Switzerland's nFADP, in force since September 1, 2023, modernizes Swiss privacy law and moves it closer to the GDPR. It applies to any organization that processes the personal data of people in Switzerland, wherever that organization is based. Its penalties are the surprise: criminal fines up to CHF 250,000 fall on the responsible individual, not on company revenue.
This guide covers what changed, who must comply, and how those penalties work. It closes with the question most site owners actually ask: whether Swiss law requires a cookie banner at all.
What Is the nFADP (the New Federal Act on Data Protection)?
The nFADP is Switzerland's fully revised Federal Act on Data Protection, in force since September 1, 2023. It modernizes Swiss privacy law and brings it closer to the GDPR, though the two remain distinct in several important ways.
The nFADP, also called the revFADP, new FADP, nDSG, or nLPD, replaced the country's 1992 data protection law. Parliament passed the revision in September 2020 to address modern data practices and align Swiss rules more closely with European standards. The Swiss government's SME portal describes its purpose as protecting the personality and fundamental rights of natural persons whose personal data is processed.
One change stands out immediately: the nFADP covers only the data of natural persons. The old FADP also protected the data of legal entities, such as companies. That protection was removed in the revision. A business's own corporate data no longer falls under Swiss data protection law; only the personal data of the people connected to it does.
The nFADP sits within the wider family of privacy laws worldwide, alongside the GDPR, the CCPA, and similar national frameworks.
When Did the nFADP Take Effect?
The nFADP entered into force on September 1, 2023, together with its implementing Data Protection Ordinance. Parliament adopted the revised act itself on September 25, 2020, after a multi-year revision process.
There was no staggered grace period after the effective date. Every organization in scope had to meet the new obligations from September 1, 2023, onward, with no phased rollout by company size or sector.
Who Does the nFADP Apply To? (Including Companies Outside Switzerland)
The nFADP applies to any private organization or federal body that processes the personal data of natural persons in connection with Switzerland. It reaches organizations wherever they are based, not only those headquartered in Switzerland.
Two scope details matter most for site owners and agencies working outside Switzerland.
- Extraterritorial reach. The nFADP reaches organizations outside Switzerland when their processing affects people in Switzerland or targets Swiss residents. That trigger is narrower than the GDPR's "anyone in the EU or EEA" standard, which does not require the same Swiss-residency connection.
- Natural persons only. The law covers personal data belonging to individuals. It no longer covers the data of legal entities, a protection the pre-2023 FADP included and the revision removed.
A US or EU-based company with Swiss customers, employees, or website visitors falls within the nFADP's reach, even without a Swiss office. Federal bodies are also covered, alongside private organizations.
What Changed Under the nFADP? (Key New Obligations)
The revision added several GDPR-style obligations that the old FADP lacked.
- Privacy by design and privacy by default: organizations must integrate privacy protection into the structure of products and services from the start, not bolt it on afterward.
- A mandatory record of processing activities (RoPA): most organizations must document what personal data they process and why, though the Data Protection Ordinance exempts SMEs whose processing presents limited risk.
- A data protection impact assessment for high-risk processing: organizations must assess and document risk before starting processing likely to result in a high risk to individuals.
- Prompt data-breach notification: the FDPIC must be notified "as soon as possible" after a data security breach, without the GDPR's fixed 72-hour clock.
- An expanded definition of sensitive data: genetic and biometric data now fall under the definition of sensitive personal data, alongside the categories the old law already covered.
- A defined concept of profiling: automated processing that evaluates personal aspects of an individual is now formally addressed in the law.
Two further points shape how the nFADP plays out in practice. A data protection advisor is recommended for private companies, but not mandatory, unlike the GDPR's DPO requirement in some cases. Unlike the GDPR, the nFADP also generally permits lawful data processing without requiring prior consent by default. Consent becomes a requirement only in specific situations the law calls out, not as the baseline rule for every processing activity.
What Are the nFADP's Penalties? (Fines Fall on Individuals)
The nFADP allows criminal fines of up to CHF 250,000. Unlike the GDPR, that fine is imposed primarily on the responsible individual, a natural person, rather than on the company itself.
Switzerland's Federal Data Protection and Information Commissioner states the maximum penalty directly: CHF 250,000. The offenses that trigger it are intentional only. There is no criminal penalty for a negligent data protection breach. Four categories of intentional violation carry criminal exposure:
- Failing to meet obligations to provide access, information, or cooperation
- Breaching the duty of care around data security
- Violating professional confidentiality
- Ignoring an FDPIC order
Company managers are not automatically shielded. A manager can be convicted directly under the nFADP's penal provisions when they are the individual responsible for the violation.
A company-level fine also exists, but only as a fallback, not a default. If the responsible individual cannot reasonably be identified, or identifying them would require disproportionate investigative effort, prosecutors may fine the company instead. That fallback fine caps at CHF 50,000, lower than the CHF 250,000 individual maximum.
Cantonal prosecution authorities, not the FDPIC itself, bring these cases. This structure, fines on people rather than company revenue, is what makes the nFADP look lighter on paper than the GDPR. The personal exposure for the people responsible for compliance is still real.
Does the nFADP Require a Cookie Consent Banner?
Swiss law does not mandate an EU-style prior opt-in cookie banner. Switzerland follows a transparency-plus-opt-out model. The FADP requires you to inform visitors about the cookies and trackers you use and why, and to let them opt out.
It does not require you to block cookies until a visitor actively accepts them. A cookie banner is therefore advisable, not strictly required, under Swiss law alone.
The cookie-consent rule itself does not come from the FADP directly. It sits in Switzerland's telecommunications law, which sets the opt-out framework for cookies and similar technologies. The FADP supplies the broader transparency and data-protection duties that apply once data collection happens. Telecom law governs the cookie mechanic; the FADP governs what you must tell visitors and how you handle what you collect.
Compare that to the EU cookie law, which requires affirmative opt-in consent before non-essential cookies load. Switzerland's baseline is lighter, but two developments below narrow that gap in practice.
What the FDPIC's 2025 Cookie Guidelines Expect
In February 2025, the FDPIC published guidelines on data processing using cookies and similar technologies. A follow-up document dated October 2025 has raised the bar on what counts as adequate practice.
The guidelines derive their requirements from the FADP, the Data Protection Ordinance, and existing Federal Supreme Court case law. They do not create a new legal mandate. The FDPIC describes their purpose as explaining how the regulator will continue its supervisory practice under the current law.
In practice, Swiss site owners should expect closer scrutiny of vague disclosures and manipulative banner designs. The underlying transparency-plus-opt-out framework itself has not changed.
When You Still Need a GDPR-Style Opt-In Banner in Switzerland
Even though Swiss law is lighter on cookies, a Swiss website usually still needs a GDPR-style opt-in banner for EU or EEA visitors.
If you offer goods or services to people in the EU, you fall within GDPR's scope. You must then follow the EU's stricter approach to cookie consent under the GDPR for those visitors. Most Swiss sites with any EU traffic end up showing an opt-in banner, even though Swiss law alone would not require one.
The clean solution most multi-jurisdiction sites land on is region-based consent. That means an opt-in banner for EU visitors and a transparency-plus-opt-out banner for Swiss and US visitors. The right version serves automatically, based on where the visitor is coming from.
How Is the nFADP Different from the GDPR?
The nFADP is often described as "GDPR-lite": closely aligned in spirit but lighter and less formalistic in several places.
| Aspect | nFADP (Switzerland) | GDPR (EU) |
|---|---|---|
| Territorial trigger | Processing that affects people in Switzerland or targets Swiss residents | Processing the data of anyone in the EU or EEA, regardless of where the organization is based |
| Consent for processing | Generally permitted without prior consent, if the processing is lawful | Requires an affirmative legal basis, often consent, before processing |
| Breach notification | To the FDPIC, "as soon as possible" | To the supervisory authority, within 72 hours |
| Maximum fine and who pays | Up to CHF 250,000, primarily on the responsible individual (company fallback capped at CHF 50,000) | Up to 20 million euros or 4% of global annual turnover, on the company |
| Data protection advisor | Recommended, not mandatory, for private companies | A Data Protection Officer is required in specific cases |
The fine structure is the distinction that surprises most readers coming from GDPR. Switzerland targets the person responsible for a violation with a criminal fine. The EU instead targets the company's revenue with an administrative one. See our GDPR explainer for the EU law's full requirements.
What the nFADP Means for Your Website
For a site in scope, the nFADP's obligations translate into a short list of concrete actions.
- Publish a clear privacy policy and cookie disclosure that explains what cookies and trackers you run and why.
- Give visitors an easy way to opt out of non-essential cookies, even though prior consent is not required by default.
- Scan your site so you know exactly what cookies, scripts, and trackers are actually running, rather than assuming.
- Keep records of your processing activities where the RoPA requirement applies.
- Add an opt-in consent banner for EU or EEA visitors if any of your traffic falls within GDPR's scope.
That last point covers a common point of confusion. A cookie-wall that blocks the entire site until a visitor accepts is not what Swiss law requires. It can also create its own compliance and user-experience problems, regardless of which law applies.
The compliant path for most sites is disclosure plus an opt-out mechanism for Swiss and general visitors. Layer an opt-in banner on top, specifically for EU traffic.
If any share of your traffic sits inside GDPR's scope, it's worth going further. The full steps to bring your website into GDPR compliance cover the stricter EU-side requirements this page only summarizes.
How Consently Helps You Handle Cookie Consent for Switzerland
Consently helps you run cookie consent across jurisdictions from one banner. Swiss law expects transparency and opt-out, while the GDPR expects opt-in. Consently's GDPR cookie consent solution uses region-based templates that show EU and EEA visitors an opt-in banner. Swiss and US visitors see an opt-out or dismiss banner instead, so the same site stays appropriate for each visitor automatically.
Consently also scans your site for cookies and trackers on install and updates the banner's categories automatically. You know what is actually running before you write a disclosure about it. Where opt-in applies, Consently can block non-essential cookies, scripts, and iframes until a visitor consents.
Two more features round out the Swiss-plus-EU picture. The cookie-policy and privacy-policy generators produce the disclosure documents the FADP's transparency duty calls for, tailored to your business in a few clicks. Consent logs with export give you a timestamped record of the choices visitors made, useful if you ever need to show your compliance work. Consently lists the nFADP among the regulations its platform supports.
Consently supports explicit, opt-in consent and an opt-out or dismiss model through its region-based templates. It does not detect browser-level Global Privacy Control signals, and a policy generator or banner tool is compliance assistance, not a legal guarantee. Meeting your legal obligations under Swiss or EU law remains your responsibility.
Try Consently free to see the region-based banner, scanner, and consent log running on your own site.
FAQs
What is the nFADP in simple terms?
The nFADP is Switzerland's revised Federal Act on Data Protection, in force since September 1, 2023. It modernizes Swiss privacy law and moves it closer to the GDPR.
When did the nFADP come into force?
The nFADP came into force on September 1, 2023, together with its implementing Data Protection Ordinance. The revised act itself was adopted on September 25, 2020.
Does the nFADP apply to companies outside Switzerland?
Yes. The nFADP reaches organizations based abroad whose processing affects people in Switzerland or targets Swiss residents, regardless of where the organization operates.
Do I need a cookie banner in Switzerland?
Not strictly, under Swiss law alone, which follows a transparency-plus-opt-out model. Most sites still need an opt-in banner if they have EU or EEA visitors. GDPR applies to that traffic regardless of where the site is based.
Is consent required for cookies under Swiss law?
Generally no prior opt-in consent is required; you must inform visitors and let them opt out. The FDPIC's 2025 guidance sharpens expectations around clear disclosure, without changing that underlying model.
What are the penalties under the nFADP?
Criminal fines up to CHF 250,000 apply to intentional breaches of specific duties, imposed primarily on the responsible individual rather than the company. A company-level fallback fine, capped at CHF 50,000, applies only if the individual cannot reasonably be identified.
Is the nFADP the same as the GDPR?
No. It is closely aligned but lighter and less formalistic. It has a narrower territorial trigger, fines that target individuals instead of company revenue, and no general prior-consent requirement for lawful processing.
Does my Swiss website also have to follow the GDPR?
Yes, if you offer goods or services to people in the EU or EEA. GDPR's stricter opt-in cookie rules then apply to those visitors, on top of your Swiss obligations.

