Cookie Banner 2025 What Swiss Website Operators Need To Know

Management Summary

Switzerland is tightening the requirements for cookie banners: New guidelines from the Federal Data Protection and Information Commissioner (FDPIC) have been in place since January 2025. Website operators in Switzerland must first obtain explicit consent from users for non-essential cookies (e.g. for tracking or advertising). The FDPIC guidelines clearly define what a legally compliant cookie banner looks like: It must provide users with understandable information, offer equivalent options (“Accept all” and “Reject all”), allow granular settings and enable consent to be revoked at any time. Dark patterns – i.e. manipulative designs that force users to agree – are expressly prohibited. Anyone who integrates third-party services such as analytics or social media plugins must include these services in consent management and obtain consent.

New data protection guidelines in Switzerland: What do they mean for your cookie banners? Find out which new rules will apply from 2025 and how to design cookie banners that are legally compliant and user-friendly.

Why are there new guidelines on the cookie banner?

Background: On September 1, 2023, the revised Data Protection Act (DSG) came into force in Switzerland.

This new law is based on European standards in many respects and strengthens the rights of users. In order to eliminate ambiguities in implementation, the FDPIC published guidelines in January 2025 that specify the data protection requirements when using cookies.

To date, the legal situation in Switzerland has not been as clear as in the EU: the Telecommunications Act (FMG, Art. 45c) has stipulated since 2007 that website visitors must be informed about cookies and an opportunity to object (opt-out) must be offered.

But whether an active opt-in (i.e. an explicit click on “Accept all” or something similar) is necessary has long been controversial. Many Swiss websites therefore dispensed with comprehensive cookie banners or only offered a message to click away.

With the new FDPIC guidelines, the regulations have now been tightened and adapted to those of the EU. Companies and website operators must now ensure that their consent management meets current requirements, otherwise they will face warnings or penalties.

What exactly do the new FDPIC guidelines regulate?

Clear rules: Which cookies require consent?

The guidelines initially distinguish between necessary and non-essential cookies.

Necessary cookies are essential for the operation of the website (e.g. login sessions, shopping cart, security functions). They may be placed without prior consent.

Non-essential cookies include all other cookies, in particular analysis, tracking and marketing cookies, that evaluate usage behavior for commercial purposes. Strict requirements apply here.

According to the FDPIC, non-essential cookies may only be set if there is a valid legal basis. Specifically, the guidelines state:

“Non-essential cookies may only be set if:

  • the person concerned has previously given their consent after informed consent and voluntary consent (opt-in),
  • or after careful consideration of interests, there is an overriding legitimate interest and the data subject is granted a clear and easily understandable right to object (opt-out) at any time.”

In other words: All personal data processing using cookies requires either the express consent of the user or a very well-founded reliance on legitimate interests.

Simply continuing to scroll or use the site is no longer enough – the FDPIC makes it clear that simply continuing to surf does not constitute valid consent. Users must agree through a conscious action (e.g. clicking “Accept”) for consent to be effective.

Profiling and tracking: Be particularly careful if the risk is high

Not all cookies are the same: the guidelines also differentiate tracking according to the risk of profiling. The FDPIC distinguishes between “normal” profiling and high-risk profiling.

Normal profiling: Processes user data, e.g. to personalize content or advertising. An opt-out offer is sufficient here – the user must be able to object if they do not want to.
Example: An online shop remembers products and recommends similar items – as long as no data is passed on to third parties, an objection option (opt-out) is sufficient.

High-risk profiling: This includes any tracking that intervenes intensively in the personality, e.g. cross-site tracking across different websites or the evaluation of sensitive personal data (such as health or financial data) to predict behavioral patterns.

In such cases, the FDPIC absolutely requires express consent (opt-in). This means: Such cookies may not be set without the active consent of the person concerned.

Example: The integration of an advertising tracker that tracks users across numerous websites and creates detailed personality profiles counts as high risk – here the visitor must agree in advance, otherwise the cookie remains deactivated.

In addition, with such high-risk processing operations, additional protective measures may be necessary, such as a data protection impact assessment in accordance with Art. 22 DSG.

Third-party cookies: shared responsibility

Particularly relevant for marketers: External services such as Google Analytics, Facebook Pixel, YouTube Embeds & Co. often set their own cookies. According to the FDPIC, anyone who integrates such third-party tools on the website shares responsibility for the resulting data processing.

The website operator decides which tools are used and thus enables the third-party provider to obtain data on his site.

In practice, this means that third-party cookies must also be integrated into the cookie banner. For example, if Google Analytics is embedded, no tracking may take place before the user has agreed to the service.

This is what a legally compliant cookie banner looks like

What exactly does a cookie banner have to offer in order for it to comply with the new Swiss requirements?

The FDPIC guidelines clearly state the must-haves and make it clear which dark patterns are inadmissible.

A legally compliant cookie banner must:

  • Provide information clearly and understandably – The user must understand at a glance, and in simple language, why cookies are used (purpose) and what happens to the data.
  • Offer real choices – An equivalent “Accept” and “Reject” button on the same level is mandatory.
    • Both options (accept/reject) must be equally eye-catching (same size, format, etc.).
  • Allow granular settings – Users should be able to select individual cookie categories (e.g. necessary, functional, statistics, marketing) or switch services on or off in a targeted manner.
    • Nobody should be forced to agree to everything or nothing.
  • Allow revocation at any time – It is not enough to display the cookie banner only on the first visit to a website. Users must be able to change or withdraw their consent at any time.

According to the FDPIC, the following practices are particularly inadmissible:

  • Pre-ticked boxes – The user must actively agree and not have to deactivate something first.
  • Misleading design – Any design that distorts the choice is prohibited, e.g. a huge green “Accept all” button, while “Reject” is hidden as a simple text link.
  • No way to “reject” – There must always be an option to reject the settings.

To illustrate, a positive example from practice:

[Figure: Example consent banner according to FDPIC guidelines.]

What do companies have to do now?

The new requirements are binding. The following to-dos should be addressed immediately to be on the safe side legally:

  • Record cookie inventory: Get an overview of which cookies your website sets. Which of these are technically necessary, and which are used, for example, for marketing, tracking or convenience? Document the purpose and duration of each cookie.
  • Update cookie banner: Adapt your cookie banners according to the FDPIC guidelines. Make sure they contain all the necessary buttons and information.
  • Implement settings for opt-in/opt-out: Set up a solution that gives users granular control over cookies.
  • Customize tracking scripts: Adjust the use of analytics, advertising and social media scripts so that they only load after approval. This may require technical intervention: for example, Google Analytics can be triggered via Tag Manager only with a consent query.
  • Update privacy policy: Update your privacy policy. List all the cookies and tools used there with their purpose, provider, duration and legal basis. Specify how users can revoke their consent. Transparency is very important and creates trust with website visitors.
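
The "only load after approval" step, sketched as an added example (not code from the FDPIC guidelines or from any consent tool): a small gate that every script has to pass through, using the four categories named in this article. The service names, URLs and the injected loadScript function are assumptions made for illustration.

```javascript
// Added example. Category names follow the article; services and URLs are constructed.
const CATEGORIES = ["necessary", "functional", "statistics", "marketing"];
const SERVICES = [
  { name: "session", category: "necessary", src: "/js/session.js" },
  { name: "analytics", category: "statistics", src: "https://analytics.example/a.js" },
  { name: "ad-pixel", category: "marketing", src: "https://ads.example/p.js" },
];

class ConsentGate {
  // loadScript is injected (hypothetical helper) so the gate is the only path by
  // which a tag can start; in a browser it would create a <script> element for src.
  constructor(services, loadScript) {
    this.services = services;
    this.loadScript = loadScript;
    this.loaded = new Set();
    // Nothing is pre-ticked: every non-essential category starts as false.
    this.consent = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  }

  // Called on page load, and again after every consent change.
  apply() {
    const started = [];
    const revoked = [];
    for (const s of this.services) {
      const allowed = this.consent[s.category] === true;
      if (allowed && !this.loaded.has(s.name)) {
        this.loadScript(s.src);
        this.loaded.add(s.name);
        started.push(s.name);
      } else if (!allowed && this.loaded.has(s.name)) {
        // A running script cannot be unloaded: report it so the caller can
        // delete its cookies and reload the page without it.
        this.loaded.delete(s.name);
        revoked.push(s.name);
      }
    }
    return { started, revoked };
  }

  // Only an explicit click handler calls this; scrolling or browsing on never does.
  setConsent(choices) {
    for (const c of CATEGORIES) {
      // Anything other than an explicit boolean true counts as a refusal.
      if (c !== "necessary") this.consent[c] = choices[c] === true;
    }
    return this.apply();
  }
  acceptAll() { return this.setConsent({ functional: true, statistics: true, marketing: true }); }
  rejectAll() { return this.setConsent({}); }
}
```

Wiring acceptAll and rejectAll to two equally prominent buttons, and setConsent to a settings dialog that stays reachable after the banner closes, covers the equivalent-choice and revocation requirements listed earlier.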

Conclusion

The FDPIC guidelines from January 2025 represent a turning point for consent management in Switzerland. From now on at the latest, data protection is no longer a “nice-to-have”, but rather a requirement in everyday digital business.

For website operators, this means critically examining existing cookie banners and implementing all FDPIC requirements. A user-friendly, legally compliant cookie banner also creates clarity and trust.

e-dialog office Vienna