Switzerland: FADP (Federal Act on Data Protection) / DPO (Data protection ordinance)

What is FADP regulations and how it works?

Switzerland follows the Federal Act on Data Protection (FADP) to ensure the protection of data privacy. This legislation was initially introduced in 1993 and underwent revision in 2007, which also included the Data Protection Ordinance (DPO).

According to Switzerland's Data Protection Act (FADP), websites that process personal data from users within Switzerland may be required to obtain prior, freely given, and informed consent from those users. This applies to cookies that are not strictly necessary for the basic functioning of the website but process personal data for purposes such as analytics or marketing.

Consent is particularly important in cases involving the processing of sensitive personal data, high-risk profiling by private individuals, or profiling by federal bodies. Additionally, consent may be necessary if data is transferred to a country that does not provide an adequate level of protection.

To be valid, cookie consent must be a genuine choice, meaning that users provide consent without coercion, pressure, or external influence. This implies that users who decline to consent to cookies should not be denied access to certain services or benefits offered by the website. Refusing cookies should not result in any negative consequences, and users should still be able to continue accessing the website.

If you have users located in Switzerland, it is mandatory to comply with the new Swiss FADP. Non-compliant domains may face substantial fines. The good news is that if you are already compliant with the EU's General Data Protection Regulation (GDPR), you are likely to be compliant with the Swiss FADP as well.

If you want to know more about the different regulations you can access our article "Laws and regulations for each region"

What should the cookie banner look like to comply with this regulation?

The information usually found about Switzerland's regulations regarding the cookie banner is contradictory. On some websites, they may recommend a banner with the option to accept or reject cookies, while on others, only a notice without any required action is suggested. However, at illow, we always recommend keeping your website secure. That's why a banner with the following features is our recommended tool in this case:

• Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  
• Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
• Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
• Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
• Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
• Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 

Observations: With illow´s GLOBAL banner, your site will be ready to comply with this regulation.