The Structure of the revFADP in 2026

The revFADP replaced Switzerland's 1992 data protection regime with a framework that closely tracks the GDPR in most operational respects while preserving a handful of distinctly Swiss positions. The revised Ordinance on Data Protection (rev-OPDP) and the Ordinance on Data Protection Certifications, both in force alongside the revFADP, fill in the operational detail.

What the Revision Changed

The revision introduced: mandatory breach notification to the FDPIC, a record-of-processing requirement for most controllers, data protection impact assessments for high-risk processing, a genuinely extraterritorial scope similar to the GDPR's Article 3(2), strengthened data subject rights, and a criminal-liability backstop applicable to individuals rather than only the controlling organization. The definition of personal data, the bases for lawful processing, and the structure of data subject rights are all closely aligned with the GDPR, which materially simplifies Swiss compliance for publishers already running a GDPR programme — but does not eliminate it.

Who Is Regulated

The revFADP applies to data processing in Switzerland and to processing outside Switzerland that affects individuals in Switzerland. Foreign publishers serving Swiss traffic through localized sites, a .ch domain, German-French-Italian-Romansh content tuned to Swiss audiences, or programmatic inventory bought against Swiss IPs are typically in scope, and the FDPIC has confirmed the extraterritorial reading in its 2025 guidance updates.

Administrative Fines and the Criminal Backstop

The revFADP's most-discussed departure from the GDPR is that its sanction architecture is primarily criminal rather than administrative. Individual fines — typically on the responsible natural persons such as directors, data protection officers, or compliance leads — can reach up to CHF 250,000 per violation for intentional infractions, with parallel criminal liability for the most serious conduct. The headline cap is lower than the GDPR's four-percent-of-turnover ceiling in absolute terms, but the direction of liability — at the named individual rather than only the organization — changes the risk calculus in practice. Several publishers have restructured internal sign-off workflows in 2025 specifically to distribute the exposure.

What Counts as Personal Data Under the revFADP

The revFADP's personal data definition closely tracks the GDPR. Personal data is information relating to an identified or identifiable person, and the FDPIC has consistently treated cookies, advertising identifiers, IP addresses, device fingerprints, and behavioral profiles as personal data when they can be tied to an individual directly or by combination with other information.

Particularly Sensitive Personal Data

The revFADP designates a category called particularly sensitive personal data that is somewhat broader than the GDPR's special categories. It includes: data on religious, philosophical, political, or trade union views and activities, health data, data on the intimate sphere or racial or ethnic origin, genetic and biometric data uniquely identifying a person, data on administrative and criminal proceedings or sanctions, and data on social assistance measures. Processing particularly sensitive personal data triggers elevated consent and transparency requirements.

Why This Matters for Cookies

A cookie storing a routine advertising identifier is ordinary personal data. A cookie that feeds an audience segment touching the particularly sensitive list — health interests, political leanings, religious affiliation — is particularly sensitive personal data processing and requires explicit consent, separate from the general advertising consent flow. Swiss-language audience targeting that overlaps this list should be audited specifically against the boundary, which is drawn slightly differently from the GDPR's special-category line.

Cookie Consent Under the revFADP in 2026

The revFADP permits several lawful bases for processing, and unlike the ePrivacy Directive as applied in EU member states, Swiss law does not impose a statutory consent-only baseline for non-essential cookies. In practice, however, the FDPIC's 2024 and 2025 guidance and the most recent enforcement decisions have converged on a position that is very close to the EU baseline for cookies tied to advertising, analytics, and cross-context profiling.

The FDPIC's Operational Position

The FDPIC's published position is that non-essential cookies — including advertising, retargeting, cross-site analytics, and personalization — require a prior, informed, freely given, and specific consent captured before the cookie fires. Strictly necessary cookies and cookies supporting a service the user has explicitly requested may be set on the legitimate-interest basis or on the contract-performance basis without a prior consent prompt, but the burden of classifying a cookie as strictly necessary sits with the controller and has been challenged in several 2025 complaints.

The Elements of Valid Consent

Consent under the revFADP must be:

• Freely given — without coercion, bundling with essential service provision, or a cookie wall that conditions core content access on a non-essential-cookie accept
• Informed — the data subject understands what data is processed, by whom, for what purpose, and with which recipients
• Specific — tied to clearly identified processing purposes rather than an umbrella consent
• Unambiguous — expressed through a clear affirmative act, not inferred from scrolling, continued browsing, or inactivity
• Explicit in cases involving particularly sensitive personal data, with separate consent for the sensitive processing

What a Compliant CMP Looks Like for Swiss Traffic

A CMP configured for Switzerland in 2026 should present:

• A banner served in the user's language — German, French, Italian, or Romansh — before any non-essential cookie fires, with language selection matching the .ch site localization rather than defaulting to English
• Equal visual prominence for Accept, Reject, and Settings actions — the FDPIC's 2025 guidance explicitly criticizes banner designs where Reject is visually de-emphasized relative to Accept
• Granular toggles per purpose: analytics, advertising, personalization, cross-border transfer, and any particularly sensitive category
• A separate consent flow for any processing of particularly sensitive personal data, gated behind its own action rather than bundled into the general consent
• A persistent, easily-found mechanism to withdraw consent after the initial choice, at parity of friction with giving consent
• A full Swiss-language privacy notice disclosing controller identity, processors, purposes, recipients, retention periods, transfer mechanisms, and the data subject rights pathway

Consent Records

Controllers must maintain evidence of consent — who consented, when, to which specific purposes, and through which interface. Inadequate consent records featured in several FDPIC investigative letters in 2025, and timestamped exportable logs retained for the applicable statute-of-limitations period are the baseline expectation.

Cross-Border Transfers After the 2024 Adequacy Realignment

Cross-border data transfers are the revFADP area where the Swiss position most clearly departs from, and slightly lags, the EU position. The 2024 realignment following the EU's adoption of the EU-US Data Privacy Framework produced a parallel Swiss-US Data Privacy Framework, but its scope and conditions are not identical.

The Recognized Transfer Mechanisms

The revFADP and rev-OPDP recognize several pathways:

• Adequacy decisions by the Swiss Federal Council for countries assessed as providing adequate protection — the current list includes the EEA, the United Kingdom, and a handful of other jurisdictions
• The Swiss-US Data Privacy Framework for transfers to US organizations self-certified under the framework, which replaced the Swiss-US Privacy Shield after 2024
• Standard contractual clauses recognized by the FDPIC, including the EU SCCs with a Swiss addendum that the FDPIC published
• Binding corporate rules approved by the FDPIC
• Specific exemptions including explicit consent with adequate disclosure, contract necessity, vital interest, and substantial public interest

The Swiss-US DPF in Practice

The Swiss-US DPF covers transfers to US organizations that have self-certified and maintained their certification. Publishers should verify each US ad-tech or analytics vendor's active certification status on the DPF list rather than relying on a one-time check, because lapsed certifications do not retroactively invalidate prior transfers but do require immediate remediation for ongoing flows. Where a vendor is not DPF-certified, the EU SCCs with the FDPIC's Swiss addendum remain the working alternative.

The Practical 2026 Approach

For most publishers, the working approach is to map each cross-border data flow from Swiss traffic to its destination country and mechanism, execute the appropriate SCCs-with-Swiss-addendum where DPF certification does not cover the vendor, document the mechanism in the Swiss-language privacy notice, and supplement with consent-based authorization only where the structured mechanisms do not cleanly fit the processing.

Data Subject Rights Under the revFADP

The revFADP grants a set of rights closely tracking the GDPR, with a few Swiss-specific contours:

• Right of access to personal data held by the controller, with a free first access per year and a cost-recovery ceiling for subsequent or large-scope requests
• Right of rectification of inaccurate or incomplete data
• Right of erasure
• Right to restrict processing
• Right to data portability for data processed by automated means on consent or contract
• Right to object to processing
• Right to withdraw consent
• Right not to be subject to automated individual decision-making producing legal or similarly significant effects, with a safeguard for manual review
• Right to lodge a complaint with the FDPIC or to bring civil proceedings

Response Timelines

Controllers must respond to data subject requests within 30 days under the general framework, extendable by a reasoned notification in complex cases. Operational readiness for this window — with Swiss-language tooling and runbooks across German, French, and Italian — is a common gap for foreign publishers that have tuned their programme to a single European language.

Penalties and Enforcement Posture in 2026

The FDPIC's enforcement activity escalated meaningfully through 2024 and 2025, and 2026 is continuing the trajectory rather than plateauing.

The Fine Structure

Fines are primarily criminal in nature and directed at named individuals — directors, DPOs, compliance leads — with a cap of CHF 250,000 per intentional violation. The most commonly cited categories in 2025 enforcement were: insufficient information to data subjects, breach of due care in cross-border transfers, failure to fulfil the duty to notify data breaches to the FDPIC within the required window, and non-compliance with FDPIC decisions or orders.

The Criminal Liability Backstop

Unlike the GDPR, the revFADP's criminal-liability route is against the natural person responsible rather than only the legal entity, which has prompted substantial internal restructuring of sign-off workflows in 2025. The practical effect is that compliance attestations and audit trails matter not only for the organization's exposure but also for the individual's exposure — and DPOs in particular have adjusted documentation practice to reflect this.

Enforcement Themes

The FDPIC's 2025 and early-2026 actions cluster around: cookie banners that de-emphasize the Reject action or use pre-ticked boxes, privacy notices not available in the user's Swiss national language, cross-border transfers to US vendors that are not DPF-certified and lack an alternative mechanism, failure to respond to data subject requests within the 30-day window, and delayed or missing breach notifications. Foreign publishers have been cited in all five categories, with the banner-design and cross-border-transfer categories leading the docket.

Audit Checklist for Swiss Traffic in 2026

• CMP banner is served in the user's Swiss national language (DE, FR, IT, or RM) with Accept, Reject, and Settings at equal visual prominence
• Consent purposes are granular and separate particularly sensitive processing behind its own consent flow
• Privacy notice is available in each relevant Swiss language with full disclosures of controller, processors, purposes, retention, rights, and FDPIC complaint pathway
• Each cross-border flow from Swiss traffic is mapped to its destination and mechanism — adequacy, Swiss-US DPF certification, FDPIC-Swiss-addendum SCCs, BCRs, or a documented exemption
• US vendor DPF-certification status is re-verified on the published list rather than taken once and forgotten
• Consent logs are timestamped, exportable, and retained for the applicable statute-of-limitations period
• Data subject request workflow can respond within 30 days end-to-end, in German, French, and Italian
• Breach notification runbook is tuned to the revFADP's timelines and integrated with the internal incident-response process
• Sign-off workflows reflect the criminal-liability-at-individual architecture, with named approvers and documentation trail
• Particularly-sensitive-category audience segments are gated behind explicit, separately-captured consent
• Cookie classification has been reviewed with a critical eye toward which cookies actually qualify as strictly necessary under the FDPIC's guidance

The 2026 Outlook

Switzerland's data protection regime has matured from a respected-but-quiet older statute into a working instrument with the operational specificity, the enforcement capacity, and the criminal-liability architecture to shape compliance priorities on its own rather than merely ride on the EU programme. The 2024 adequacy realignment closed the most consequential structural gap around US transfers, and the FDPIC's escalating 2025 enforcement posture is consistent with a regulator scaling up in a sustained way rather than running a one-off campaign. For publishers already running a GDPR-grade consent stack, the gap to revFADP compliance is narrower than the gap for any other non-EU jurisdiction — but it is real, and it lives in the specifics: Swiss-language banners and notices, DPF-versus-SCC mapping for each US vendor, the particularly sensitive category's slightly different line, the 30-day response cadence across three or four languages, and the criminal-liability architecture that makes individual sign-off documentation a first-class compliance artefact rather than a nice-to-have. The gap can be closed in weeks if prioritized, and Switzerland's publisher CPMs make the prioritization economically straightforward. The publishers who quietly treated Switzerland as a GDPR passthrough through 2024 are finding 2026 meaningfully more demanding, and the trend is clear.