Since September 2023, Switzerland has been operating under a new legal framework for data protection: the nFADP — or new Federal Act on Data Protection. The text replaces the 1992 law, brings Swiss legislation in line with the realities of the digital age and extends its reach far beyond Swiss borders, i.e. if your company processes the personal data of Swiss residents, then this law applies to you — whether you’re based in Zurich, Berlin or San Francisco.
Less well known than the GDPR, the nFADP is nonetheless a turning point for businesses. It introduces new principles, demands greater transparency, and brings Swiss law into the "Privacy by Design" era. So, in this edition of Compliance Check-Up, we’re heading to Switzerland to break down the logic behind the law and what it means in practice for companies and their consent management platforms (CMPs). And to go further, we delve into some detailed case studies, available at the end of this article.
A Brand-new Swiss Data Law Designed to Keep Pace with the GDPR
Passed in 2020 and in force since 1st September 2023, the new Federal Act on Data Protection (nFADP) replaces a law dating back to 1992 — long before smartphones, behavioural targeting, and the cookie banners we all know. The goal is clear: strengthen the rights of Swiss citizens and establish a data processing framework in line with global standards.
The reform was never just an internal upgrade, however. This overhaul was motivated by a strategic imperative: maintain alignment with the European Union’s GDPR. But why? Because drifting too far from EU standards could have jeopardised Switzerland’s competitiveness in the global digital economy.
If You’re Aiming for the Swiss, the nFADP is Aiming for You
The nFADP doesn’t just apply to companies based in Switzerland. Any organisation — regardless of location — must comply if it offers goods or services to individuals residing in Switzerland.
What if you operate in multiple countries? Then multiple laws may apply at once. A Swiss company processing the data of EU residents, for instance, must comply with both the GDPR and the nFADP. It’s a regulatory juggling act that cookie banners like Axeptio are built to support, offering companies a clear and consistent approach to privacy compliance across multiple jurisdictions — whether it’s the GDPR, the nFADP, Québec’s Law 25 or California’s CCPA.
Back to the Future: What’s Changed From 1992?
One major shift: the nFADP now protects only natural persons. Legal entities, which were previously covered under the 1992 law, are no longer included in its scope. Another key update: the definition of sensitive data has been expanded to include genetic and biometric data.
But if these changes seem a little far removed from what we usually talk about on this blog — consent management platforms and compliance in practice — don’t worry, the core principles are still highly relevant. For the first time, Swiss law now explicitly introduces the concepts of Privacy by Design and Privacy by Default. In other words, privacy protection must be embedded into products and services from day one, and default settings must offer the highest level of data protection without requiring user action.
The nFADP also tightens requirements around transparency. Any collection of personal data — whether sensitive or not — must be clearly and accessibly communicated to the individual beforehand. That means being specific about what data is collected, why, for how long, and who will process it. Enter: the cookie banner.
Keeping a record of processing activities is now mandatory — with an exemption only for SMEs whose data processing presents minimal risk to individuals’ rights. In the event of a data breach, companies are now required to notify the Federal Data Protection and Information Commissioner (FDPIC) — the Swiss data privacy regulatory body — without undue delay.
And What About Consent?
Unlike the European GDPR, the nFADP does not establish prior explicit consent as a general rule for using trackers.
But does that mean that companies can skip asking for active consent when it comes to cookies? Not quite. In reality, things are more nuanced. The need for consent depends on the level of risk to users’ privacy. The nFADP doesn’t impose a strict opt-in model — but it does significantly strengthen information obligations and the right to object (opt-out).
Users must know, before any data is collected, what’s being gathered, why, by whom, and for how long. In the context of marketing tracking, profiling or personalized advertising, this demand for transparency and risk assessment is already prompting many companies to adopt GDPR-like consent models — out of caution, but also for consistency across their various markets.
In short: implementing a cookie banner that respects user choice remains the best strategy to stay compliant, reduce legal risk, and build trust.
Axeptio: Already nFADP-ready
At Axeptio, our cookie management platform was designed to accommodate various international privacy frameworks — including the Swiss nFADP. The interface is clear, customizable, and adaptable to the specific legal context of each country.
Some global brands have already made this strategic choice. In Switzerland, Veepee Suisse rolled out a cookie banner that is fully compliant, aligned with its brand image, and reassuring to Swiss users. You can read their full story here.
Another example: BRP, a multinational company operating across several continents, chose Axeptio to unify its consent strategy, globally. We’ve detailed the project in an exclusive white paper — covering the technical decisions, legal challenges and tangible business benefits of a multi-regulation cookie management platform, available for download using the form on this page.
Handling data from Swiss residents? Good news — our cookie banner can help you stay compliant.
