FADP-Compliant Newsletters: Getting Double Opt-in Right in Switzerland
Is double opt-in mandatory in Switzerland? Not explicitly — but if you can't prove consent, you have a problem in a dispute. What Art. 3 UCA really requires, when the existing-customer exception applies, and how to set up newsletter sign-up properly.

"We got the addresses at the trade fair — let's just add them to the mailing list." This sentence comes up surprisingly often at Swiss SMEs. And it is the most direct route to a spam complaint, because without consent, mass advertising by email is unfair competition in Switzerland — and, upon complaint, even a criminal offence.
At the same time, the opposite circulates as received wisdom: "Double opt-in is mandatory." That is not accurate either. What the law actually requires, where the existing-customer exception applies, and why double opt-in is still the only sensible approach — a practical guide.
Which law governs newsletter sending in Switzerland?
The central rule for newsletters is not found in data protection law but in the Federal Act against Unfair Competition (UCA). Art. 3 para. 1 let. o UCA declares mass advertising by email, text message or other telecommunication channels unfair if three conditions are not met:
- Prior consent of the recipients,
- correct sender information — no disguised or forged sender,
- reference to a hassle-free and free-of-charge opt-out option in every message.
All three conditions must be met simultaneously. A newsletter with consent but without an unsubscribe link is just as unfair as one without consent. Violations are punishable upon complaint under Art. 23 UCA — with imprisonment of up to three years or a monetary penalty.
In parallel, the Federal Act on Data Protection (FADP) applies: email addresses are personal data, and the duty to inform under Art. 19 FADP requires you to inform about the processing. In concrete terms: your privacy policy needs a newsletter section — which sending tool you use, where the data flows, and how long it is stored.
When does the existing-customer exception apply?
Consent is not required in every case — the UCA contains an explicit exception for existing customers. Anyone who receives contact details when selling their own goods or services may send advertising to these customers without consent, provided four conditions are met:
- The contact details come from an actual purchase, not from a mere enquiry or a trade fair conversation.
- You pointed out the opt-out option already at the time of collection — for example with a sentence in the checkout process.
- The advertising concerns only your own similar goods or services. If you sold printer cartridges, you may advertise printer accessories — but not a partner's insurance products.
- Every message still contains the free-of-charge unsubscribe option.
The exception is narrower than it sounds. Business cards from a trade fair, webinar attendee lists, contact form enquiries — none of these are purchases and none fall under it. When in doubt: obtain consent. It is the more robust path, and towards recipients abroad it is the only viable basis anyway.
Is double opt-in mandatory in Switzerland?
No — Swiss law contains no explicit double opt-in obligation. The UCA requires consent but does not prescribe a specific procedure for how it must be obtained. Anyone claiming the law prescribes the confirmation procedure is being imprecise. This honesty is part of serious advice.
But — and this "but" is decisive: anyone relying on consent must be able to prove it in a dispute. And this is exactly where the simple sign-up procedure (single opt-in) fails. If someone enters a third party's email address in your form, the owner ends up on the list without any action of their own — and you have no evidence whatsoever that the consent came from them. A record in your database only proves that somebody typed in the address.
The double opt-in procedure closes this gap: after sign-up, the address receives a confirmation email, and only the click on the confirmation link activates the subscription. The documented click proves that the actual mailbox owner agreed. That is why double opt-in is best practice in Switzerland for securing evidence — not a legal obligation, but the only way to document consent in a way that holds up.
Add to that the view across the border: in Germany, case law has made double opt-in the de facto standard. Anyone sending into the DACH region — and which Swiss mailing list does not — cannot avoid the procedure anyway.
What applies to newsletter recipients in the EU?
As soon as you deliberately target people in the EU with your newsletter, the General Data Protection Regulation (GDPR) comes into play — even for a Swiss company without an EU establishment. For newsletter sending, this concretely means:
- Consent must be freely given, informed and unambiguous (Art. 4 (11), Art. 6 (1) (a) GDPR).
- Art. 7 (1) GDPR makes the burden of proof explicit: the controller must be able to demonstrate that the data subject has consented. What is best practice in Switzerland is a spelled-out obligation here.
- The prohibition of bundling (Art. 7 (4) GDPR) forbids making a contractual service conditional on consent that is not necessary for it.
- Withdrawal must be as easy as giving consent (Art. 7 (3) GDPR).
In practice, a two-tier mailing list with different rules for Swiss and EU addresses is not worth it. Work to the stricter GDPR standard from the start — then both legal systems are covered. We have summarised what else the regulation means for Swiss companies in our guide to the GDPR for Swiss companies.
How do you implement double opt-in properly?
A legally sound double opt-in consists of four building blocks: sign-up form, confirmation email, consent log and unsubscribe link.
1. The sign-up form. No pre-ticked checkboxes — consent that is already ticked is no consent. No bundling: anyone downloading a whitepaper must not automatically end up on the newsletter list; the newsletter checkbox remains optional and untouched. Say transparently what the sign-up means: which content, roughly what frequency, with a link to the privacy policy. And collect only what is necessary — for a newsletter, the email address suffices; name and company are voluntary fields.
2. The confirmation email. It has exactly one job: to have the sign-up confirmed. A neutral subject line, one sentence of explanation, the confirmation link — no advertising, no offers, no product images. A promotional confirmation email to an address whose consent has not yet been established is itself advertising without consent. Anyone who does not click does not get contacted — not even with a "reminder".
3. The consent log. Document per subscriber: timestamp of the sign-up, timestamp of the confirmation click, the IP addresses of both steps, and the wording of the form in the version valid at the time. The common sending tools log timestamps and IP automatically — the form wording you must version yourself. Only this log turns the procedure into evidence.
4. The unsubscribe link. In every single email, free of charge, without forced login and without follow-up hurdles. Unsubscribing takes effect immediately — "deletion may take up to 14 days" cannot be justified by anything technical in 2026. The unsubscribe link is moreover one of the three basic UCA conditions: if it is missing, sending even to properly consented recipients is unfair.
Checklist: setting up newsletter consent securely
The short version to tick off:
- Sign-up form without pre-ticked checkboxes
- Newsletter consent decoupled from other services (no bundling)
- Transparent information on content and frequency, link to the privacy policy
- Only the email address as a mandatory field
- Confirmation email neutral, without advertising
- Sending only after the confirmation click
- Log: timestamp, IP address, form wording with version
- Unsubscribe link in every email, effective immediately
- Existing-customer exception only for genuine purchases and own similar products
- Newsletter section in the privacy policy (tool, data flow, retention period)
What does the privacy policy have to do with it?
The newsletter must be covered in your privacy policy — the consent in the form does not replace the duty to inform under the FADP. The section names the sending tool used (such as Brevo or Mailchimp), the server location including any cross-border transfer, the purpose, the retention period and the right of withdrawal. How a complete policy is structured is shown in our guide to the privacy policy for Swiss websites.
The underlying idea is the same as with the cookie banner: consent is only worth as much as its proof. At Aiara, this principle is built in — the cookie consents of your website visitors are logged in an audit-proof manner, and the privacy policy generator creates the newsletter section of your privacy policy along with it, matched to the sending tool you specify in the questionnaire. This keeps the documentation consistent: one setup, all consents provable.
Frequently Asked Questions
Is double opt-in legally required in Switzerland?
No, not explicitly. The Unfair Competition Act requires prior consent for mass advertising by email, but does not prescribe a specific procedure. Because the sender must prove in a dispute that consent exists, double opt-in is nevertheless the standard: only the documented confirmation click proves that the sign-up actually came from the owner of the email address.
What are the penalties for sending newsletters without consent?
Sending mass advertising without consent is unfair competition under Art. 3 para. 1 let. o UCA. Upon complaint, it is punishable under Art. 23 UCA — with imprisonment of up to three years or a monetary penalty. Add to that civil claims by those affected and the reputational damage: spam complaints degrade the deliverability of all future mailings.
May I send a newsletter to existing customers without consent?
Yes, under four conditions: you received the contact details when selling your own goods or services, you pointed out the opt-out option at that time, you only advertise your own similar products, and every email contains a hassle-free, free-of-charge unsubscribe option. If one of these conditions is missing, you need consent.
What must I log for newsletter consent?
At minimum: the time of sign-up, the time of the confirmation click, the IP addresses of both steps, and the wording of the sign-up form in the version valid at the time. Only with this information can you prove years later who consented to what and when — which is exactly what the burden of proof demands, and under the General Data Protection Regulation even explicitly.
Does the GDPR apply to my Swiss newsletter?
As soon as you deliberately target recipients in the EU, yes. Then the consent requirements of Art. 6 and 7 GDPR apply: freely given, informed, unambiguous — and with an explicit obligation for the controller to demonstrate consent. Since most Swiss mailing lists also contain EU addresses, in practice it is easiest to work to the stricter GDPR standard from the start.
Ready for clean cookie consent?
Aiara handles cookie banners, privacy policies and legal notices for your website — FADP and GDPR compliant.
Discover AiaraMore articles

July 5, 2026 · 8 min read
Consent Logs: How Long Do I Need to Keep Cookie Consent Records?

July 3, 2026 · 8 min read
Data Processing Agreements (DPA) in Switzerland: When You Need One — With a Checklist

June 30, 2026 · 9 min read