In January 2025, the Federal Data Protection and Information Commissioner (FDPIC) published the first guide dedicated to the use of cookies and similar technologies. A few months later, the new October 2025 version introduces substantial amendments and clarifications on several key points: proportionality, advertising profiling, and freedom of consent.
The goal is to clarify when and how personal data may be processed through cookies, especially in areas such as personalized advertising and online tracking systems.
The updated guide emphasizes that consent, where required, must be informed, specific, and genuinely free. This includes, for instance, a careful assessment by website operators of so-called cookie paywalls. These mechanisms require users to choose whether to consent to cookie-based tracking or to pay a predetermined fee (typically a subscription) to access website content. In such cases, users pay to access online services if they refuse consent to cookie tracking.
According to the FDPIC, “the voluntariness of consent to data processing depends, first, on whether the financial contribution is proportionate and, second, on whether it does not undermine the fundamental nature of the right to data protection. With respect to proportionality, website operators must ensure that the price charged is proportionate to the loss of revenue resulting from the refusal to transmit data to third parties.”
Operationally, this entails a prior, careful assessment by website operators to evaluate the proportionality of the economic contribution requested from users who decline cookie-based tracking.
But what happens if a Swiss company offers services or products to individuals in the EU? In this context, website operators must also verify the applicability of non-Swiss regulations, which may impose stricter or looser rules regarding cookie paywalls. The European Data Protection Board (EDPB), in its Opinion 8/2024 (May 2024), clarified that a “pay or consent” model can only be legitimate in narrowly defined circumstances—such as online media financed by advertising—but not for essential or institutional services. Operators must also consider any stricter rules applicable in individual EU Member States.
The updated guide also revisits and expands on the concepts of advertising tracking through “standard profiling” and through “high-risk profiling.”
“Standard profiling” refers to the analysis of user behavior and interests within a single website or service to offer basic personalized advertising.
In this case, the FDPIC considers the level of intrusion into an individual’s personality as moderate, since interests and consumption habits are inferred within predictable limits for the user.
Conversely, “high-risk profiling” occurs when data are collected and combined across multiple sites or platforms, involving in-depth behavioral analyses (cross-site tracking, data sharing, enrichment with third-party data).
Here, the FDPIC deems the level of intrusion into the individual’s personality high, as it enables the creation of complex personal profiles (preferences, movements, relationships, even characteristics considered sensitive).
This distinction must be carefully assessed by website operators to determine whether to implement “opt-out” systems in some cases or require “opt-in” mechanisms in others.
As already prescribed in the January 2025 version of the guide, the FDPIC requires website operators to conduct a data protection impact assessment (in accordance with Article 22 FADP) if personal tracking leads to high-risk profiling of an individual’s personality or fundamental rights under Article 5(g) FADP.