines for online privacy
Practically, compliance translates to clear, timely cookie banners that:
- Inform users precisely about cookie functions.
- Allow users to actively accept (opt-in) or reject (opt-out) non-essential cookies.
- Provide granular consent options rather than asking users to accept general clauses.
- Provide simple ways for users to manage or withdraw their consent at any point.
A two-click approach for third-party integrations (like social media plug-ins or analytics scripts) is strongly recommended—users are first informed, then actively opt in.
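As an added illustration of checklist items #4 and #6 and the two-click approach above (this is not CookieYes code or FDPIC text), the sketch below builds a consent log entry with a partially masked IP address and gates non-essential scripts on an explicit opt-in. The category names, record fields and mask widths (last IPv4 octet zeroed, first 48 bits of IPv6 kept) are assumptions chosen for the example.

```javascript
// Added example: category names, record fields and mask widths are assumptions.
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

// Partially mask an IP: zero the last IPv4 octet, keep the first 48 bits of IPv6.
function maskIp(ip) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) {
    return ip.split(".").slice(0, 3).concat("0").join(".");
  }
  if (!ip.includes(":")) throw new Error("unrecognised IP address");
  const [head, tail = ""] = ip.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  // Expand a "::" shorthand to the full eight groups before truncating.
  const pad = ip.includes("::") ? Math.max(0, 8 - h.length - t.length) : 0;
  const groups = [...h, ...Array(pad).fill("0"), ...t];
  if (groups.length !== 8) throw new Error("invalid IPv6 address");
  return groups.slice(0, 3).join(":").toLowerCase() + "::";
}

// Build the log entry: consent status, timestamp, categories accepted or
// declined, and the masked IP. Only an explicit boolean true counts as
// opt-in, so a missing or pre-filled non-boolean value is treated as declined.
function buildConsentRecord(choices, ip, now = new Date()) {
  const accepted = CATEGORIES.filter(
    (c) => c === "essential" || choices[c] === true
  );
  const declined = CATEGORIES.filter((c) => !accepted.includes(c));
  const status =
    declined.length === 0 ? "accepted" : accepted.length === 1 ? "rejected" : "partial";
  return { status, timestamp: now.toISOString(), accepted, declined, ip: maskIp(ip) };
}

// Gate for script loaders and two-click embeds: with no record yet (first
// visit), nothing beyond "essential" may run.
function mayLoad(category, record) {
  if (category === "essential") return true;
  return Boolean(record) && record.accepted.includes(category);
}

// Constructed sample: a visitor who opts in to analytics only.
const sampleRecord = buildConsentRecord({ analytics: true }, "203.0.113.77");
console.log(sampleRecord, mayLoad("marketing", sampleRecord));
```

Withdrawal is handled by writing a new record with the updated choices, so the gate reflects the latest decision on the next check.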
FAQs on Swiss cookie consent guidelines
Yes, but it depends on the type of cookie and how it’s used. Under Swiss law, consent is mandatory when:
- The cookie use involves high-risk profiling, such as tracking users across multiple websites or combining personal data from different sources.
- The cookies process sensitive personal data (e.g. health info, religious beliefs).
- The cookie usage is unexpected by users (e.g. commercial tracking on a non-profit or public service website).
For non-essential cookies that don’t fall into the above categories, you may justify their use without consent if you can demonstrate an overriding private interest, provided you clearly inform users about the cookies and offer a simple way to reject them (opt-out) as required by Article 45c of the TCA.
With the revised FADP and updated FDPIC cookie guidelines now in effect, businesses must prioritise cookie transparency, consent mechanisms, and lawful tracking practices.
Whether you operate within Switzerland or target Swiss users, staying compliant with Switzerland’s cookie consent laws is essential for avoiding regulatory risks and building user trust.
While the FADP aligns closely with the GDPR, there are key differences. Switzerland’s cookie law, governed by the TCA, allows some non-essential cookies based on an overriding private interest and opt-out mechanisms, whereas the GDPR typically requires explicit opt-in consent.
Businesses must adjust their cookie banners and privacy policies accordingly to avoid penalties.
Switzerland is not part of the European Union, so the GDPR doesn’t directly apply. However, Swiss businesses must follow the GDPR if they offer goods or services to people in the EU or monitor their behaviour online.