Swiss nLPD: What Must Change on Your Website

On September 1, 2023, Switzerland's new Federal Act on Data Protection (nFADP, known as nLPD in Italian or nDSG in German) replaced the old law from 1992. If you operate a website for a Swiss business, this law applies to you, and it changed several things that directly affect how your website handles personal data.

This is not a theoretical concern. The penalties are personal: individuals responsible for violations can be fined up to CHF 250,000. Not the company. The person. That could be the business owner, the managing director, or the person responsible for data protection within the organization.

This article covers what the nLPD means specifically for your website. Not the full scope of the law (which covers all data processing activities), but the website-specific requirements that most Swiss businesses need to address.

What Changed From the Old Law

The 1992 law was written before the internet was a commercial platform. It was outdated and insufficient for how personal data is processed today. The nLPD brings Switzerland's data protection framework closer to the EU's GDPR, though with some notable differences.

Key Changes

  • Scope: The law now only protects the data of natural persons (individuals), not legal entities. The old law also protected company data.
  • Genetic and biometric data: These are now classified as "sensitive personal data" requiring higher protection standards.
  • Privacy by design and by default: These principles are now legally required, not just best practices.
  • Data breach notification: You must report data breaches to the FDPIC (Federal Data Protection and Information Commissioner) as quickly as possible. The law does not specify 72 hours like the GDPR, but "as quickly as possible" is the standard.
  • Data Protection Impact Assessments: Required when processing activities pose a high risk to the personality or fundamental rights of data subjects.
  • Transparency: Extended duty to inform data subjects about data collection and processing. This directly affects your website's privacy policy.
  • Profiling: The law now specifically addresses profiling (automated processing to evaluate personal aspects), with stricter rules for "high-risk profiling."
  • Criminal penalties: Violations can result in fines of up to CHF 250,000 imposed on the responsible individual. This is different from GDPR, where fines target the organization.

nLPD vs GDPR: Key Differences

Many Swiss businesses assume that if they are GDPR-compliant, they are automatically nLPD-compliant. This is not entirely correct. While the nLPD is heavily influenced by the GDPR, there are important differences:

| Aspect | GDPR | nLPD |
|---|---|---|
| Penalties target | The organization (up to 4% of global revenue or EUR 20M) | The responsible individual (up to CHF 250,000) |
| Consent for processing | Consent is one of six legal bases | Processing is generally permitted and needs a justification only where it would otherwise be unlawful; consent is needed for sensitive data |
| Data breach notification | 72 hours to supervisory authority | "As quickly as possible" to FDPIC |
| DPO (Data Protection Officer) | Required in many cases | Voluntary (but recommended); called "data protection advisor" |
| Data protection scope | Natural persons only | Natural persons only (changed from the old law, which also covered legal entities) |
| Records of processing | Required for organizations with 250+ employees | Required for organizations with 250+ employees (smaller organizations are exempt if their processing is low-risk) |
| Cross-border transfers | Adequacy decisions, SCCs, BCRs | Similar framework; Swiss-specific list of adequate countries |

The personal liability aspect is the most significant practical difference. Under the GDPR, a fine is a business cost. Under the nLPD, it is a personal criminal matter.

Website-Specific Requirements

Let us get into what this means for your website, concretely.

Privacy Policy

Your website must have a privacy policy that meets the nLPD's transparency requirements. This is the extended "duty to inform" under Articles 19-21 of the nLPD. Your privacy policy must include:

  • Identity and contact details of the data controller (your company, including address and a way to contact you about data protection matters).
  • Purpose of processing: Why you collect each type of data. Be specific. "To improve our services" is not sufficient. "To respond to your contact form inquiry" is.
  • Categories of data collected: What personal data you collect through the website (names, email addresses, IP addresses, browsing behavior, etc.).
  • Recipients or categories of recipients: Who you share data with. This includes every third-party service: Google Analytics, email marketing providers, CRM systems, hosting providers, payment processors.
  • Cross-border data transfers: If data is transferred outside Switzerland, you must disclose this, name the countries, and state the safeguards in place (adequacy decision, standard contractual clauses, or consent).
  • Retention periods: How long you keep each type of data, or the criteria used to determine the retention period.
  • Data subject rights: The rights that individuals have regarding their data (access, rectification, deletion, data portability, objection to processing).
  • Automated decision-making: If you use automated decision-making or profiling that affects individuals, you must disclose this and explain the logic involved.

What Most Swiss Privacy Policies Get Wrong

  • They are generic templates that do not reflect the actual data processing on the specific website.
  • They do not mention specific third-party services by name (they say "analytics providers" instead of "Google Analytics via Google Ireland Limited").
  • They do not disclose cross-border transfers (Google Analytics sends data to the US, which must be disclosed).
  • They do not specify retention periods (they say "as long as necessary" without further detail).
  • They are only available in one language despite the website targeting multiple language regions.

Cookie Consent

The nLPD does not have a specific "cookie law" like the EU's ePrivacy Directive. However, cookies that process personal data fall under the nLPD's transparency and consent requirements. In practice, this means:

  • Technically necessary cookies (session cookies, load balancing, shopping cart) can be set without consent, but must be disclosed in the privacy policy.
  • Analytics cookies (Google Analytics, Hotjar, etc.) collect personal data (IP addresses, behavior data) and require either consent or anonymization.
  • Marketing/advertising cookies (Facebook Pixel, Google Ads remarketing, LinkedIn Insight Tag) require consent because they involve profiling and cross-border data transfer.

The safest approach, and the one recommended by the FDPIC, is to implement a consent management solution similar to what the GDPR requires: inform visitors about cookies, get consent before setting non-essential cookies, and allow visitors to change their preferences.

For more on cookie consent implementation, see our article on common cookie consent legal errors.

Contact Forms

Every contact form on your website collects personal data (at minimum: name and email address). Under the nLPD:

  • You must inform users what will happen with their data before they submit the form. A link to the privacy policy near the form is the minimum. A short notice directly on the form is better.
  • Data collected through contact forms must be processed only for the stated purpose (responding to the inquiry).
  • You must have a clear retention policy: how long do you keep contact form submissions? Delete them when no longer needed.
  • If the form data is sent to third-party services (like a CRM or email marketing tool), this must be disclosed.

Analytics

Google Analytics is the most common analytics tool on Swiss websites, and it raises several nLPD issues:

  • Cross-border data transfer: Google Analytics sends data to Google's servers, which may be located in the US. This is a cross-border transfer that must be disclosed and for which appropriate safeguards must be in place.
  • Personal data processing: IP addresses and user behavior data are personal data under the nLPD. Even with IP anonymization enabled, Google Analytics collects enough data to potentially identify individuals through browser fingerprinting and behavioral patterns.
  • Consent requirement: Given the cross-border transfer and profiling aspects, obtaining consent before loading Google Analytics is the safest approach.

Alternatives

Privacy-focused analytics tools like Plausible, Umami, or Fathom offer a compliant alternative. They do not use cookies, do not track individual users, and can be self-hosted in Switzerland. If these tools are properly configured, you can avoid the consent and cross-border transfer issues entirely.

Newsletter Signup

If your website has a newsletter signup form:

  • Use double opt-in (send a confirmation email that the user must click to verify their subscription). This is not strictly required by the nLPD but is considered best practice and provides evidence of consent.
  • Clearly state what the user is signing up for and how frequently they will receive emails.
  • Disclose which email marketing service you use (Mailchimp, Sendinblue, etc.) and where their servers are located.
  • Include an unsubscribe mechanism in every email.

Cross-Border Data Transfers

This is one of the areas where Swiss websites most frequently fall short. Many common web services are operated by US companies, and data transfer to the US requires specific safeguards under the nLPD.

Services That Transfer Data Abroad

  • Google Analytics: Data sent to Google servers (US).
  • Google Tag Manager: Data sent to Google servers (US).
  • Mailchimp: Email marketing data stored on US servers.
  • Facebook/Meta Pixel: Visitor data sent to Meta servers (US).
  • HubSpot: CRM and marketing data stored on US servers.
  • Cloudflare: Website traffic routed through servers worldwide.
  • Stripe: Payment processing data sent to US servers.
  • YouTube embeds: Visitor data sent to Google/YouTube servers.

What Safeguards Are Required

Under the nLPD, data can be transferred to countries that provide an adequate level of data protection (the Federal Council maintains a list). For countries not on the list (including the US, in many scenarios), you need:

  • Standard Contractual Clauses (SCCs) with the data recipient.
  • Or explicit consent from the data subject, informed about the risks.
  • Or another recognized safeguard mechanism.

In practice, most US services offer SCCs as part of their data processing agreements. You need to ensure these agreements are in place and referenced in your privacy policy.

Data Breach Notification

If your website is breached and personal data is compromised, the nLPD requires you to notify the FDPIC as quickly as possible. You must also notify affected individuals if necessary to protect them.

What Constitutes a Data Breach

A data breach under the nLPD is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. In website terms:

  • Your website database is accessed by unauthorized parties (hacking).
  • Customer data is accidentally made publicly accessible (misconfiguration).
  • Contact form submissions are intercepted (man-in-the-middle attack, lack of HTTPS).
  • A third-party service you use is breached and your customers' data is affected.
  • Malware on your website collects visitor data (form-jacking, web skimming).

Preparation

You should have a breach notification plan before a breach happens. Know who is responsible for reporting, what information the FDPIC requires, and how you will notify affected individuals. The time to figure this out is not during an active incident.

DPO Requirements

Unlike the GDPR, the nLPD does not require organizations to appoint a Data Protection Officer (DPO). However, organizations can voluntarily appoint a "data protection advisor" (Datenschutzberater). If appointed, this person:

  • Acts as a point of contact for data subjects and the FDPIC.
  • Provides independent advice on data protection matters.
  • Must have the necessary expertise and be given sufficient independence and resources.

For small and medium businesses, appointing a DPO is optional but can be beneficial, especially if you process significant amounts of personal data or operate in a regulated industry.

Penalties: Personal Liability

This is the part that gets people's attention. Under the nLPD, violations are punishable by fines of up to CHF 250,000 imposed on the responsible natural person. Not the company. The individual.

Who Is at Risk

  • The business owner or managing director who makes decisions about data processing.
  • The person designated as responsible for data protection.
  • Anyone who intentionally violates the nLPD's provisions.

What Can Trigger Penalties

  • Failure to provide adequate information to data subjects (deficient privacy policy).
  • Failure to implement appropriate technical and organizational measures to protect personal data.
  • Unauthorized cross-border data transfers without appropriate safeguards.
  • Failure to report data breaches to the FDPIC.
  • Violation of professional secrecy obligations related to data protection.

Note that criminal penalties require intentional conduct, not mere negligence; the FDPIC can, however, issue binding orders in response to negligent conduct. Bear in mind that "intentional" in legal terms can include situations where you knew about a problem and did nothing to fix it.

Practical Website Compliance Checklist

Here is a concrete checklist for bringing your website into compliance with the nLPD:

Privacy Policy

  1. Have a privacy policy that meets all nLPD requirements (identity, purposes, recipients, cross-border transfers, retention, rights).
  2. List every third-party service by name, not generic categories.
  3. Disclose all cross-border data transfers with the countries and safeguards.
  4. Specify retention periods for each type of data.
  5. Make the privacy policy accessible from every page (typically via footer link).
  6. Provide the privacy policy in all languages your website supports.

Cookie Consent

  1. Implement a cookie consent mechanism that blocks non-essential cookies until consent is given.
  2. Categorize cookies into necessary, analytics, and marketing.
  3. Allow granular consent (users can accept analytics but reject marketing).
  4. Allow users to withdraw consent at any time.
  5. Document consent (keep records of when and how consent was given).
  6. Test that cookies are actually blocked before consent (many implementations show a banner but load cookies regardless).
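To make items 1, 3, 4, 5 and 6 of this checklist concrete, here is an added JavaScript example that is not part of the original article: third-party tags are declared with the consent category they need and injected only once that category is granted, every consent decision is recorded with a timestamp and the method used, and an audit function flags cookies that are present without a matching granted category. The tag URLs, tag ids and cookie-name prefixes are constructed placeholders, not real vendor values.

```javascript
// Added example, not from the original article; tag URLs and cookie prefixes are placeholders.
const CATEGORIES = ["necessary", "analytics", "marketing"];
// Each third-party script is declared with the consent category it needs.
const TAGS = [
  { id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ads-tag", category: "marketing", src: "https://example.invalid/ads.js" },
];

// Cookie-name prefix -> category (constructed; build this from your own cookie inventory).
const COOKIE_CLASSES = { sess_: "necessary", _an_: "analytics", _ad_: "marketing" };

// State before the visitor answers the banner: nothing optional is granted.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, givenAt: null, method: null };
}

// Record a granular choice plus when/how it was obtained; false withdraws; "necessary" stays on.
function applyConsent(consent, choices, method, now = Date.now()) {
  const next = { ...consent, givenAt: now, method };
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && typeof choices[cat] === "boolean") next[cat] = choices[cat];
  }
  return next;
}

// Ids of declared tags whose category has been granted.
function allowedTags(tags, consent) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Browser glue: inject <script> elements only for allowed tags not yet loaded.
// Withdrawal cannot unload a running script; clear its cookies and reload the page.
function loadAllowedTags(tags, consent, loaded = new Set()) {
  const ids = allowedTags(tags, consent).filter((id) => !loaded.has(id));
  if (typeof document !== "undefined") {
    for (const id of ids) {
      const s = document.createElement("script");
      s.src = tags.find((t) => t.id === id).src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  ids.forEach((id) => loaded.add(id));
  return ids;
}

// Audit: from the cookie names present (e.g. parsed from document.cookie before the banner
// was answered), return those without a granted category, plus any cookie not in the inventory.
function auditCookies(cookieNames, consent, classes = COOKIE_CLASSES) {
  return cookieNames.filter((name) => {
    const prefix = Object.keys(classes).find((p) => name.startsWith(p));
    return !prefix || consent[classes[prefix]] !== true;
  });
}
```

Run `auditCookies` against the cookies present before the banner is answered: anything it returns is either loaded without consent or missing from your cookie inventory.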

Forms and Data Collection

  1. Add a privacy notice near every form that collects personal data.
  2. Link to the privacy policy from each form.
  3. Implement double opt-in for newsletter subscriptions.
  4. Define and implement retention periods for form submissions.
  5. Ensure form data is transmitted securely (HTTPS).

Third-Party Services

  1. Inventory all third-party services that process personal data.
  2. Verify that data processing agreements are in place with each one.
  3. Check that cross-border transfer safeguards are in place.
  4. Consider privacy-focused alternatives where possible (e.g., Plausible instead of Google Analytics).
  5. Ensure third-party scripts are blocked until consent is given (where consent is required).

Security

  1. HTTPS on all pages (not just the homepage).
  2. Strong security headers (CSP, HSTS, X-Frame-Options, etc.).
  3. Regular software updates (CMS, plugins, server software).
  4. Secure storage of any personal data collected (encryption at rest, access controls).
  5. Regular backups with tested restoration procedures.
  6. A data breach response plan.

Common Violations on Swiss Websites Right Now

Based on our assessments of Swiss business websites, here are the most common nLPD compliance issues we find:

  • Google Analytics loaded without consent: The majority of Swiss websites still load Google Analytics before the user has given consent. The cookie banner shows, but the tracking fires immediately regardless.
  • Privacy policies that do not mention cross-border transfers: Even though Google Analytics, Mailchimp, and other common services transfer data to the US.
  • No cookie consent mechanism at all: A surprising number of Swiss business websites still have no cookie consent banner, despite processing personal data through tracking scripts.
  • Generic privacy policies: Copy-pasted templates that do not reflect the actual data processing activities on the specific website.
  • Missing data processing agreements: Businesses using cloud services without having signed the necessary DPAs.
  • No retention policies: Contact form submissions stored indefinitely with no defined deletion schedule.
  • HTTPS not enforced: Some pages still accessible via HTTP, allowing data interception.

Next Steps

If you are not sure whether your website complies with the nLPD, you probably have work to do. Most Swiss websites we assess have multiple compliance gaps.

At Envestis, we perform website compliance audits that cover both the technical and legal aspects of nLPD compliance. We check your privacy policy, your cookie consent implementation, your third-party services, your data flows, and your security measures. We then provide a prioritized report of what needs to be fixed and practical recommendations for how to fix it.

For a broader perspective on GDPR compliance (which often applies alongside the nLPD for Swiss businesses with EU customers), see our article on GDPR website compliance.

Contact us to schedule a compliance audit. The penalties are personal. The time to act is now.
