Yes, in principle.
Swiss law requires that the user of the device (on which the cookies will be placed) be informed:
The same rule applies to similar technologies, which store data on a device.
However, consent may be required based on data protection law. Whether consent is required depends on the concrete facts of the case in question (e.g. purpose of processing, scope of data collected, transfers to third parties, etc.)
Not consistently. In a considerable number of cases, the relevant regulation of the European Union (i.e. PECR) is followed. However, in other cases, there is no compliance with the applicable rules.
N/A
Yes, provided that the processing of personal data complies with general data protection principles (transparency, proportionality, data minimization, etc.).
For advertising cookies and social media cookies, we generally recommend obtaining consent.
Implied consent is acceptable in principle. However, processing of sensitive data and high-risk profiling activities require explicit consent. Generally, we recommend against relying on implied consent.
No. While there is no explicit requirement to have a "cookie notice" as such (or to call it "cookie notice"), there are certain minimum information requirements that must be fulfilled (see answer to question 1).
Yes, while we recommend having a cookie banner (and it is best practice/ market standard), there is no explicit requirement.
Yes, in principle.
It is possible that the data subject would argue that the consent was not freely given. However, the associated risk appears to be low (there is currently little to no enforcement in this regard and we do not expect this to change in the foreseeable future).
While enforcement is not excluded in theory, we see very little enforcement actions.
There are no such ongoing (or announced) consultations.
There are no anticipated changes to the statutory rules.
Please note that the Swiss Federal Data Protection and Information Commissioner (which is the Swiss Federal Supervisory Authority in data protection matters) has announced its intention to publish guidance on cookies and data protection aspects (such as privacy by design / by default considerations). It is possible that this guidance may lead to a different assessment regarding some of the points mentioned above. While this guidance does not produce immediate legal effect, it is likely that courts would follow it (and therefore, it is recommended to comply with the guidance). The timing regarding this guidance is not clear.
Concerning changes to the attitude of market participants:
Enforcement actions in the EU often lead to changes in behaviour by large multinational organizations. This in turn has knock-on effects to other market participants. As a result of the revised Swiss Data Protection Act (which entered into force on 1 September 2023) There was a significant increase in awareness for the regulation around cookies and a growing alignment with EU requirements (as best practice).