Go to any Swiss business website right now and there is a good chance the cookie banner is implemented wrong. Not just aesthetically wrong, but legally wrong. Pre-checked boxes for analytics cookies. No way to reject non-essential cookies. Google Analytics firing before any consent is given. Google Fonts loading from Google's servers and leaking visitor IP addresses on every page load.
These are not edge cases. They are the norm. And each one can result in fines, complaints to data protection authorities, and legal exposure that most business owners are completely unaware of.
This guide goes through the most common cookie consent mistakes on Swiss websites, explains the legal requirements under both the EU GDPR and the Swiss nLPD, and gives practical solutions for each issue.
Mistake 1: Pre-Checked Consent Boxes
Many cookie banners show a list of cookie categories (necessary, analytics, marketing) with checkboxes. The analytics and marketing boxes are pre-checked, meaning consent is assumed unless the user actively unchecks them.
Why This Is Wrong
The Court of Justice of the European Union (CJEU) ruled in the Planet49 case (2019) that pre-checked consent boxes do not constitute valid consent under GDPR. Consent must be given through a clear affirmative action. A pre-checked box requires the user to take action to withdraw something that was never properly given. That is not consent; it is opt-out, and opt-out is not sufficient under GDPR.
The European Data Protection Board (EDPB) has repeatedly stated that valid consent requires:
- Freely given: The user must have a genuine choice without detriment
- Specific: Consent must be given for each distinct purpose
- Informed: The user must know what they are consenting to
- Unambiguous: Given through a clear affirmative action (clicking "Accept," checking an empty box)
Pre-checked boxes fail the "unambiguous" requirement.
How to Fix It
All non-essential cookie categories must be unchecked by default. The user must actively opt in by checking the box or clicking "Accept All." The "Necessary" category can be pre-checked because these cookies do not require consent (they are essential for the website to function).
Mistake 2: No Reject Button (or Making It Hard to Find)
Many cookie banners have a prominent "Accept All" button but no equally visible way to reject non-essential cookies. Some hide the reject option behind a "Settings" or "Manage Preferences" link that requires additional clicks. Others do not offer a reject option at all.
Why This Is Wrong
Multiple European data protection authorities (France's CNIL, Italy's Garante, Austria's DSB) have ruled that refusing cookies must be as easy as accepting them. If accepting requires one click on a prominent button and rejecting requires navigating through settings, finding a "Reject" option, and then confirming, the consent is not freely given.
The CNIL fined Google 150 million euros and Facebook 60 million euros in 2022 specifically for making it harder to refuse cookies than to accept them.
How to Fix It
Place a "Reject All" or "Only Necessary" button at the same visual prominence level as "Accept All." Same size, same color weight, same position in the visual hierarchy. The user should be able to decline all non-essential cookies with a single click, just as they can accept all with a single click.
Mistake 3: Cookie Wall (No Access Without Consent)
Some websites block access to content entirely until the user accepts cookies. You cannot read the page, navigate the site, or do anything until you click "Accept."
Why This Is Wrong
The EDPB has stated that consent is not freely given when access to a service is conditional on accepting cookies that are not necessary for that service. This is known as a "cookie wall" and is considered non-compliant with GDPR by most data protection authorities.
There are limited exceptions (some authorities allow cookie walls for free services that are funded by advertising, provided a genuine alternative is offered), but for most business websites, blocking access until consent is given is not compliant.
How to Fix It
Allow users to access and use your website regardless of their cookie choice. If they reject non-essential cookies, the site should still be fully functional. Only strictly necessary cookies (session cookies, CSRF tokens, load-balancer affinity cookies) may be set without consent.
Mistake 4: Tracking Before Consent
This is the most common technical mistake. The cookie banner appears, but Google Analytics, Facebook Pixel, Google Tag Manager and various other tracking scripts have already loaded and started collecting data before the user has interacted with the banner at all.
Why This Is Wrong
Under GDPR, consent must be obtained before processing. Loading Google Analytics means the visitor's IP address, browser information, device characteristics, and browsing behavior are already being sent to Google's servers. The consent banner is cosmetic at this point; the data has already been collected.
Many cookie consent tools (especially free or cheap ones) only manage the display of the banner. They do not actually block scripts from loading before consent. The banner says "We use cookies," but the cookies are already set and the tracking has already begun.
How to Fix It
Implement a consent management platform that actually blocks non-essential scripts until consent is given. This requires technical implementation, not just adding a banner overlay. Scripts should be conditionally loaded: only after the user clicks "Accept" should Google Analytics, Facebook Pixel, and similar scripts execute.
With Google Tag Manager, this means setting up consent mode and configuring triggers that only fire after consent is granted. Every tag that sets non-essential cookies or transmits data to third parties must be gated behind consent.
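As an added illustration of consent-gated loading (example code written for this guide, not the implementation of Google Tag Manager or of any consent platform): the gate below keeps every non-essential category denied by default, queues the scripts registered for each category, injects them only after an affirmative action, and keeps a record of each consent decision. `injectScript` is an assumed helper supplied by the caller, and `G-XXXXXXX` is a placeholder measurement ID.

```javascript
// Added example: consent gate that holds back non-essential scripts until
// the visitor opts in. Example code for this guide, not the implementation of
// Google Tag Manager or of any consent platform.

const GATED = ["analytics", "marketing", "preferences"]; // categories that need consent

// Default state: nothing non-essential is granted until an affirmative action.
function defaultConsent() {
  const state = { necessary: true };           // strictly necessary cookies need no consent
  for (const c of GATED) state[c] = false;     // no pre-checked boxes
  return state;
}

// `injectScript(src)` is an assumed caller-supplied helper. In a browser it
// appends a <script> element; here it can simply record the URL.
function createConsentGate(injectScript) {
  let state = defaultConsent();
  const queued = Object.fromEntries(GATED.map((c) => [c, []])); // scripts waiting per category
  const loaded = new Set();                                     // URLs already injected
  const record = [];                                            // consent log (evidence of compliance)

  function flush(category) {
    for (const src of queued[category]) {
      if (loaded.has(src)) continue;           // a script runs at most once per page load
      injectScript(src);
      loaded.add(src);
    }
  }

  // Register a third-party script under a category. It is NOT loaded now
  // unless that category has already been granted.
  function register(category, src) {
    if (!(category in queued)) throw new Error(`unknown or non-gated category: ${category}`);
    queued[category].push(src);
    if (state[category]) flush(category);
  }

  // Apply the visitor's choice. `source` records how consent was given
  // (banner button, settings dialog) for the audit trail.
  function update(choices, source) {
    const next = { ...state };
    for (const c of GATED) if (c in choices) next[c] = Boolean(choices[c]);
    state = next;
    record.push({ at: new Date().toISOString(), source, state: { ...state } });
    for (const c of GATED) if (state[c]) flush(c);
    return { ...state };
  }

  return {
    register,
    update,
    acceptAll: () => update(Object.fromEntries(GATED.map((c) => [c, true])), "accept_all"),
    rejectAll: () => update(Object.fromEntries(GATED.map((c) => [c, false])), "reject_all"),
    getState: () => ({ ...state }),
    getRecord: () => record.slice(),
    getLoaded: () => [...loaded],
  };
}

// Walk-through with a recording injector (no DOM needed).
function demo() {
  const injected = [];
  const gate = createConsentGate((src) => injected.push(src));
  // G-XXXXXXX is a placeholder measurement ID.
  gate.register("analytics", "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX");
  gate.register("marketing", "https://connect.facebook.net/en_US/fbevents.js");
  const beforeChoice = injected.length;        // 0: nothing fires before the visitor acts
  gate.rejectAll();
  const afterReject = injected.length;         // still 0: "Reject All" is one click, no tracking
  gate.update({ analytics: true }, "settings_dialog"); // granular opt-in for one category only
  return {
    beforeChoice,
    afterReject,
    loaded: injected.slice(),
    state: gate.getState(),
    recordEntries: gate.getRecord().length,
  };
}
```

In a browser the injector would be `src => { const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s); }`, and the consent record would be persisted in a first-party cookie or sent to your own server. A script that has already executed cannot be unloaded, so when a visitor later withdraws consent the usual approach is to delete the category's cookies and reload the page with the new state.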
Mistake 5: Google Analytics Without Consent
Google Analytics is the most widely used analytics tool on the web. It is also one of the most problematic from a privacy perspective.
The Problem
Google Analytics (both Universal Analytics and GA4) sends visitor data to Google's servers in the United States. This data includes IP addresses (even with IP anonymization, the full IP reaches Google's servers briefly before truncation), browser information, browsing patterns, and device data.
Several European data protection authorities have ruled that the use of Google Analytics without proper consent violates GDPR. The Austrian DSB, French CNIL, Italian Garante, and others have all issued decisions against the use of Google Analytics, specifically because of the data transfer to the US.
Even with Google's consent mode (which limits data collection when consent is not given), the connection to Google's servers itself transmits some data (the request includes the visitor's IP address, User-Agent, and the page URL).
How to Fix It
- Option 1: Use Google Analytics with proper consent management. Do not load GA at all until the user explicitly consents. Not even in consent mode. No script, no request to Google's servers.
- Option 2: Use a server-side proxy for Google Analytics that strips personal data before it reaches Google. This adds complexity but allows analytics without direct data transfer to Google.
- Option 3: Switch to a privacy-focused analytics tool that does not set cookies and does not transfer data to third parties (see the section on cookie-free alternatives below).
Mistake 6: Google Fonts Loaded from Google Servers
This one surprises many people. Google Fonts, the free font service used by millions of websites, is a GDPR issue when loaded from Google's CDN (fonts.googleapis.com).
The Problem
When a visitor loads a page that fetches fonts from Google's servers, the visitor's browser makes a request to Google. This request includes the visitor's IP address, the referrer URL (which page they are on), and standard HTTP headers. Google receives this data for every page load, for every visitor.
In January 2022, a German court (Landgericht Munich) ruled that a website loading Google Fonts from Google's CDN without the visitor's consent violated GDPR. The court ordered the website operator to pay damages of 100 euros to the plaintiff. While 100 euros sounds small, the ruling established a legal precedent that triggered a wave of automated complaint letters demanding compensation from thousands of website operators across Germany and Austria.
The principle applies across the EU and, by extension, affects Swiss websites that serve EU visitors or that are subject to GDPR through other means.
How to Fix It
Self-host your Google Fonts. Download the font files from Google Fonts and serve them from your own server. This eliminates the connection to Google's servers and the associated data transfer. The fonts work identically; the only difference is that they come from your domain instead of Google's.
Tools like google-webfonts-helper make this straightforward. Download the font files, add the CSS @font-face declarations to your stylesheet, and remove the Google Fonts <link> tag. As a bonus, self-hosted fonts typically load faster because they do not require a separate DNS lookup and connection to Google's CDN.
Mistake 7: Dark Patterns in Consent Banners
Dark patterns are design choices intended to manipulate users into a specific action. In cookie consent, dark patterns include:
- Color manipulation: The "Accept" button is bright and prominent. The "Reject" or "Settings" link is gray, small, or styled as a text link rather than a button.
- Misleading labels: "Accept All" is a clear button. The alternative is labeled "Learn More" or "Manage Settings" rather than "Reject."
- Emotional language: "Accept cookies for a better experience" vs. "Reject cookies (you may miss out on features)" or similar wording that discourages rejection.
- Repeated prompting: After the user rejects cookies, the banner reappears on every page or after every session, hoping the user will eventually click "Accept" out of fatigue.
- Confusing toggles: Toggle switches where "on" means different things for different categories, or where the visual state is ambiguous.
Why This Is Wrong
The EDPB's guidelines on consent explicitly state that dark patterns undermine the "freely given" condition of valid consent. If the design is intended to steer users toward accepting, the consent is not free.
The CNIL's fines against Google and Facebook specifically cited dark patterns as a reason for non-compliance.
How to Fix It
Design the consent interface with genuine neutrality. Both options should be equally easy to use. No color tricks, no misleading labels, no emotional pressure. The test is simple: would a reasonable person be able to reject cookies as easily as they can accept them? If not, the design needs to change.
Swiss nLPD vs. EU GDPR: Differences for Cookies
Switzerland has its own data protection law, the new Federal Act on Data Protection (nLPD / nDSG), which came into force on September 1, 2023. It is different from the EU GDPR in some respects:
Key Differences
| Aspect | EU GDPR | Swiss nLPD |
|---|---|---|
| Cookie consent | Required for non-essential cookies (ePrivacy Directive) | No explicit cookie consent requirement in the law itself |
| Legal basis for processing | Requires explicit consent for cookies under ePrivacy + GDPR | Based on transparency and legitimate interest for most processing |
| Fines | Up to 4% of annual global turnover or EUR 20 million | Up to CHF 250,000 (against individuals, not companies) |
| Enforcement | Data protection authorities can investigate and fine proactively | The FDPIC has an advisory role; violations are prosecuted under criminal law |
| Scope | Applies to processing of EU residents' data | Applies to processing affecting persons in Switzerland |
What This Means in Practice
The Swiss nLPD does not explicitly require cookie consent in the same way the EU ePrivacy Directive does. However:
- If your Swiss website is accessible to EU visitors (which virtually all websites are), you need to comply with GDPR for those visitors.
- The nLPD requires transparency about data processing. You must inform users about what data you collect and why, even if the consent mechanism is different.
- Profiling with high risk requires explicit consent under the nLPD.
- Transferring data to countries without adequate data protection (including the US) requires additional safeguards under both laws.
The practical recommendation: implement GDPR-compliant cookie consent. It satisfies both GDPR (for EU visitors) and nLPD (which has less strict but overlapping requirements). Building two separate consent mechanisms for Swiss and EU visitors is impractical and unnecessary.
For a detailed guide on GDPR compliance for your website, see our article on GDPR website compliance. For Swiss-specific requirements, see our guide on nLPD website compliance.
Fines and Enforcement Actions
Cookie consent violations are being actively enforced across Europe:
- Google (France, 2022): EUR 150 million for making cookie rejection harder than acceptance
- Facebook/Meta (France, 2022): EUR 60 million for the same reason
- Amazon (Luxembourg, 2021): EUR 746 million (related to tracking and consent, though broader than just cookies)
- TikTok (France, 2023): EUR 5 million for cookie consent violations
- Microsoft (France, 2022): EUR 60 million for cookies deposited without consent on bing.com
- Numerous smaller fines: Thousands of euros against individual websites across Germany, Austria, Italy, and Spain for specific cookie consent violations
In Switzerland, the nLPD's enforcement mechanism is different (criminal penalties against responsible individuals rather than company fines), but the direction is the same: regulators are paying attention to cookie compliance.
Cookie-Free Analytics Alternatives
If cookie consent is a compliance headache, one solution is to eliminate the need for consent by using analytics tools that do not set cookies and do not transfer personal data to third parties.
Options
- Plausible Analytics: Open-source, privacy-focused, no cookies, no personal data collection. Hosted in the EU or self-hosted. Does not require cookie consent under GDPR. Provides useful traffic analytics without identifying individual visitors.
- Fathom Analytics: Similar approach to Plausible. Privacy-first, no cookies, GDPR compliant without consent. Simple dashboard with the metrics most businesses actually need.
- Umami: Open-source, self-hosted analytics. No cookies, no tracking of personal data. Free to self-host.
- Matomo (with cookieless mode): Can be configured to run without cookies. When self-hosted and configured for cookieless tracking, no consent is required. Full-featured analytics platform.
- Server-side analytics: Analyze server access logs directly. No client-side tracking, no cookies, no consent required. Limited compared to JavaScript-based analytics but sufficient for basic traffic analysis.
The Trade-Off
Cookie-free analytics tools provide less granular data than Google Analytics. You get page views, traffic sources, and general visitor demographics, but not detailed user journeys, conversion funnels, or cross-device tracking. For most business websites, the simpler data is sufficient. For complex e-commerce sites or SaaS applications that need detailed user behavior analysis, Google Analytics with proper consent management may still be necessary.
The advantage is significant: no cookie banner needed for analytics, no consent management complexity, no GDPR compliance risk from analytics, and faster page loads (no third-party analytics scripts).
How to Implement Proper Cookie Consent
Here is a practical checklist for a compliant cookie consent implementation:
- Audit all cookies and tracking. List every cookie your site sets, every third-party script that loads, and every external connection your site makes. Tools like Cookiebot or CookieYes can scan your site automatically.
- Categorize cookies. Necessary (session, security, load balancing), Analytics (Google Analytics, Matomo), Marketing (Facebook Pixel, Google Ads), and Preferences (language, display settings).
- Block non-essential cookies before consent. Technically implement conditional script loading. No analytics or marketing scripts should fire before consent.
- Design a compliant banner. Clear language, equally prominent Accept and Reject buttons, no pre-checked boxes, no dark patterns.
- Provide granular control. Allow users to accept or reject specific categories, not just "all or nothing."
- Make consent revocable. Provide a way for users to change their consent at any time (typically a "Cookie Settings" link in the footer).
- Record consent. Keep a log of when and how consent was given, as evidence of compliance.
- Self-host Google Fonts. Eliminate the Google Fonts CDN connection entirely.
- Consider cookie-free analytics. Remove the largest source of consent complexity.
- Test regularly. Cookie consent can break when the site is updated, when new plugins are added, or when consent tool configurations change. Test quarterly.
What to Do Now
Open your website in an incognito/private browser window. Watch what happens:
- Does a cookie consent banner appear immediately?
- Can you reject all non-essential cookies with one click?
- Is the reject option as visible and easy as the accept option?
- Open the browser's developer tools (Network tab). Before interacting with the banner, are requests being made to google-analytics.com, facebook.com, doubleclick.net, or other tracking services?
- Are fonts being loaded from fonts.googleapis.com?
- Check the Application tab in developer tools. Are cookies already set before you interact with the banner?
If any of these checks fail, your cookie consent implementation needs work. The fixes range from simple (self-hosting fonts takes an hour) to moderate (implementing proper consent-gated script loading takes a day or two) to significant (switching analytics platforms requires more planning).
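To run the audit step of the checklist and the incognito checks above against a page's HTML offline, here is an added example (written for this guide; not a tool from the original article and not Cookiebot or CookieYes) that scans markup for the tracker hosts and Google Fonts endpoints named in this guide. It treats `<script type="text/plain">`, the convention several consent tools use to stop a script from executing until its type is switched back after consent, as gated. The two HTML documents are constructed: a typical "before" page and its fixed version, with `G-EXAMPLE` as a placeholder measurement ID and `example.ch` as the assumed site origin.

```javascript
// Added example: offline scan of a page's HTML for trackers and Google Fonts
// that load before consent. Example code for this guide, not any vendor's scanner.

// Hosts named in the guide, grouped by the consent category they belong to.
const HOST_RULES = [
  { re: /(^|\.)google-analytics\.com$/i, kind: "analytics" },
  { re: /(^|\.)googletagmanager\.com$/i, kind: "analytics" },
  { re: /(^|\.)doubleclick\.net$/i, kind: "marketing" },
  { re: /(^|\.)facebook\.(com|net)$/i, kind: "marketing" },
  { re: /^fonts\.(googleapis|gstatic)\.com$/i, kind: "fonts" },
];

function classifyHost(host) {
  const rule = HOST_RULES.find((r) => r.re.test(host));
  return rule ? rule.kind : null;
}

// Minimal attribute parser for one tag's attribute string (valueless attributes are ignored).
function parseAttrs(attrString) {
  const attrs = {};
  const re = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrString)) !== null) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// Scripts typed text/plain are not executed by the browser; consent tools
// switch the type back to JavaScript once the matching category is accepted.
const isGated = (attrs) => (attrs.type || "").toLowerCase() === "text/plain";

function auditHtml(html, siteOrigin) {
  const siteHost = new URL(siteOrigin).hostname;
  const issues = [];
  let m;

  // 1. External resources: scripts, stylesheets/preconnects, iframes, tracking pixels.
  const tagRe = /<(script|link|iframe|img)\b([^>]*)>/gi;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const ref = attrs.src || attrs.href;
    if (!ref) continue;
    let host;
    try { host = new URL(ref, siteOrigin).hostname; } catch { continue; }
    if (host === siteHost) continue;                        // first-party resource
    const kind = classifyHost(host);
    if (!kind) continue;                                    // unknown third party: not flagged here
    if (tag === "script" && isGated(attrs)) continue;       // blocked until consent
    issues.push({
      tag, host, kind, url: ref,
      reason: kind === "fonts" ? "font fetched from Google CDN on every page load" : "loads before consent",
    });
  }

  // 2. Inline scripts that call tracker APIs directly (gtag/fbq/ga) without gating.
  const inlineRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  while ((m = inlineRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src || isGated(attrs)) continue;
    if (/\b(gtag|fbq|ga)\s*\(/.test(m[2])) {
      issues.push({ tag: "script", host: "(inline)", kind: "analytics", url: null, reason: "inline tracker call runs before consent" });
    }
  }
  return { pass: issues.length === 0, issues };
}

// Constructed "before" page: fonts from Google, GA loaded unconditionally, a Facebook pixel.
const BEFORE_HTML = `
<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
<link rel="stylesheet" href="/assets/site.css">
</head><body><img src="https://www.facebook.com/tr?id=000&ev=PageView" width="1" height="1"></body></html>`;

// Constructed fixed page: self-hosted fonts, GA scripts gated behind the analytics category.
const AFTER_HTML = `
<html><head>
<link rel="stylesheet" href="/assets/fonts.css">
<script type="text/plain" data-category="analytics" src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script type="text/plain" data-category="analytics">
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE');
</script>
</head><body></body></html>`;
```

Static scanning only sees what is in the served HTML; scripts injected at runtime by a tag manager or a plugin will not appear, so the Network-tab check in a private window remains the final test.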
If you want a compliance audit of your website's cookie and tracking implementation, contact our team. We help Swiss businesses implement privacy-compliant websites that meet both GDPR and nLPD requirements without sacrificing the analytics data they need to make business decisions.