FADP

Federal Act on Data Protection (Bundesgesetz über den Datenschutz / Loi fédérale sur la protection des données)

Flag of CH
SwitzerlandOpt-inNational
Back to Regulations Guide

Key Facts

Effective Date
September 1, 2023
Enacted
September 25, 2020
Enforcing Authority
FDPIC (Federal Data Protection and Information Commissioner / EDÖB)
Consent Model
Opt-in
Applies To
Any organization processing personal data of individuals in Switzerland

Overview

Switzerland has no cookie-specific legislation equivalent to the EU ePrivacy Directive. Instead, the FDPIC published cookie guidelines in January 2025 (updated October 2025) under the revised FADP, establishing a distinctive tiered consent model that differs from the EU's blanket opt-in approach.

What This Means for Your Website

  • Essential cookies require no consent but must be disclosed in your privacy policy
  • Functional cookies may use a simple opt-out mechanism
  • Advertising and profiling cookies require explicit opt-in consent
  • Continuing to browse is NOT valid consent
  • Unlike the EU, legitimate interest balancing may justify some non-essential cookies under Swiss law
  • Penalties target individuals (up to CHF 250,000), not companies — an unusual criminal enforcement model

Key Requirements

The FDPIC issues orders but cannot impose fines directly — cantonal criminal enforcement handles penalties. Fines target responsible individuals (up to CHF 250,000) rather than companies (capped at CHF 50,000). The January 2025 cookie guidelines provide the most specific guidance on how Swiss law applies to cookies, with the tiered model reflecting Switzerland's pragmatic regulatory approach.

How ConsentStack Handles This

ConsentStack applies Switzerland's tiered consent model for Swiss visitors: essential cookies load with disclosure, functional cookies offer opt-out, and advertising/profiling cookies require explicit opt-in consent.

Penalties

Criminal fines: up to CHF 250,000 (individuals). Company fines: up to CHF 50,000.

Maximum Fine
CHF 250,000 per violation

Key Requirements

  • Essential cookies: no consent required but must be disclosed in privacy policy
  • Functional cookies: simple opt-out acceptable
  • Advertising and profiling cookies: explicit consent required
  • Continuing to browse is NOT valid consent
  • Legitimate interest balancing may justify some non-essential cookies

Notable Provisions

  • Penalties target individuals, not companies (criminal enforcement model)
  • FDPIC cookie guidelines published January 2025, updated October 2025
  • Legitimate interest can justify some non-essential cookies (unlike EU)
  • No cookie-specific legislation

Other Europe Regulations

GDPREuropean Union + EEA
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECRUnited Kingdom
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
ePrivacy DirectiveEuropean Union + EEA
Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.
FDPAFrance
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.
UK GDPRUnited Kingdom
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.
TDDDGGermany
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does Switzerland have a cookie law?

Not specifically. Switzerland has no ePrivacy equivalent, but the FDPIC published cookie guidelines in January 2025 under the FADP that establish a tiered consent framework.

Can legitimate interest justify cookies in Switzerland?

Yes, unlike the EU. Swiss law allows legitimate interest balancing to justify some non-essential cookies. However, advertising and profiling cookies still require explicit consent.

What are the cookie penalties in Switzerland?

Penalties target individuals (up to CHF 250,000), not companies. This unusual criminal enforcement model means personal liability for responsible persons.

How does Swiss cookie law differ from GDPR?

Switzerland uses a tiered model (disclosure/opt-out/opt-in by cookie type) rather than blanket opt-in. Legitimate interest is available for some cookies. Penalties target individuals, not organizations.

Stay compliant with FADP

ConsentStack helps you implement Opt-in consent for Switzerland automatically.

Get started free