Cookie banner as a compliance minefield
Cookie banners have long since become more than an annoying click hurdle - they have developed into a demanding test of data protection compliance that can quickly expose companies in Europe to serious liability.

We all know it: the more or less annoying «clicking away» of cookie options. What has become a habit for visitors to websites means a considerable amount of work for the operators of these sites. And legally, cookies are anything but trivial, as an expert explains below - especially because the Internet is quickly becoming an international arena.
A minefield beyond the GDPR
According to German data protection lawyer Asmus Eggert, many companies underestimate the fact that cookie violations are often not primarily prosecuted via the GDPR, but via ePrivacy regulations and their national implementations - without the protection of the one-stop-shop mechanism. This means that practically any national supervisory authority can be responsible as soon as users' end devices are accessed in its territory, regardless of whether the company has a local branch there. Anyone who is lulled into a false sense of security risks parallel proceedings in several EU member states.
Technical non-compliance as the main problem
According to Eggert, the main risk lies in the discrepancy between legal requirements and the actual functioning of the website. Common mistakes include setting unnecessary cookies before effective consent is given, insufficiently informed consent texts and technically flawed or only seemingly effective «decline all» buttons. Added to this are incorrectly configured consent management tools that slip unnoticed into non-compliance after updates and thus create a risk of fines overnight.
Responsibility remains with the site operator
Referring to the consent management provider does not help in an emergency, as the website operator always remains legally responsible. In practice, problems rarely result from the tool itself, but from incorrect implementation, incorrect categorization of cookies and a lack of regular monitoring. Eggert therefore recommends technical function checks, documented changes and clear responsibilities between data protection, IT and marketing.

Transparency instead of dark patterns
According to Eggert, transparency is not an optional extra, but a duty: users must be able to clearly see what purposes are being pursued, which third-party providers are involved and how long data is stored. Comprehensible descriptions of the purposes, complete lists of third-party providers, equally designed consent and opt-out buttons at the first level and a simple revocation option at any time are required. Designs that use hidden opt-out options or visually dominating consent buttons to force consent can be inadmissible dark patterns that call into question the voluntary nature of consent.
High fines tied to global turnover
The risks of sanctions are considerable: in many countries, the ePrivacy fine regimes are linked to the concept of an undertaking known from competition law, meaning that global group turnover can become relevant. While the German framework for certain cookie violations is formally limited to EUR 300,000, other countries such as France, Spain or Italy allow significantly higher amounts up to nine-figure sums or the full GDPR fine framework. This can quickly take on existential dimensions, especially for international platforms.
Three blocks of measures for greater safety
Eggert advises companies to adopt a structured triad of technical analysis, content revision and governance. First of all, it should be checked in detail which cookies, scripts and tracking technologies are activated when and in which decision scenarios and whether user decisions are consistently respected. This is followed by clearly formulated banner texts, complete lists of third-party providers, an equally placed opt-out button and a consent architecture that enables genuine freedom of choice - supported by a platform, but flanked by legal and technical controls.
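The technical analysis described above can be partly automated. The following is an added example, not part of the original article or of any tool it mentions: it compares captured Set-Cookie headers per decision scenario against a cookie inventory. The cookie names, categories and captured headers are constructed, and the rule that only necessary cookies may be set before consent or after «decline all» is the assumption being tested.

```python
from http.cookies import SimpleCookie

# Constructed cookie inventory (hypothetical names): cookie name -> documented category.
CATEGORIES = {
    "session_id": "necessary",
    "consent_state": "necessary",
    "_analytics_id": "analytics",
    "ad_uid": "marketing",
}

# Constructed capture: Set-Cookie headers observed in each decision scenario,
# e.g. exported from browser developer tools after a fresh page load.
CAPTURE = {
    "no_interaction": [
        "session_id=abc; Path=/; HttpOnly; Secure",
        "_analytics_id=A1.2; Path=/; Max-Age=63072000",
    ],
    "decline_all": [
        "consent_state=declined; Path=/; Max-Age=15552000",
        "ad_uid=u-77; Path=/; Max-Age=31536000",
    ],
    "accept_all": [
        "consent_state=all; Path=/; Max-Age=15552000",
        "_analytics_id=A1.2; Path=/; Max-Age=63072000",
        "new_widget=1; Path=/",
    ],
}

# Assumed policy: categories each scenario may legitimately set.
EVERYTHING = {"necessary", "analytics", "marketing"}
ALLOWED = {"no_interaction": {"necessary"}, "decline_all": {"necessary"},
           "accept_all": EVERYTHING}

def audit(capture, categories=CATEGORIES, allowed=ALLOWED):
    """Return findings as (scenario, cookie, category, lifetime_days) tuples."""
    findings = []
    for scenario, headers in capture.items():
        for raw in headers:
            jar = SimpleCookie(raw)  # parses one Set-Cookie header value
            for name, morsel in jar.items():
                category = categories.get(name, "uncategorised")
                if category not in allowed[scenario]:
                    max_age = morsel["max-age"]  # empty string for session cookies
                    days = int(max_age) // 86400 if max_age else None
                    findings.append((scenario, name, category, days))
    return findings

if __name__ == "__main__":
    print(*audit(CAPTURE), sep="\n")
```

The check covers only cookies set through HTTP response headers; cookies written by scripts and other tracking technologies need a browser-based capture feeding the same comparison.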
Ongoing governance as a mandatory program
Finally, Eggert calls for a permanent testing and monitoring process to ensure that new tools or relaunches do not inadvertently lead to violations. Those who can prove to supervisory authorities that they have a seriously implemented testing and documentation system are in a much better position in the process - those who treat cookie banners as a one-off technical exercise, on the other hand, are sitting on a «ticking compliance time bomb».
Source: mip Consult
Cookie regulations in Switzerland
Until recently, cookie regulation in Switzerland was not as clear as in the EU. For this reason, the FDPIC published new guidelines for the setting of cookies in 2025. These guidelines represent a tightening of the regulations and an alignment with the legal situation in the EU.
According to the revised Swiss Data Protection Act (DSG) and Telecommunications Act (FMG), cookies are generally permitted as long as users are informed transparently about the type, purpose and objection options and their personal rights are not violated. Necessary cookies may be used without consent, while stricter requirements apply to non-essential cookies: Depending on the risk, an opt-out or a justification based on legitimate interests is sufficient, but in the case of high-risk profiling or the processing of particularly sensitive data, explicit opt-in consent with clear information, voluntariness and revocation options is required.
Sanctions are primarily aimed at the natural persons responsible; fines of up to CHF 250,000 are envisaged, in simpler cases up to CHF 50,000 if the investigation of the specific person responsible would be disproportionate. In addition, the FDPIC may impose supervisory measures such as orders to adapt or refrain from certain tracking and cookie practices.