08 January 2026

Updated Cookie Guidelines from the FDPIC

  • Articles
  • Legal
  • Data / Technology / IP

The updated Cookie Guidelines from the FDPIC bring clarity but also tighten practice, particularly on tracking, profiling and cookie paywalls. An overview.

  • Dr. Martin Eckert

    Legal Partner

  • Noëlle Glaus

    Legal Associate

  • Philipp Stadler

    Senior Legal Associate

On October 6, 2025, the Federal Data Protection and Information Commissioner (FDPIC) published an updated version of its Cookie Guidelines. The content of this version is largely consistent with the first version, but contains clarifications and additions intended to improve comprehensibility and to clarify practical issues in Switzerland.

The update leads to a partial tightening of the rules and shows in particular that the FDPIC is guided by EU cookie law and the GDPR. Although the guide is not binding, it clarifies the FDPIC’s views, which it will pursue within the scope of its limited powers.

Overview of changes:

  • Section 3.1.2: In connection with singularisation, the FDPIC specifies that the personal reference of data processing always depends on the specific processing concept. When location data is collected, there is usually a high probability of identification, especially if movement profiles are created from it. This applies, among other things, if places of regular residence (e.g. home, workplace, practices, business premises) are recognisable and conclusions about identity can be drawn.
  • Section 3.2.2: When data is collected by third parties, the FDPIC believes that website operators must not only ensure that their information obligations towards the data subjects are fulfilled, but also that sufficiently specific consent is obtained.
  • Section 3.5.2: With regard to the technical necessity of cookies, the FDPIC now differentiates between functional and security aspects. Cookies are functionally necessary if the central functions of a website cannot be provided without them (e.g. shopping basket cookies in online shops, temporary storage of entries, language selection). Cookies are necessary for security reasons if data processing would not meet the minimum data security requirements under art. 8 FADP without them (e.g. load balancing, protection against brute force attacks, distinguishing between human users and bots).
  • Section 3.6: In the updated version, the FDPIC clarifies that non-essential cookies are all cookies that are neither functional nor necessary for security reasons.
  • Section 3.8.1: The FDPIC specifies that cookies that present product recommendations based on shopping basket items, store preferences for later visits or display delivery times or branch distances are not technically necessary. The previous reference to cookies for storing payment methods as not technically necessary has been deleted.
  • Section 3.9: The FDPIC has added a note on the design of the buttons in the consent banner and its embedding on the website. Accordingly, website operators must ensure through appropriate default settings that the use of cookies is limited to the minimum necessary until users have had the actual opportunity to inform themselves about the data processing and exercise their right to object by means of corresponding buttons in the consent banner.
  • Section 3.10.1: In addition, the FDPIC clarifies that geolocation data collected using cookies or similar technologies – depending on the duration of data collection – can result in high-risk profiling if the data collected, alone or in combination with other data or data sources, leads to precise movement profiles that allow conclusions to be drawn about essential aspects of personality.
  • Sections 3.11.1 and 3.11.3: With regard to personalised advertising, the FDPIC emphasises that third parties who obtain access to personal data from the controller via third-party cookies or similar technologies in return for payment and who are embedded on several websites may engage in high-risk profiling, for which consent is required. In addition, the FDPIC points out that although consent management platforms (CMPs) are technically standardised, the profiles created with them are sold to various parties. This means that data can also be used for purposes other than targeted advertising, which makes risk assessment in this area more difficult.
  • Section 3.12.3: The FDPIC specifies that declarations of consent must clearly allow users to accept or reject different purposes individually if the declaration of consent relates to several different data processing operations and purposes or if different purposes are combined. The same applies to consent with regard to embedded third parties.
  • Section 3.12.4: In connection with voluntary consent, the updated guidelines now address so-called “cookie paywalls”. Here, users are given the choice of consenting to all cookies and similar technologies or – if they refuse to give their consent – paying a fixed price for using the website content (so-called “pure subscription models”). Consent is only considered voluntary if the financial contribution required is proportionate and does not undermine the fundamental right to data protection. The price must be proportionate to the potential loss of revenue resulting from the refusal to disclose personal data.

Summary of the most important points:

  • High-risk profiling with location data: The FDPIC emphasises the considerable risks associated with the systematic collection and evaluation of location data. Movement profiles can allow conclusions to be drawn about places of residence or work and thus about real identity and other sensitive aspects of personality. Profiling based on such data is regularly considered high-risk profiling, for which consent must be obtained.
  • Consent for personalised advertising: Express consent may be required for personalised advertising, especially when using third-party cookies or similar technologies. This is especially the case when third-party cookies or comparable technologies are used that allow website operators to grant third parties – in some cases for payment – access to personal data, and these technologies are integrated across multiple websites. This can result in high-risk profiling and therefore a particularly significant intrusion into the privacy of the individuals concerned, making consent necessary.
  • Consent for cookie paywalls: Consent to non-essential cookies for cookie paywalls is only considered voluntary if the alternative payment model is proportionate and does not effectively undermine data protection requirements. Excessive prices can effectively lead to forced consent, which would be inadmissible.

Conclusion:

The updated version of the Cookie Guidelines provides additional clarity, but at the same time increases the requirements for website operators. The FDPIC aims to bring practice in line with established data protection standards – particularly the GDPR – without introducing new material requirements. The additions increase legal certainty but also highlight the need for careful implementation of consent, transparency and risk assessments, especially when using tracking technologies.

Companies that use data-driven advertising or process location data should review and adapt their cookie banners and privacy notices as soon as possible.



Click here to learn more about our expertise:
Back