Are cookies and tracking technologies regulated by consent requirements?
Part 10 of our series on data protection law in Switzerland
In this part of our series, we explore whether cookies and tracking technologies are regulated by consent requirements under Swiss law and if yes, how they must be implemented.
General duty of information
The use of cookies and similar technologies in Switzerland is regulated by the Telecommunications Act (TCA), as well as by the Federal Act on Data Protection (FADP), where the processing of personal data is involved. Pursuant to Art. 45(c) TCA, the use of cookies and similar technologies is allowed, provided that the users have been informed about the related data processing and its purpose and about the possibility of refusing such processing, i.e. deactivating cookies and similar technologies.
Whether the data collected and processed via cookies or similar technologies in considered personal data depends on the identifiability of the person the data relates to (cf. part 2 of our series). If the person is identifiable, the collected data is considered personal data and the requirements of the FADP must be complied with.
Consent and opt-out requirements
As private controllers do not need a legal basis for processing personal data under the FADP (cf. part 4 of our series), provided that the processing has a lawful purpose, is proportionate and carried out in good faith according to the principles set out in Art. 6 and 8 FADP, the use of cookies and similar technologies does not, as a general rule, require consent. However, in his recently published guidelines on data processing by means of cookies and similar technologies1, the Federal Data Protection and Information Commissioner (FDPIC) states that any use of non-essential cookies, i.e. cookies that are not technically necessary for the website to function correctly, violates the principle of proportionality in Art. 6(2) FADP and therefore needs a legal justification, i.e. an overriding legitimate interest or consent. The FDPIC therefore recommends obtaining consent for any use of non-essential cookies that is not generally expected by users and/or that leads to profiling, such as web analysis, personalised advertisement, etc. Explicit consent is, according to the FDPIC's guidelines, required whenever sensitive personal data is processed or in the case of high-risk profiling, e.g. cross-site tracking.
The right to opt out at any time from the use of cookies and similar technologies other than strictly necessary cookies is anchored both in the TCA and the FADP and must therefore be given to users at any time, whether personal data is involved or not.
Preview of Part 11
In part 11 of our series, we will examine the regulations and limitations on cross-border data transfers under the FADP.
Footnote
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
