In Switzerland, the new Data Protection Act (DSG) has been in effect since September 25th, 2020. It brings many innovations with it. Here is a short excerpt of what is important for websites.
Does a website have to have a consent layer/cookie banner?
Cookies are defined in Swiss law in Art. 45c lit. b of the Swiss Telecommunications Act (TCA). According to this regulation, website operators in Switzerland must inform website users about the use of cookies and their purpose and inform website users that they can refuse this processing. Art. 45c lit. b FMG does not provide any special formal requirements for the information obligation, which is why, according to the doctrine, the information obligation can usually be fulfilled by attaching a reference to cookies, e.g. in the data protection declaration.
Regardless of this legal situation, the use of a consent layer/cookie banner by website operators in Switzerland is still recommended for the following reasons:
- The Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), is of the opinion that, at least when obtaining particularly sensitive personal data or personality profiles using cookies, the website users concerned must be explicitly asked in advance when visiting the website whether you consent to this processing. This opinion of the FDPIC is not legally binding; the use of a consent banner/cookie banner could nevertheless minimize any legal risks.
- Swiss websites that are not only aimed at users in Switzerland but also in the EU and which in particular People in the EU who offer goods or services must observe the (stricter) EU standards for the use of cookies anyway.
What minimum information must be given?
As explained above, a cookie layer is not necessary under Swiss law, but advisable. It can be assumed that a brief reference to the use of cookies and a reference to further information in a data protection declaration in the cookie layer/consent banner itself should suffice.
In accordance with the requirements of Art. 45c lit. b FMG the website users (i) inform about the use of cookies and their purpose and (ii) indicate that they may opt-out of the processing in question.
How the obligation to indicate the possibility of refusal can be fulfilled depends on the type and environment of the data processing in question. In the most common case of processing by cookies on a website, it is sufficient to point out to the users on the website that they can adjust the processing of cookies by their web browser by configuring the program accordingly, which should be briefly described in general terms. This also applies to the technology used for data processing; users should be able to roughly understand what is going on. Insofar as the use of cookies is mandatory for the use of an offer or part of an offer (because the offer would otherwise no longer function properly), it should be sufficient to inform the user and to point out that they can only use the website (with the full functionality) if it allows cookies. In this case, you can refuse to use the website at all or with limited functionality.
Is there a need for an opt-in, opt-out or is it purely a duty to provide information?
Art. 45c lit. b FMG generally provides an opt-out solution. However, for the same reasons as in the answer to the first question above, using an opt-in solution such as a cookie banner is still recommended.
