Swiss nFADP (revDSG) and Web Analytics
Switzerland’s revised data protection law and what it means for analytics: transparency duties, transfers, and pragmatic setup.
Switzerland's revised data protection law (nFADP in English, revDSG/nLPD locally, in force since September 2023) brought Swiss privacy law into GDPR's neighborhood while keeping a distinctly Swiss temperament: principles over prescriptions, transparency over consent theater. For web analytics on Swiss sites (or sites serving Swiss users), the practical rules are friendlier than GDPR's, with two sharp edges.
Where Swiss law is more relaxed
- No general consent requirement for processing: unlike GDPR's lawful-basis architecture, Swiss law permits processing personal data without consent if its principles (transparency, proportionality, purpose limitation) are respected and no personality violation occurs. Routine analytics rarely requires a consent banner under Swiss law alone.
- No ePrivacy-style cookie rule with teeth: Switzerland's telecom law asks for information about cookies and a pointer to refusal options (browser settings suffice) — far short of the EU's prior-consent regime.
The two sharp edges
- Transparency is mandatory and personal: the duty to inform covers what you collect, why, and crucially every country where data lands. An analytics vendor processing in the US puts the US in your privacy notice and triggers the transfer analysis — the Swiss-flavored cousin of Schrems II logic, with the Swiss-US Data Privacy Framework as the current (and similarly contestable) bridge.
- Criminal liability lands on people: the Swiss novelty that concentrates minds — intentional violations of information and transfer duties carry fines against responsible individuals, not just companies. Sloppy privacy notices stopped being a corporate rounding error.
The pragmatic Swiss setup
EU-resident, cookieless analytics solves the whole chapter at once: no US transfer to disclose or paper over (residency logic), no identifiers to make processing personality-relevant (the rotating-hash architecture), and a privacy-notice paragraph that is short because the facts are short. Swiss sites serving EU visitors inherit GDPR duties anyway under its extraterritorial reach — one GDPR-clean architecture covers both regimes without per-jurisdiction gymnastics.