Skip to main content
Back to Guides
Compliance5 min read

Switzerland's Revised FADP: Cookie Consent in 2026

Switzerland isn't in the EU, and its cookie rules follow a different logic: risk-based, opt-out for low-risk cookies, opt-in for advertising and profiling. Here's how the revised FADP and the 2025 FDPIC guidance actually work.

Switzerland sits inside Europe geographically but outside the EU legally, and its cookie rules reflect that. The country runs its own regime under the revised Federal Act on Data Protection (revFADP, also called the nFADP), which entered into force on 1 September 2023. If you treat a Swiss audience exactly like an EU one you'll over- or under-comply in specific ways, so it pays to understand where the Swiss model diverges.

This guide explains how cookies are regulated under the revFADP, what the Swiss data protection authority expects in 2026, and the practical differences from the GDPR. If you've already built for the EU, most of your work carries over; this is about the deltas. For the wider picture beyond Europe, see our emerging-markets guide.

A Different Legal Starting Point Than the EU

The EU's cookie consent requirement comes from Article 5(3) of the ePrivacy Directive, a specific rule that demands prior consent before storing or reading almost anything on a device. Switzerland has no direct equivalent. There's no Swiss ePrivacy statute mandating blanket opt-in for cookies.

Instead, cookies are governed by two overlapping sources: the revFADP, which regulates the processing of personal data generally, and the Telecommunications Act, which historically allowed cookie use on an opt-out basis provided users are informed and can refuse. Because of this, Swiss law is built around a transparency-and-objection logic rather than the EU's strict prior opt-in default. That single structural difference drives everything else.

The FDPIC's Tiered, Risk-Based Model

The regulator is the Federal Data Protection and Information Commissioner (FDPIC). In January 2025 (updated in October 2025) it published cookie guidance that sets out a risk-based, tiered approach rather than a one-size rule:

  • Essential cookies: no consent needed, but they must be disclosed in your privacy policy.
  • Functional and analytics cookies: can generally operate on a simple opt-out basis, with clear information.
  • Advertising, profiling, and cross-site tracking cookies: the FDPIC expects explicit opt-in consent, functionally similar to the GDPR.

The FDPIC has also been clear that consent is only one possible legal basis; in some situations a controller may rely on an overriding private interest instead. But for high-risk tracking, particularly third-party advertising, the practical expectation in 2025 to 2026 has hardened toward genuine opt-in. See the FDPIC for its current guidance.

Fines Target Individuals, Not Companies

The revFADP's penalty design is one of its most distinctive features, and it surprises teams used to the GDPR. Criminal fines of up to CHF 250,000 are imposed on the responsible natural person, typically management or the decision-maker, not on the company as an entity, and only willful violations are punishable.

There's a narrow fallback: the company itself can be fined up to CHF 50,000 where identifying the responsible individual would take disproportionate effort. This is a deliberate contrast with the GDPR's corporate fines of up to 4% of global turnover. It changes the internal risk calculus, personal liability tends to concentrate the minds of the people who sign off on tracking. See this analysis of the revFADP sanctions.

Extraterritorial Reach and the EU Relationship

Like the GDPR, the revFADP reaches foreign organisations whose processing has an effect in Switzerland, so a non-Swiss website targeting Swiss users falls within scope. Controllers based abroad may need to appoint a Swiss representative in defined circumstances.

On data transfers, Switzerland benefits from an EU adequacy recognition, and the Swiss-U.S. Data Privacy Framework has provided a transfer route to certified U.S. companies since 2024, mirroring the EU-U.S. framework. In practice, if your transfer mechanisms already satisfy EU adequacy and the framework, the Swiss dimension is usually straightforward.

FADP vs GDPR: The Deltas That Matter

  • Default posture: the EU defaults to prior opt-in for non-essential cookies; Switzerland allows opt-out for lower-risk categories but expects opt-in for advertising and profiling.
  • Penalties: GDPR fines hit the company; revFADP criminal fines hit the responsible individual (up to CHF 250,000).
  • Trigger for enforcement: revFADP criminal liability generally requires willful conduct, not mere negligence.
  • Language: notices should be available in a relevant national language for your audience (commonly German, French, or Italian).
  • Convergence: despite the different structure, the FDPIC's expectations for high-risk tracking are moving closer to GDPR practice, so the gap is narrowing.

A Practical Approach for Swiss Traffic

You don't need a separate Swiss stack. The most efficient posture in 2026 is:

  1. Start from a GDPR-grade baseline. If your EU cookie compliance is solid, you already exceed the Swiss floor for essential and functional cookies.
  2. Keep opt-in for advertising and profiling. This is where Swiss expectations and EU rules now align, so a single opt-in flow for high-risk trackers covers both.
  3. Localise the notice. Present cookie information in the visitor's Swiss language and disclose essential cookies clearly in the policy.
  4. Honour objection reliably. The opt-out logic Switzerland leans on only works if refusal is easy and actually respected, the same equal-prominence discipline the EU demands.

How CookieBeam Handles Switzerland

CookieBeam's regional consent engine lets one banner apply Swiss-appropriate behaviour, opt-out for functional cookies, opt-in for advertising and profiling, localised text, without maintaining a parallel setup. The underlying consent record stays consistent and exportable, which matters when the person on the hook for a CHF 250,000 fine is an individual, not an abstract company. Verify the current FDPIC guidance and the revFADP text before you finalise, Swiss cookie expectations have been tightening year on year, and this guide reflects the position as of mid-2026.

Switzerland nFADP Cookie Consent 2026: The revised FADP Explained | CookieBeam | CookieBeam