Cookie banners as a compliance minefield
Cookie banners have long been more than just an annoying click hurdle—they have become a sharp touchstone for data protection compliance, which can quickly put companies in Europe in dangerous liability territory.
We are all familiar with the somewhat annoying process of clicking away cookie options. What has become routine for website visitors represents a considerable amount of work for website operators. And cookies are anything but trivial from a legal perspective, as an expert explains below—especially since the internet quickly moves to an international level.
A minefield beyond the GDPR
According to German data protection lawyer Asmus Eggert, many companies underestimate the fact that cookie violations are often not primarily prosecuted under the GDPR, but under ePrivacy regulations and their national implementations – without a one-stop-shop protective shield. This means that virtually any national supervisory authority can be responsible as soon as users' end devices in its jurisdiction are accessed, regardless of whether there is a local branch. Anyone who lulls themselves into a false sense of security risks parallel proceedings in several EU countries.
Technical non-compliance as the main problem
According to Eggert, the main risk lies in the discrepancy between legal requirements and how the website actually works. Common mistakes include setting unnecessary cookies before effective consent has been given, insufficiently informative consent texts, and technically faulty or only seemingly effective «Reject all» buttons. Added to this are incorrectly configured consent management tools that slip into non-compliance unnoticed after updates, creating the risk of fines overnight.
Responsibility remains with the site operator
Referring to the consent management provider does not help in an emergency, as the website operator always remains legally responsible. In practice, problems rarely result from the tool itself, but rather from faulty implementation, incorrect categorization of cookies, and a lack of regular monitoring. Eggert therefore recommends technical functional tests, documented changes, and clear responsibilities between data protection, IT, and marketing.
Transparency instead of dark patterns
According to Eggert, transparency is not optional, but mandatory: users must be able to clearly see what purposes are being pursued, which third-party providers are involved, and how long data will be stored. What is required are understandable descriptions of purposes, complete lists of third-party providers, equally designed consent and rejection buttons on the first level, and an easy option to revoke consent at any time. Designs that push for consent through hidden rejection options or visually dominant consent buttons can be considered unacceptable dark patterns that call into question the voluntary nature of consent.
High fines and global turnover reference
The risks of sanctions are considerable: in many countries, the ePrivacy fine regimes are linked to the concept of a company as defined in competition law, which means that global group turnover may be relevant. While the German framework for certain cookie violations is formally limited to €300,000, other countries such as France, Spain, and Italy allow significantly higher amounts, up to nine-figure sums or the full GDPR fine range. This can quickly take on existential dimensions, especially for international platforms.
Three sets of measures for greater security
Eggert advises companies to adopt a structured three-pronged approach consisting of technical analysis, content revision, and governance. First, a detailed review should be conducted to determine which cookies, scripts, and tracking technologies are activated when and in which decision-making scenarios, and whether user decisions are consistently respected. This should be followed by clearly worded banner texts, complete lists of third-party providers, an equally placed "reject" button, and a consent architecture that enables genuine freedom of choice—supported by a platform but accompanied by legal and technical controls.
Ongoing governance as a mandatory program
Finally, Eggert calls for a permanent testing and monitoring process to ensure that new tools or relaunches do not inadvertently lead to violations. Those who can demonstrate to supervisory authorities that they have a seriously implemented testing and documentation system are in a much better position in proceedings – those who treat cookie banners as a one-off technical obligation, on the other hand, are sitting on a compliance «ticking time bomb.»
Source: mip Consult
Cookie regulations in Switzerland
Until recently, cookie regulations in Switzerland were not as clear-cut as in the EU. That is why the FDPIC published new guidelines for setting cookies in 2025. These guidelines represent a tightening of regulations and an alignment with the legal situation in the EU.
According to the revised Swiss Data Protection Act (DSG) and Telecommunications Act (FMG), cookies are generally permitted as long as users are informed transparently about their type, purpose, and options for objection, and their personal rights are not violated. Necessary cookies may be used without consent, while stricter requirements apply to non-necessary cookies: depending on the risk, an opt-out or a justification based on legitimate interests may suffice, but in the case of high-risk profiling or the processing of particularly sensitive data, explicit opt-in consent with clear information, voluntariness, and the possibility of revocation is required.
Sanctions are primarily directed at responsible natural persons; fines of up to CHF 250,000 are envisaged, or up to CHF 50,000 in simpler cases where it would be disproportionate to identify the specific person responsible. In addition, the FDPIC may impose supervisory measures such as orders to adjust or refrain from certain tracking and cookie practices.
Sources:
This article originally appeared on m-q.ch - https://www.m-q.ch/de/cookie-banner-als-compliance-minenfeld/
