Cookie Banner Obligation in Switzerland: What Really Applies in 2026

The question comes up in every consulting session: "Do I even need a cookie banner?" And depending on who I'm talking to, I hear three completely different answers. The web agency says "of course, everyone has one." The lawyer says "it depends." The CEO says "I want this as unobtrusive as possible." Everyone is right somewhere — but the sober legal reality is more concrete than it appears at first glance.

The legal situation in Switzerland — short and clear

The revised Data Protection Act doesn't mention cookies by name. It speaks of processing personal data and that this processing must be transparent. Cookies are technically small text files stored in the browser. When a cookie contains a unique ID and behaviour can therefore be traced back, that's processing of personal data — covered by the FADP.

The second relevant source is Art. 45c of the Telecommunications Act (TCA). It obliges website operators to inform users about processing via cookies and to give them the option to refuse. In practice, the TCA has little bite — there have hardly been any criminal proceedings on this basis so far.

The third and currently most important source is the FDPIC recommendation from February 2024. It clearly states how the FDPIC understands a correct cookie information: layered approach with first information level, precise cookie listing on second level, equivalent buttons for accept and reject.

When is a banner mandatory?

The simple rule of thumb: if your website sets cookies that are not necessary for function, you need a consent banner.

Specifically:

• Necessary cookies (session, cart, login, CSRF): no banner needed, but a mention in the privacy policy.
• Functional cookies (language preference, theme, saved filters): information recommended, consent recommended but not mandatory.
• Statistics cookies (Google Analytics, Matomo, Plausible): consent recommended — Plausible can technically work without cookies.
• Marketing cookies (Meta Pixel, Google Ads, Hotjar): consent mandatory.

In practice: anyone with even a single marketing or statistics cookie needs a clean consent banner. Websites without tracking — for example a pure business card without analytics — get by without a banner but should still have a privacy policy.

The GDPR topic many SMEs overlook

A common misconception: "We're a Swiss company, so only the FADP applies to us." True, as long as you specifically target the Swiss market. But as soon as you actively address EU customers — for instance through product shipping to Germany, German-language ads in Austria or a newsletter with French subscribers — the GDPR kicks in for those visitors.

What does this mean concretely? The GDPR banner sets stricter standards than the FADP. In particular:

• Consent must be opt-in (not pre-checked active)
• "Reject" must be equally accessible
• Consent must be documented (consent log)
• Consent must be revocable (as easily as it was given)

Anyone who wants to cover both worlds builds the banner to GDPR standard. That's also the FDPIC's recommendation — meeting stricter requirements automatically satisfies milder ones.

The FDPIC recommendation in detail

The 2024 recommendation is surprisingly practical. It proposes a "layered approach":

First level — the banner itself. It must show:

• What types of cookies are used
• Who the recipients are (including third parties)
• How consent can be granted or refused
• A link to detailed information

Second level — the cookie detail page. It must list:

• Each individual cookie with name, provider, purpose, retention period
• Option to choose categorically or individually
• References to third-party privacy policies

In practice, levels 1 and 2 often merge in a modal logic: banner at the bottom, click on "Settings" opens the detailed view. That's acceptable as long as access to the detailed view is intuitive.

Three practical examples from Swiss daily life

Example 1 — Local restaurant website. Static page, embedded Google Maps, nothing else. Maps sets a cookie. Recommendation: banner with information and option to disable Maps. In practice, you load Maps only after consent — until then a static map or placeholder is shown.

Example 2 — Web agency with HubSpot CRM. HubSpot tracking, Google Analytics, Meta Pixel. A professional cookie banner is indispensable here — without consent, none of these tools may load.

Example 3 — Swiss online shop with DACH shipping. GDPR comes into play. Banner must be GDPR-compliant, marketing cookies may only be loaded after explicit opt-in. Consent log is mandatory — for access requests it must be verifiable when the customer agreed to which processing.

Consequences in case of violation

The FDPIC began checking websites more proactively in 2025. In case of violation, an informal recommendation for adjustment is issued first. Anyone who ignores or partially corrects risks a formal recommendation that can be made public. In repeated cases, criminal charges threaten — with the consequence that the natural person responsible for the violation can be held liable for up to CHF 250,000.

Reputationally, the damage is often greater than the financial sanction. A public FDPIC recommendation against an SME remains readable on the web — and customers increasingly pay attention to data protection hygiene.

Bottom line for 2026

The cookie banner obligation in Switzerland is not binary "yes or no." It depends on which cookies and tracking tools are actually used. But as soon as anything beyond session functionality runs, a clean consent banner with layered approach is mandatory — not a matter of style.

Anyone wanting to solve this pragmatically has two options: have your own banner built (expensive, maintenance-intensive) or use a finished solution like Aiara that works FADP- and GDPR-compliant out of the box. Aiara automatically detects which cookies your website sets and adapts the banner including detail page accordingly.