The FDPIC recently published on its website a new version, dated January 22, 2025, of its guidelines on data processing using cookies and similar technologies. An announcement is still pending.
The guidelines had been awaited for a long time, and drafting them was not easy given the variety of technologies used for tracking. In terms of content, some of the guidelines are not surprising, but some are very surprising indeed.
The FDPIC essentially demands the following:
| Requirement | Validity | Implementation |
|---|---|---|
| Information | All cookies processing personal data; increased requirements for sensitive processing | Privacy policy with link in the footer |
| Right of objection | All non-essential cookies for which consent is not required | Right to object, technically exercisable at any time (banner/consent management) |
| Consent | Non-essential cookies that qualify as unexpected | Opt-in, if necessary by confirming a pre-ticked checkbox; ongoing revocation option (banner/consent management) |
| Explicit consent | Cookies that process particularly sensitive personal data or carry out high-risk profiling (federal bodies: any profiling) | Active opt-in (no pre-ticked checkbox); ongoing revocation option (banner/consent management) |
The guidelines are therefore less strict than the approach in Europe, which requires consent more extensively, but they read like the closest possible approximation to European cookie law and, above all, the GDPR that is still compatible with the FADP with a little “legal imagination” (to quote the FDPIC). The guidelines are not binding, but they show the FDPIC’s ambition to enforce its own view of correct data protection. In practice, the guidelines will probably only lead to an increase in cookie banners, which are already (too) widespread.
Relevant legal bases
The guidelines are based on the FADP, but also refer to Art. 45c TCA, the only explicit Swiss regulation on cookies.
For cookies, i.e. for the processing of data on third-party devices, Art. 45c TCA requires only that users be informed of this processing and its purpose and that they can “refuse” it. In practice, this is understood to mean that a relatively general notice indicating the possibility of refusal is sufficient (e.g. by referring to the setting options in the browser) and that consent is not required.
This relatively liberal regulation raises the question of whether Art. 45c TCA is a lex specialis that supersedes the FADP. The FDPIC denies this:
In other words, Art. 45c TCA represents a special statutory, public-law norm for otherwise unnoticed “telecommunication” processes, which, as a norm of the Confederation’s special data protection law, must be complied with cumulatively with the general data protection law of the DSG.
This is hardly wrong. On the one hand, the FADP remains applicable in addition to special statutory provisions, and on the other hand, Art. 45c TCA is probably not a data protection provision (even if this is not clear).
Subject
The guidelines apply in a technology-neutral manner to cookies and other tracking technologies (e.g. fingerprinting, pixels). Although not explicitly mentioned, they should also apply to apps. They contain no direct references to programmatic advertising.
Setting the course I: Concept of personal data
The guidelines can only be applied to personal data. In the past, the FDPIC has been extremely strict in this regard – in fact, he has repeatedly let singularization suffice in place of identification (e.g. in the clarification of the facts in the Ricardo/TX Group case and in the Digitec Galaxus case).
He now moves away from this, and this has significance far beyond the guidelines. It is, however, an open question in the doctrine whether singularization can suffice. For this statement the guidelines cite three opinions: that of David Rosenthal, according to which singularization is not sufficient; that of Philipp Glass, who, as far as can be seen, only uses singularization as an indication of a personal reference; and that of the Austrian data protection authority.
Rather, the guidelines rely on the Logistep judgment, still one of the leading judgments on this issue (alongside the judgment of the HGer ZH, HG190107‑O, dated May 4, 2021). A personal reference therefore presupposes that identification is possible, i.e. that a body with access to the data can carry out the identification without excessive effort, and that it has an interest in undertaking this effort.
The FDPIC agrees with this. A cookie or the information associated with it is personal “at the latest” when the operator of the website or an integrated third party can link data to a specific person on the basis of a login or “comparable online identifiers”. There is certainly nothing to object to here. However, the following points are interesting:
- The guidelines read as if UIDs or Ad IDs, i.e. identification numbers associated with a mobile device, are always personal (“a personal reference can exist on the one hand if the processed information itself has an identifying characteristic (e.g. the unique user ID for Android or Ad ID for Apple devices)”). This does not hold, because the question is not whether Apple or Google can do anything with this number, but whether the operator of the website can.
- The FDPIC refers to a remark by the Federal Supreme Court in Logistep: if A discloses data to B that is personal only for B, the FADP is applicable to both A and B. Although the Federal Supreme Court said this in Logistep (presumably because only the sender was in Switzerland), it is wrong because it contradicts the relative approach. If the operator of a website discloses data to a third-party provider that is personal only for the latter, the operator is not covered by the FADP.
Setting the course II: Responsibility
In principle, the operator of the website will be the data controller under data protection law (which may raise questions in the group context; the guidelines do not comment on this).
However, in its Fashion ID decision the ECJ recognized joint responsibility where the operator gives a third party the opportunity, for example via a social plugin, to collect data from visitors to the website (for this collection process, not for the subsequent processing). The FDPIC adopts this case law. He even quotes the ECJ, but without asking whether this case law can and should be adopted at all:
The website owner, in turn, only enables the third party to obtain data by integrating the third-party service on its website (means), even if it has little or no influence on the downstream data processing. It follows that joint or shared responsibility must be assumed for the process of data collection by the third party (as processing within the meaning of Art. 5 lit. d FADP) via the website.
It is one thing to hastily resort to the GDPR when it comes to the question of joint responsibility. The other, however, is the question of what consequences this has. Unlike Art. 26 GDPR, the FADP does not require a contract between the joint controllers. But:
Since the website operator has control over which third-party services are integrated, it cannot assume that its responsibility ends where the terms of use of third parties apply.
This contradicts the delimitation of the area of joint responsibility, which is limited to the process of third-party procurement or disclosure to the third party and does not include the subsequent processing. But:
[The operator] is responsible for ensuring that the website complies with data protection regulations. It must therefore inform itself about the data processing of the integrated third-party services and ensure that the requirements of the law are complied with. In particular, the website operator must ensure that all information obligations towards the website visitors concerned are fulfilled.
The operator should therefore apparently bear overall responsibility for “the website” and therefore have to require the (usually foreign) third party to also comply with the FADP. There is no basis for this, especially outside the narrow scope of any joint responsibility.
Setting the course III: Proportionality
The guideline essentially contains a data protection check, i.e. it follows the usual check pattern of information – processing principles – justification.
On proportionality, the FDPIC maintains his frequently expressed opinion that proportionality is measured not by the purpose freely chosen by the controller, but by an abstract purpose, which is therefore determined by the FDPIC. If processing exceeds the corresponding framework, the FDPIC classifies it as disproportionate.
Accordingly, only the use of necessary cookies is proportionate. The FDPIC lists the following purposes as examples:
- Shopping cart cookie
- Temporary storage of information in an online form
- Login
- Language selection
- Cookie opt-in and cookie opt-out
- Load distribution (“load balancing”)
- Prevention of brute force attacks
- Captchas
- Prevention of website overload
The use of all other cookies, i.e. cookies that are not necessary in this sense, would be disproportionate.
This is wrong, not because this opinion is inconvenient – which it is – but because it contradicts the essence of data protection law. Data protection law and therefore the FDPIC do not determine purposes. The FAC has clearly stated this (in the Helsana ruling, E. 5.4.3):
Moreover, from a systematic point of view, the Data Protection Act does not in principle specify the purposes for which personal data may or may not be processed.
With this stance, the FDPIC is arrogating to itself the powers of the economic police. Dogmatically, this view could only be saved by examining proportionality in the narrower sense, i.e. reasonableness (whereby one would have to ask whether this applies in the private sector). The use of cookies that are not necessary in the sense of the FDPIC would therefore simply have to be unreasonable for it to be considered disproportionate. However, there is nothing about this in the guidelines.
It is correct that the controller is free to determine the purposes of a website itself. If these purposes require the use of additional cookies, this is permissible and proportionate. If such cookies are not wanted, they would have to be prohibited by special legislation.
It is also interesting to note that the operator must
ensure that the use of cookies is limited to the minimum necessary for the intended purpose by means of appropriate buttons with suitable default settings in accordance with Art. 7 para. 3 FADP.
That is not the case. “Privacy by Default” never requires that buttons be provided. Only if the controller designs processing operations as optional variants and also gives the data subject the opportunity to choose between these variants must it choose the data-sparing default setting (and only if it is effectively a matter of a choice and not merely the exercise of the right to object, which exists anyway; because the latter always exists, applying privacy by default to cases of objection would ultimately mean requiring consent for all non-mandatory processing operations).
Consequence: Need for justification
Because the FDPIC classifies the use of cookies that are not necessary in his view as disproportionate, this requires justification (Art. 30 FADP). As the law is unlikely to be a justification in the vast majority of cases, the overriding interest and consent come into question (Art. 31 para. 1 FADP).
Option 1: Principle – overriding interests
Whether the aforementioned use is justified by overriding interests is a question of case-by-case examination. However, the guidelines take a more schematic approach to this examination:
Right of objection (opt-out)
First of all, a right to object must always be granted. For the FDPIC, this follows not only from the fact that otherwise no overriding interest could apply – the guidelines are clearly of this opinion – but also from Art. 45c TCA. This right to object must obviously be technically facilitated.
The following comments apply:
- Unlike the GDPR, the FADP does not contain a requirement to simplify the rights of data subjects, including the right to object. There is no legal basis for the general requirement of technical facilitation.
- If the interests in data processing could only prevail under this condition, the legislator could and should have written it into Art. 31 para. 2 FADP.
- The right to object is a statutory right (Art. 30 para. 1 lit. b FADP). However, the law is deemed to be known, as Art. 20 para. 1 lit. b FADP proves. Data subjects are therefore aware of the right to object.
- Art. 45c TCA does not prescribe any technical operationalization of the right to object.
- There is already a technical right of objection: the browser settings. However, they are not comprehensive; browser settings, for example, can do little to prevent fingerprinting (apart from blocking the execution of scripts that cause fingerprinting and auxiliary measures such as deleting cookies, using a VPN, etc.).
The FDPIC could therefore actually only demand a technical implementation of the right to object on the basis of good faith and then only in individual cases.
Cases of overriding interest
When the interests in the use of cookies prevail is, as mentioned, a question of the individual case. However, Art. 31 para. 2 FADP provides for cases that indicate such an overriding interest. The FDPIC addresses two cases here:
- Connection with a contract: One example is the somewhat cryptic case of an online store cookie “serving commodities such as home deliveries based on address data” (?).
- Statistics: Here, the FDPIC reiterates the requirements of Art. 31 para. 2 lit. e FADP (early anonymization, no disclosure of particularly sensitive personal data, no publication of personal data). Examples include statistics on the use of the website.
Option 2: Consent (exception in three constellations)
Requirement
In three constellations, according to the FDPIC, the interests in the use of non-essential cookies cannot prevail, not even with a right to object:
- Unexpected cookies: if the purpose of the cookie stands in “obvious contrast to the purposes of the main personal data processing”. Examples:
- the use of “cookies for the linking and marketing of address and telephone data” (?) “for the website-supported provision of charitable or friendly services or for certain online games”;
- Cookies with commercial purposes on websites with sensitive content of a political, trade union or religious nature. Why an opt-out right on the website of the Green Party, for example, is not sufficient, however, remains an open question, as does the question of whether fundraising by an NGO constitutes a commercial purpose.
- High intensity of interference: if particularly sensitive personal data are processed via the cookie, or high-risk profiling is carried out, and/or corresponding data are passed on. (This also applies if such operations are “expected on the basis of general public opinion”.)
Requirements for effective cookie consent
The following requirements for effective consent can be found in the guidelines:
- Explicitness:
- This is only required for particularly sensitive personal data, for high-risk profiling and – in the case of federal bodies (including health insurance funds or pension funds in the mandatory provisions) – for any profiling with cookies. For example, ticking a clear checkbox is sufficient.
- If no explicitness is required, the checkbox may also be pre-ticked (but must then be confirmed, otherwise there is no active action – e.g. by clicking away the corresponding banner).
- Information:
- Information should be provided on what processing is to take place and for what purposes, and possibly also on the risks for the data subjects if they consent (in the case of increased risks). The guidelines do not contain any specifics in this regard.
- If children are among the addressees of the website, the declaration of consent must also be written in simple and (for them) unambiguous language.
- Determination:
- The object of the consent must be sufficiently clear. For example, “marketing purposes” is not clear enough.
- However, it is not clear why the person concerned cannot make much sense of this. In any case, anyone who does not understand such an expression will certainly not consent, which is why a broad formulation does not harm consent, but at most the consent rate.
- Voluntariness: This is lacking in two cases:
- when using “Dark Patterns”, but also with a “Nudging”. The latter goes too far – anyone who sees a green OK button and a gray “Reject” button is rightly annoyed, but this hardly makes consent involuntary (if it did, clicking on it could then no longer be considered a declaration of consent at all, but such a conclusion would probably contradict reality).
- Coupling: Consent is also involuntary if it is a condition for access to the website or the service provided through it and waiving that access is unreasonable. This is the case, for example, with a “dominant online retailer”, an “online job portal” or a “social network”. The use of such websites must therefore also be possible without cookies that require consent, i.e. cookies that are unexpected, use particularly sensitive personal data or lead to high-risk profiling (all other non-essential cookies can be justified by overriding interests, which is why the question does not arise).
- Revocability: Consent is revocable by law. Nevertheless, the operator must “offer a simple option” to exercise the right of revocation. This, too, is ultimately an import from the GDPR.
Personalized advertising
The guidelines devote a separate chapter to this topic (point 3.11). In substance, however, it amounts to the same as the more general information:
- Normal profiling: Here, at least the right to object must be granted, which means that an overriding interest can be used here (exception: federal bodies).
- Profiling with high risk: Explicit consent is required here. High-risk profiling occurs when profiling leads to a personality profile. Indications of this for the FDPIC are the participation of actors from different sectors, the consideration of personal data over a longer period of time and the inclusion of public data and data from third-party providers.
Information requirements
The guideline contains information obligations in various places:
- First level: privacy policy:
- First of all, in the case of cookies – even necessary ones, but only insofar as personal data is processed – information must be provided in accordance with Art. 19 et seq. FADP. This information must be provided “appropriately”. It is therefore not sufficient to place it in just any section of the website. The FDPIC calls for an easy-to-find link, e.g. in the footer, which also corresponds to practice.
- The privacy policy must always follow the layered approach: the most important information first, followed by further details if required. Again, there is no basis for an absolute requirement for such a procedure (apart from the fact that a table of contents could suffice).
- And who is the information for? The guidelines are not comprehensible here:
A privacy policy that is drafted according to this approach allows, for example, the persons concerned to obtain all essential information in summarized form at a glance, and specialists, investigative journalists and supervisors with more extensive information requirements to obtain detailed legal and information technology information by calling up a further level.
Apparently, data protection declarations are not only drawn up for data subjects, but also for the FDPIC and even for Adrienne Fichter and other investigative journalists.
- Second level: cookie banner:
- A cookie banner, and more precisely a consent management platform (CMP), is required by the guidelines only, but always, in the case of non-essential cookies, because here the controller must provide the “right of objection against the use of non-essential cookies on the website in a prominent place” (the guidelines do not specify whether this applies on every visit). In addition, the “degree of conspicuousness” must correspond to the “unusual nature of the cookie use in question”.
- Insofar as consent is required (see above), the data subject’s right of revocation must be clear, and then “with particular clarity” and “in a prominent position”, and here on every visit.
- Cookies may be set at the beginning of the visit, unless of course they are based on consent.
- If the controller works with a right of objection (opt-out) for certain cookies and with consent (opt-in) for others, the data subject must be able to clearly recognize which applies to which cookies.
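The tiers of the requirement table at the top and the banner rules in this last section can be expressed as a small decision helper. The following JavaScript is an added example written for this post, not code from the FDPIC or from any CMP vendor; the tier names, the cookie catalogue and the state fields are all hypothetical.

```javascript
// Added example (not from the post or the FDPIC): consent-tier decision helper
// for the four tiers information / objection / consent / explicit consent.
const TIER = Object.freeze({
  NECESSARY: "necessary", // proportionate per se: no objection, no consent needed
  OPT_OUT: "opt-out",     // overriding interest; right to object must be exercisable
  OPT_IN: "opt-in",       // "unexpected" cookie; pre-ticked box tolerated if confirmed
  EXPLICIT: "explicit",   // sensitive data / high-risk profiling; active tick required
});

// Constructed cookie catalogue for a fictional shop site (hypothetical names).
const CATALOGUE = Object.freeze({
  cart: { tier: TIER.NECESSARY },
  lang: { tier: TIER.NECESSARY },
  stats: { tier: TIER.OPT_OUT },
  partner_ads: { tier: TIER.OPT_IN },
  health_profile: { tier: TIER.EXPLICIT },
});

// Per-cookie visitor state as a CMP would record it (hypothetical fields):
//   objected  - visitor exercised the opt-out
//   preTicked - the consent box was presented already ticked
//   confirmed - visitor performed an active action confirming the box
//   revoked   - consent later withdrawn; revocation must stay possible at any time
function mayStore(name, state = {}) {
  const def = CATALOGUE[name];
  if (!def) throw new Error(`unknown cookie: ${name}`);
  const s = state[name] || {};
  switch (def.tier) {
    case TIER.NECESSARY:
      return true;
    case TIER.OPT_OUT:
      return !s.objected;
    case TIER.OPT_IN:
      // A pre-ticked box is acceptable only because confirming it is an active action.
      return Boolean(s.confirmed) && !s.revoked;
    case TIER.EXPLICIT:
      // A pre-ticked box never yields explicit consent, even when confirmed.
      return Boolean(s.confirmed) && !s.preTicked && !s.revoked;
    default:
      return false;
  }
}

// Cookies that may already be set when the page loads, before any interaction:
// everything that does not rest on consent (necessary and opt-out cookies).
function allowedAtPageLoad() {
  return Object.keys(CATALOGUE).filter((name) => mayStore(name, {}));
}

// Lint a banner's default settings against the table: explicit-consent boxes must
// not be pre-ticked, and no consent-based cookie may be set before confirmation.
function bannerDefaultViolations(defaults) {
  const violations = [];
  for (const [name, d] of Object.entries(defaults)) {
    const tier = CATALOGUE[name] ? CATALOGUE[name].tier : undefined;
    if (tier === TIER.EXPLICIT && d.preTicked) violations.push(`${name}: explicit consent cannot be pre-ticked`);
    if ((tier === TIER.OPT_IN || tier === TIER.EXPLICIT) && d.setBeforeConfirm) violations.push(`${name}: consent-based cookie set before confirmation`);
  }
  return violations;
}
```

`allowedAtPageLoad()` gives the set a CMP may write before the banner is answered; `bannerDefaultViolations()` is what a reviewer would run over a banner's default configuration.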