A properly configured cookie banner is the exception, not the rule. According to a study published in March 2025 covering the 10,000 most-visited websites across 31 countries, only 15% of consent interfaces are minimally compliant — mainly because the refusal option has no real effect: you click refuse, but you’re still being tracked. At biskoui, changing that is exactly what we’re here for.
In November 2025, France’s data protection authority (CNIL) fined the publisher of Vanity Fair France €750,000 for failures related to its cookie banner. The nature of these violations is instructive: they are exactly the mistakes found on many Swiss websites, and ones that the FADP and TCA equally prohibit.
The Vanity Fair France case: what happened
CNIL decision SAN-2025-010 (17 March 2026) is based on multiple checks carried out between July 2023 and February 2025 on vanityfair.fr. It identifies four distinct violations.
1. Cookies set before any consent
As soon as a user landed on the site, advertising cookies — including Google’s NID cookie, used for ad personalisation — were deposited on their device before they had interacted with the banner at all. Consent must precede any deposit. It didn’t.
2. Misleading information about cookie categories
Certain features of the IAB Europe’s Transparency and Consent Framework (TCF) — including cross-device data matching — were presented as “always active”, implying they were strictly necessary for the site to function. They were not. Users could not make an informed choice.
3. Refusal with no real effect
Users who chose “refuse all” found that advertising and video analytics cookies continued to be set during their browsing session. A “refuse” button that refuses nothing is not consent management — it’s deception.
4. Withdrawal of consent ignored
Even after users withdrew consent, cookies already on their device continued to be read by the site. The CNIL is clear: the obligation to respect withdrawal applies not only to setting new trackers, but also to reading those already stored — including first-party cookies.
What Swiss law requires
Several legal bases in Switzerland regulate the use of cookies and impose concrete obligations on website operators.
The FADP and its general principles
The Federal Act on Data Protection (FADP) establishes three principles applicable to cookie-based processing:
- Lawfulness and good faith (Art. 6 FADP): a mechanism that simulates a choice without respecting its effects violates the good faith principle.
- Duty to inform (Art. 19 FADP): users must be informed transparently about the purposes of data processing.
- Consent (Art. 31 FADP): where required, consent must be freely given, specific and informed — which presupposes that refusal produces real effects.
Article 45c TCA
Article 45c(b) of the Telecommunications Act (TCA) explicitly provides that users must be informed about the processing of data via telecommunications — including cookies — as well as its purpose, and must have the ability to object.
The FDPIC Cookie Guide (January 2025)
The Federal Data Protection and Information Commissioner (FDPIC) has published an updated version of its Guide on cookie processing. It emphasises three points:
- The need for transparent information on processing purposes (section 3.3.1)
- The distinction between strictly necessary and non-necessary cookies, which cannot be justified on the same legal grounds (sections 3.5.2 and 3.6)
- The concrete modalities for withdrawing consent, including the effective deletion of trackers already deposited (sections 3.9 and 3.12.7)
Compliance is assessed based on actual behaviour, not the mere presence of a banner. A mechanism that formally allows users to refuse consent while continuing to read trackers on their device is not defensible under the good faith principle of the FADP.
The 4 mistakes to avoid on your Swiss website
| Mistake | Risk |
|---|---|
| Loading third-party scripts before consent | Unlawful processing from the very first visit |
| Presenting non-necessary cookies as mandatory | Violation of the duty to inform (Art. 19 FADP) |
| Not stopping processing after “refuse” | Fictitious consent, contrary to Art. 6 FADP |
| Not ceasing processing after withdrawal | Unlawful continuation of data processing |
Why a properly configured CMP makes all the difference
Most of these violations are not the result of bad intentions: they stem from faulty technical implementation. A Google Analytics tag that isn’t properly conditioned, a video script loaded without a consent check, a first-party cookie not deleted upon withdrawal — these are common errors, invisible to the naked eye, but very real in the logs.
A properly configured CMP (Consent Management Platform) addresses these problems at the source:
- No processing before consent: no third-party scripts execute until the user has made their choice.
- Refusal respected: conditioned processing does not start in the absence of consent.
- Withdrawal enforced: changing preferences immediately stops the relevant processing.
- Structured information: each purpose is presented clearly, without conflating it with necessary functionality.
This is precisely what biskoui offers: a 100% Swiss CMP, hosted on an ISO 27001-certified cloud, designed to meet the requirements of the FADP, the TCA, and the FDPIC Guide.