Cookie Banner Switzerland: What the revDSG Actually Requires

Do I need a cookie banner in Switzerland?

Only if your website uses services that send data to third parties. A purely Swiss site without Google Analytics, Google Ads, or an EU connection needs no consent banner. As soon as you load Google tools or track EU visitors, you need one. Cookieless analytics bypasses the banner entirely, and that is exactly the route I take on my own site.

Today, a cookie banner blinks on almost every Swiss website. Sometimes with two equally large buttons, sometimes with a hidden reject link, sometimes with a whole wall of switches. Many businesses installed the thing because everyone has it, not because they knew what Swiss law actually requires of them. I’ll take this apart calmly here: what applies in Switzerland, what a banner has to do, what is overkill, and when you need none at all.

One clarification up front: I am not a lawyer. What follows is the practical view of a web developer who has been building Swiss SMB sites for years. For a binding legal assessment, tricky cases belong with a professional. Good, layperson-friendly sources are the Federal Data Protection and Information Commissioner (FDPIC) and the Steiger Legal blog. I’ll provide the technical perspective alongside them.

Does the revDSG require a cookie banner like the GDPR?

No. Since 1 September 2023, the revised Swiss Data Protection Act, revDSG for short, has applied in Switzerland. It is the Swiss counterpart to the European GDPR, but deliberately built differently. Many treat it as if it were a copy. That is not the case, and this very difference explains why most banners are oversized.

The GDPR requires active, prior consent for many cookies. Before a non-essential cookie is set, the visitor must have agreed. Hence the banners that block you until you click.

The revDSG works differently. It puts transparency first. You have to disclose which personal data you process and for what purpose. That happens in the privacy policy. A forced click hurdle before an analytics cookie is set is not something the revDSG prescribes in that form.

Decision table: do I need a banner?

The obligation does not attach to your website as such, but to the services you load. Here are the most common cases:

Read the table from top to bottom. As soon as a row with a Yes applies to you, you need a banner. If none applies, you need none. That is how simple the logic is, and it is rarely explained this way.

The expensive myth: who the fine really hits

This is where it often gets told wrong, and the misconception costs nerves. You read about a fine of up to CHF 250,000 and think your company is on the hook. That is not the case.

The revDSG does not punish the company, but the responsible person. In the case of an intentional violation, the fine of up to CHF 250,000 hits the owner or the managing director, and indeed out of their private assets. Only if this person cannot be identified with proportionate effort is the company held liable on a subsidiary basis, and then only up to CHF 50,000.

Two things follow from this. First: it is not a mass-fine machine against companies like under the GDPR. The revDSG takes effect in cases of intentional violations by a responsible person, not for every forgotten checkbox. Second: if it gets serious, a human is liable privately, not an abstract company. That is a reason to work cleanly, but not a reason for panic banners. The serious response is an honest privacy policy, not the biggest wall of switches.

Why almost everyone has a banner anyway

If Swiss law does not force a consent banner, why do you see it everywhere? There are two understandable reasons for that.

First: anyone with visitors from the EU, and that is almost every website, is operating within the scope of the GDPR for those people. Many businesses therefore choose the stricter standard to be on the safe side.

Second, and this is the more honest reason: most sites load Google Analytics, Google Fonts from the Google server, embedded YouTube videos, the Facebook pixel, or a US chat. Each of these services sets cookies and sends data to third parties, often to the US. With a Google market share of around 90 percent in Switzerland, many also use Google Ads, and since March 2024 Google has required Consent Mode v2 for that. Through this interface, Google learns whether the visitor consented. Without valid consent, Google processes the data only in a limited form. So anyone running Google Ads or Analytics needs the banner for Consent Mode, otherwise the measurement runs blind.

That is the decisive thought: the banner is the consequence of your technical decisions, not an obligation that falls from the sky.

What a banner has to do, if you need one

If you use trackers that require consent, the banner has to handle a few things cleanly:

• Rejecting is just as easy as accepting. No hidden fine print, no gray link in the bottom right. Accept and Reject belong on the same level, equally visible.
• Nothing loads before consent. The trackers may only fire once someone has agreed. A banner that is merely decorative while Google Analytics already runs in the background is worthless and wrong.
• Granular where it makes sense. Statistics, marketing, and external media can be released separately. The visitor should be able to allow statistics and reject marketing.
• Withdrawal is possible. The choice made once must be changeable later, via a small link in the footer, for example.

That is the necessary scope. Everything beyond it is usually just noise.

What is overkill

I often see three things that do more harm than good.

The banner that blocks the whole site until you click. It is annoying, drags down your Google ranking, and is not legally necessary. A box at the edge of the screen is enough.

The endless list of forty providers with checkboxes. It comes about when someone installs a standard tool that covers every conceivable service, even though the site uses only three of them. Nobody reads it, and it comes across as unsettling rather than serious.

The banner on a site that has no trackers at all. That is the most absurd case, and it happens more often than you’d think. A pure business card site without analytics, without external fonts, without embedded videos simply needs no banner. A banner then suggests a data collection that is not happening at all.

How do I get by with no cookie banner at all?

There is a way to avoid the banner entirely, and I take it on my own site. I use a self-built, cookieless analytics system. Cookieless analytics means: visitor numbers are measured without a cookie being stored on the device or an IP address being kept permanently. It sends nothing to Google or any other third party. The data stays on my own server. With that, there is nothing for which I’d have to obtain consent. That is why thomasgaechter.ch has no cookie banner, and that is not an oversight, but a deliberate decision.

The same can be achieved for most SMB sites. The typical triggers for a banner are replaceable:

• Embed fonts locally instead of loading them from the Google server. Then no data flows to Google.
• Cookieless analytics instead of Google Analytics. There are good solutions that work without consent, and I build that in as standard.
• Load videos only on click instead of permanently embedded. That prevents YouTube from pulling data the moment the page loads.
• Review maps and chat critically. A smaller company often doesn’t need much of that. Anyone who wants to be found locally is often better off with a well-maintained Google Business Profile than with an embedded map.

If you build a site this way from the start, the banner falls away with no replacement needed. The site loads faster, looks tidier, and you have less to explain.

An honest note: if you actively run Google Ads and rely on conversion measurement, you can hardly avoid Google tools and therefore banners and Consent Mode. Then the banner is part of the business. For most SMBs who simply want to know how many people visit their site, it is not.

What you need in any case

One thing remains mandatory regardless of the banner: an understandable privacy policy. It belongs in the footer and must honestly describe which data you process, for what purpose, who has access, and how people exercise their rights. That is the core of what the revDSG means by transparency. A pretty banner without a clean privacy policy does not meet the law. The policy is the foundation, the banner at most the roof.

My conclusion

The Swiss situation is more relaxed than the banner theater suggests. The revDSG requires transparency, not a click wall. You only need the banner if you use services that send data to third parties, Google above all. And those very services can be avoided on most SMB sites. Anyone who builds cleanly often needs no banner and still has useful visitor numbers. The fine of up to CHF 250,000, finally, is no corporate bogeyman, but hits an individual person privately if it comes to that.

If you’re unsure whether your site needs a banner or whether it is sending out data unnecessarily, I’m happy to take a look. Drop me a short note via the contact form, and I’ll tell you honestly what is necessary and what is not. For the legally binding assessment, I refer you to a professional, the FDPIC, or Steiger Legal.