Cookies under scrutiny: what risks for Swiss companies?

Cookies and similar technologies have become an indispensable part of the digital ecosystem. They ensure the proper functioning of websites, measure their performance and, above all, collect valuable information on users' behaviour for marketing, personalisation or targeted advertising purposes. Long perceived as a mere technical topic, cookies have moved to the forefront of the enforcement priorities of data protection authorities and may expose companies to significant regulatory sanctions and liability if the applicable legal requirements are not properly implemented.

Published: 19 March 2026

Authors

Philipp Fischer

Partner

Claire Tistounet

Associate

Olaf Thorens

Associate

Expertise: Data Protection and Privacy; Technology and Outsourcing

1. Context

In a recent decision, the French data protection authority ("CNIL") imposed an administrative fine of EUR 150 million on an Irish company belonging to the Shein group for breaching the rules applicable to cookies. The decision was subject to appeal and may therefore not yet be final. Beyond its exceptional amount, this sanction sends a clear message: cookie management is no longer a matter of mere formal compliance but a significant legal, financial and reputational risk mitigation exercise.

While this decision is rooted in EU law (namely the GDPR and the ePrivacy Directive), it also raises important questions for Swiss companies, including:

  • What rules apply to cookies under Swiss law?
  • What are the specific risks in the event of non-compliance?
  • Are Swiss companies also exposed to EU rules and sanctions as a result of cookie practices?

2. Cookies under Swiss law: key rules

2.1. Swiss legislation

Unlike the European Union, Switzerland does not have a standalone and detailed legal regime specifically dedicated to cookies. Their use is nevertheless regulated by:

  • the Federal Act on Data Protection ("FADP");
  • the Ordinance on Data Protection ("DPO");
  • the Telecommunications Act ("TCA");

as well as the practice of the Swiss Federal Data Protection and Information Commissioner ("FDPIC").

The starting point is clear: where cookies enable the collection or processing of personal data, the FADP applies. This is in particular the case for tracking, analytics, behavioural advertising or profiling cookies.

2.2. Consent: when is it required?

Under Swiss law, the use of cookies is not systematically subject to prior consent. The assessment depends on: (i) the type of cookie (essential vs. non-essential), (ii) the purpose pursued, and (iii) the intensity of the interference with the data subject's personality rights.

  • Essential cookies: cookies that are strictly necessary for the technical operation of a website (e.g. shopping cart functionality, authentication and security) are in principle permissible without consent, based on a prevailing private or public interest.
  • Non-essential cookies: by contrast, cookies used for marketing purposes, targeted advertising, behavioural tracking or profiling do impact personality rights. Under Swiss law, such interference may, for example, be justified either by a prevailing private or public interest (following a balancing of interests) or by the valid consent of the data subject.

Where non-essential cookies only marginally impact personality rights and do not entail high-risk profiling, the processing may, depending on the circumstances, be justified on the basis of a prevailing interest. In such cases, users must at least be granted a clear, effective and easily exercisable right to object (opt-out).

However, where the use of non-essential cookies entails extensive tracking, cross-referencing of data, or profiling presenting an increased risk for the data subject, the balancing of interests will generally not suffice. In such cases, the valid consent of the user is required. According to the FDPIC, such consent must be: (i) freely given, (ii) specific, (iii) informed and (iv) expressed through a clear affirmative act (opt-in).

Purely passive or ambiguous mechanisms (such as continued browsing or pre-ticked boxes) may be problematic, in particular where the processing involves in-depth online behavioural tracking.

2.3. Information and transparency obligations

Irrespective of the issue of consent, the FADP imposes enhanced transparency and information obligations.

In particular, users must be informed of:

  • the identity and contact details of the data controller;
  • the specific purposes of the cookies;
  • the categories of personal data collected;
  • the recipients or categories of recipients (including third parties) and, if abroad, the jurisdiction(s) of their domicile; and
  • the safeguards relied upon for transfers of personal data abroad, as applicable.

In practice, this requires providing clear and easily accessible information on the use of cookies, typically through a specific section in the privacy policy or a separate cookie policy, and ensuring that users are able to understand the processing and exercise their rights.

2.4. Consequences of non-compliance

The revised FADP has significantly strengthened the sanctions regime in Switzerland. In the event of an intentional breach of certain obligations (in particular failures to comply with information duties, data security requirements or restrictions on cross-border data transfers), criminal fines of up to CHF 250,000.- may be imposed.

A specific feature of the Swiss system should be emphasised: sanctions are, in principle, imposed on the responsible individuals (such as executives or decision-makers), rather than on the company as such.

Beyond criminal sanctions, non-compliance may also give rise to: (i) enforcement actions by the FDPIC, (ii) reputational damage, (iii) civil litigation and (iv) a loss of users' trust.

Practical takeaways:

  • Precisely map the cookies and similar technologies used on the website(s) (purposes, retention periods, third parties involved).
  • Assess whether certain cookies go beyond what is strictly necessary and therefore require a justification based on a balancing of interests or explicit consent.
  • Determine the appropriate legal mechanism for non-essential cookies:
    • rely on an opt-out (right to object) for non-essential cookies with only limited impact on personality rights, where a balancing of interests may be justified; and
    • implement an opt-in (express consent) for cookies involving extensive tracking or higher-risk profiling.
  • Ensure that the choice mechanisms offered to users are effective and understandable.

3. Cookies under the GDPR: risks for Swiss companies?

3.1. Website accessibility from the EU: a false sense of security

Many Swiss companies wrongly assume that the GDPR[1] does not apply to them simply because they are established in Switzerland. However, the GDPR provides for a particularly broad extraterritorial scope.

The mere fact that a Swiss website is accessible from the European Union is not, in itself, sufficient to trigger the application of the GDPR. That said, two key situations warrant close attention (see sections 2.2 and 2.3).

3.2. Offering goods or services to individuals in the EU

The GDPR applies where processing activities are related to the offering of goods or services to individuals located in the EU, even if the company is established outside the EU, e.g. in Switzerland.

Concrete indicators may reveal such an intention, including for example:

  • a website available in one or more EU languages;
  • the possibility to place orders from the EU;
  • payments accepted in EUR;
  • offering deliveries to EU Member States; and
  • marketing campaigns targeting the EU.

In such circumstances, the stricter EU rules on cookies (including strict prior consent requirements, and granular consent choices) become fully applicable.

3.3. Monitoring the behaviour of users in the EU

Irrespective of any commercial intent, the GDPR also applies where the behaviour of individuals located in the EU is monitored, in particular through: (i) tracking cookies, (ii) advanced analytics tools, (iii) behavioural advertising or (iv) online profiling.

This is precisely where the risks are the highest. A Swiss company that deploys tracking cookies on its website without distinguishing users based on their geographical location may find itself subject to the GDPR without having anticipated it.

3.4. European sanctions: a change of scale

Where the GDPR applies, the sanctions are imposed on companies, and not on individuals, as in Swiss law. The potential financial exposure and overall consequences are considerably higher, including:

  • administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover, whichever is higher;
  • compliance and corrective orders;
  • publication of enforcement decisions; and
  • collective actions and cross-border complaints.

The EUR 150 million fine imposed by the CNIL in the case mentioned at the outset of this Legal Insight demonstrates that EU authorities are no longer hesitant to make full use of their enforcement powers, including against international groups operating from outside the EU.

Practical takeaways:

  • Assess whether the website and online activities target, even indirectly, users located in the EU.
  • Identify whether cookies or tracking tools enable behavioural monitoring without any geographical distinction.
  • Verify whether the cookie banner and consent mechanisms meet EU standards.
  • Anticipate the financial and reputational risks associated with the potential application of the GDPR.
  • Document the analyses and decisions made in order to be able to justify them in the event of an investigation.

[1]     It should be noted that, unlike the GDPR, the ePrivacy Directive is a directive and must thus be transposed into national law by each Member State. As a result, the territorial scope may vary across jurisdictions and may provide for extraterritorial effects. These aspects, which fall within the scope of national law, are not addressed in the present legal insight.

4. Conclusion

The scale of the sanction imposed by the CNIL confirms that rules governing cookies have now become an enforcement priority for data protection authorities in the EU. For Swiss companies, the issue is not merely theoretical: cross-border exposure may be sufficient to shift from a relatively flexible legal framework to a significantly more stringent regime.

In this context, a targeted review of cookie practices – taking into account both the requirements of Swiss law and the risks arising under the GDPR – is, in our view, necessary. Such a review enables companies to swiftly identify areas of vulnerability, adjust consent and transparency mechanisms and properly document the choices made.

Beyond reducing the risk of sanctions, this approach also helps strengthen a company's credibility vis-à-vis its customers and supervisory authorities.

Please do not hesitate to contact us in case of any questions.

Legal Note: The information contained in this Smart Insight newsletter is of general nature and does not constitute legal advice.

CONTACTS

Philipp Fischer

Partner, Geneva

philipp.fischer@lenzstaehelin.com

Tel: +41 58 450 70 00

Guy Vermeil

Partner, Head of Technology and Outsourcing, Geneva

guy.vermeil@lenzstaehelin.com

Tel: +41 58 450 70 00

Lukas Morscher

Partner, Head of Technology and Outsourcing, Zurich

lukas.morscher@lenzstaehelin.com

Tel: +41 58 450 80 00

Peter Ling

Partner, Zurich

peter.ling@lenzstaehelin.com

Tel: +41 58 450 80 00

Lukas Stephan Staub

Associate, Zurich

lukas.staub@lenzstaehelin.com

Tel: +41 58 450 80 00

Claire Tistounet

Associate, Geneva

claire.tistounet@lenzstaehelin.com

Tel: +41 58 450 70 00

Olaf Thorens

Associate, Geneva

olaf.thorens@lenzstaehelin.com

Tel: +41 58 450 70 00