The FDPIC Guide in Practice: What It Really Means for Website Operators

The Federal Data Protection and Information Commissioner (FDPIC) is the central supervisory authority for data protection issues in Switzerland. Its guide on online tracking and cookies has been the most important reference for Swiss website operators since 2019 — even though few have actually read it. Here's an overview of the most important recommendations, complemented by observations on how the FDPIC implements them in practice.

What the guide is — and what it is not

The Guide V1.1 from February 2024 is not a regulation, not a law, not a binding norm. It is an authority statement explaining how the FDPIC interprets the FADP for online tracking. That sounds weak but is practically very effective: anyone investigated is measured against the guide. Anyone deviating must justify.

From a legal perspective: the guide doesn't bind directly, but it forms the "safe practice." In court an argument like "but the FDPIC recommended this" wouldn't be decisive but would be a substantial factor.

The five most important recommendations

1. Layered approach for cookie information

The FDPIC recommends two-stage information: first level as banner with core points, second level with detailed cookie listing. The second level must be intuitively reachable.

In practice: most banners have implemented this, but often poorly — clicking "Settings" opens a list that's barely readable. What the FDPIC wants: readable, categorical listing with clear choice option.

2. Equivalence of accept and reject

"Accept" and "Reject" must be visually and logically equivalent. Specifically: both buttons should be the same size, equally prominent, with similar contrast.

In practice: there are many violations here. The green, glowing "Accept" button next to the grey, semi-transparent "Reject" is a classic dark pattern that the FDPIC explicitly marks as inadmissible.

3. No cookie walls

A cookie wall — i.e. "accept or leave the website" — is not permissible according to the FDPIC's position because consent is then no longer voluntary. There's leeway for models like "pay-per-page" or "consent or subscription," but that's legally tricky.

In practice: cookie walls are rare in Switzerland. Most websites allow rejection without blocking access.

4. Granular choice options

Users must be able to choose not only "accept all" or "reject all" but also categorically — e.g. only statistics, only marketing. Ideally per individual third-party tool.

In practice: granularity is mostly implemented but often with unclear category labelling. "Marketing" means what exactly? Which tools fall in, which out? The detail page must clarify this.

5. Documentation of consent

Every consent must be verifiable. Specifically: consent log that records what, when, with which categories was chosen for each user click.

In practice: the weakest point at many Swiss websites. When a user makes an access request and asks for their consent log, radio silence often follows — because none is kept.

Authority practice since 2024

The FDPIC has noticeably checked more actively in the last 18 months. The typical procedure:

1. Receipt of a complaint or random sample selection by the authority
2. Informal inquiry to the company with request for opinion
3. Recommendation for adjustment with appropriate deadline (typically 30-60 days)
4. On non-implementation: formal recommendation with publication
5. On further non-implementation: complaint to the Federal Administrative Court

In practice, most cases conclude at stage 2 — informal adjustment is enough. Stage 3 becomes public, stage 4 is rare.

What V2 (announced 2026) might bring

The FDPIC has announced a V2 of the guide. Expected focus:

• AI-related tracking — behavioral profiling through ML models
• Server-side tracking — workarounds that set first-party cookies but send data to third parties
• Mobile app tracking — interface between FADP and Apple/Google app tracking policies
• Dark pattern extensions — new categories of misleading UI patterns

Anyone implementing cleanly today is prepared for V2. Anyone using workarounds should brace for new requirements.

Practical checklist before an FDPIC random check

When the FDPIC knocks, you should be able to immediately show the following:

• Cookie banner with equivalent accept/reject buttons
• Detail page with listing of all cookies, categorical and individually selectable
• Consent log with traceable consents
• Privacy policy that matches the actual cookie reality
• Access request process with documented response time
• Cross-border transfers disclosed with mechanism
• Records of processing activities (where required)

Where Aiara implements the guide

Aiara's banner is built by default according to the layered approach. Accept and reject have the same size and prominence. The detail page lists every cookie individually, with provider, purpose and retention period. The consent log runs automatically in the background — on an access request you see at a glance when the user made which choice. That's not magic, that's the application of what the FDPIC recommends as "safe practice."