Note: This page reflects the FDPIC cookie guidelines v1.1 (January 22, 2025; clarifications added October 6, 2025) and the February 3, 2025 publication announcement.
On February 3rd, 2025, the Swiss Federal Data Protection and Information Commissioner (FDPIC) released new guidance on cookie usage in Switzerland. While this is not legally binding, it provides insight into the authority’s intended direction and the future of cookie consent practices in the country.
Legal Foundations
Swiss cookie regulations are primarily governed by two laws:
These laws form the basis for the authority’s stance on cookies and their implementation on websites.
Consent and Legal Bases
The FDPIC clarified that while consent is one legal basis for cookie processing, companies can also rely on overriding private interests in certain situations. This approach differs from the strict consent requirements of the EU’s GDPR.
Cookie Categories
The guidance classifies cookies based on their necessity:
Here’s a breakdown of key points:
Consent vs. Other Legal Bases
The authority clarified that while consent is one legal basis for cookie processing, companies can also rely on overriding private interests in certain situations. This is a significant difference from the strict consent requirement seen in the EU’s GDPR and might affect how CMPs are implemented in Switzerland.
Key Takeaway: Under Swiss law, companies can rely on overriding private interests as a legal basis for certain cookie uses, but non-essential cookies (including functional enhancements and analytics) still require justification along with a clear, immediate opt-out. Express consent is needed in higher-risk scenarios.
Prior Blocking Not Always Required
Functional enhancements and analytics are non-essential unless strictly necessary to provide the requested service. In Switzerland, non-essential cookies require justification via overriding interests with a clear, immediate opt-out, or express consent in higher-risk scenarios (e.g., high-risk profiling, sensitive data, unexpected uses).
Before users can see information and exercise opt-out via a control, use must be limited to necessary cookies only. Non-essential cookies (including analytics) should not run until the control is available; where consent is required, implement a two-click pattern and block until users opt in.
Key Takeaway: Do not run non-essential cookies until a privacy control is available for the user. Where consent is required, block until the user opts in. Assess each cookie category and apply the appropriate legal basis.
If you rely on research or statistics to justify analytics, anonymize data as soon as the purpose permits (usually immediately). If you use external tools, make sure they act exclusively as processors and do not reuse data for their own purposes.
Opt-Out and Withdrawal Mechanism
The guidance clearly states that companies must provide users with an easy way to withdraw consent or opt out. Under Swiss law, the opt-out principle is fundamental, meaning that prior opt-in does not override the right to opt out. This distinguishes Swiss regulations from those in the EU and ensures ongoing compliance with privacy requirements.
Key Takeaway: Ensure that your CMP offers an intuitive, accessible mechanism for users to withdraw consent, opt out or adjust cookie preferences at any time.
Dark Patterns Prohibited
The Swiss authority follows EU guidelines by prohibiting dark patterns, which are manipulative designs that trick users into consenting to data processing. CMPs must be designed with transparency and simplicity, avoiding confusing or coercive tactics.
Key Takeaway: When designing your CMP, avoid using misleading language or designs that might pressure users into accepting cookies.
When express consent (opt-in) is required
Express consent (opt-in) is required when non-essential cookies are used in high-risk profiling, for sensitive data, or in unexpected contexts (e.g., political, union, or religious content). Federal bodies must obtain consent even for “normal” profiling.
Embedded third-party services
When embedding third-party services (e.g., social plugins or videos), the third party collects data for its own purposes. The website operator and third party can be jointly responsible for this collection. Provide prominent information, consider a two-click activation, and obtain consent if the use is qualified or high-intrusion.
CMP UI Considerations
The guidance does not delve deeply into the specifics of CMP user interface design but highlights that any solution must align with these principles. Companies have some flexibility in how they implement CMPs, but they must ensure compliance with the general principles of transparency, simplicity, and user control.
What Should Companies Do Next?
While the Swiss authority’s guidance provides more flexibility in CMP implementation, it’s crucial to remember that the guidance is not binding. With the guidelines now available, it’s the right time for companies to consider implementing a CMP.
To align with the FDPIC’s guidance, companies should:
Companies retain autonomy in their approach to cookie consent management and should stay informed of evolving regulations to ensure compliance and maintain user trust.