In May 2018 the EU implemented its groundbreaking data protection laws, the General Data Protection Regulations. These laws gave EU citizens massive protection and rights over how their data can be captured and used. In the buildup to these laws being implemented, Switzerland started the process of updating its data protection legislation to be in line with the European Union’s. The process is now reaching its conclusion with the current forecast to potentially come into effect in 2021.
We do not yet know exactly what the final law will look like and there are aspects that the Swiss authorities are still actively debating. However, based on the proposed law and knowing that the objective is to provide a similar set of provisions as GDPR we can give you a good idea of how it will affect your Online Marketing and Data programs.
Lead Generation and Nurturing
For many businesses the objective of their website is to generate leads with whom they can further communicate and develop a relationship in an effort to sell products or services. Often these leads are generated via a form on the site that a user fills out in order to download a whitepaper or guide. The lead is then added to a database and an email marketing process.
Under the new law, the lead must give their express permission when filling out the form. They must give ‘active’ consent. This means that there must be a checkbox on the form, and it must start out unchecked. They have to ‘actively’ check it before you can market to them. The consent must also be ‘informed’. This means that it must be clearly stated that you want to communicate with them for marketing or promotion purposes, and by checking the box they agree to this.
Similarly, targeted advertising, such as remarketing campaigns, which rely on profiling a specific person so that advertising can be tailored to that person, cannot be done without express consent.
In this case, it is unlikely that the user will need to check a box but rather by agreeing to the setting of cookies for Targeted Advertising. Again, the consent here must be active and it must be informed.
A number of advertisers, like Facebook, Google, and LinkedIn, set cookies that enable them to identify the users of your website across other websites. This will also require express consent. So even if you do not plan on doing remarketing, you will still be required to ask for this consent before adding the Google, LinkedIn, or Facebook tracking pixels.
Under the new law, it is likely that your website will be required to have a cookie banner. This banner will need to provide the user with information about what you are using cookies for. Additionally, the banner should contain a link to a Cookie Preference Centre with the option of opting-in or -out of the setting of different categories of cookies. Depending on what data the cookies contain and what function they have, these categories require a certain level of consent. Under GDPR and likely under DPA:
- Cookies that are vital to making the website work may not require the user’s consent at all.
- Cookies that do not profile users for targeting, but are not vital for the functioning of the website, can be set when the user arrives on the site, but the user must be given the option to opt-out.
- Lastly, as in the case of cookies for Targeted Advertising, the user must give their express consent before the cookie can be set.
Policies and Notices
One of the obligations that all websites have under GDPR is to provide accurate, complete, and easily understandable privacy and cookie policies on their website. These must clearly state what data is collected, how it is collected, where it is stored, what it is used for, with whom it is shared, and who is responsible for it. It is likely that this will also be a requirement for the new Swiss laws.
Data Handling and Storage
With the new laws, the responsibility to secure user data falls on everyone involved in the process, including you as the owner of the website. If the storage facilities you use are compromised, even if it is the fault of your service provider, you will be held responsible.
The user, whose data is collected, has many rights under the new law like, as we already mentioned above, knowing how their data is being collected, used, and stored. They also have the right to access their data from you, the right to have any incorrect data rectified, and they have the ‘right to be forgotten’. This last one means they have the right to insist that you delete all of their personal information.
Punishments for Transgression
The final major point to understand is the penalties that are likely to be imposed on companies that do not comply with the rules. The maximum fine that GDPR has is 20 million Euros, or 4% of global turnover, whichever is higher. Currently, the proposed legislation for the Swiss DPA has much lower punishments of a maximum of 250,000 Swiss Francs. However, there are voices in the parliament who believe this amount should be higher, with some calling for the same amount as GDPR.
Although we do not yet know the full details of what the new Swiss DPA will contain, one of its stated objectives is to match the extent of the EU’s GDPR. This means that it is likely that all the provisions mentioned above will be included. Having helped many companies prepare their web presence for GDPR, we know that this is not a quick process. We advise our customers, and you, to prepare for the new laws as long in advance as possible so that you can ensure you have everything in place to comply with the regulations.