GDPR, Swiss FADP and ePrivacy: the legal framework for consent
Cookie consent is not optional. GDPR requires explicit opt-in consent before setting analytics or advertising cookies. Switzerland's Federal Act on Data Protection (FADP, effective since September 2023) imposes its own requirements on data collection transparency. Non-compliance carries fines of up to EUR 20 million or 4% of annual turnover under GDPR, and personal fines of up to CHF 250,000 under FADP.
The compliance obligation creates a measurement challenge. When 30 to 50% of visitors decline cookies, your GA4 analytics lose a significant share of visitor data. Your Google Ads campaigns miss conversion signals. Every marketing decision based on this incomplete data carries an accuracy penalty.
Under GDPR, analytics and advertising cookies require prior consent. The consent must be freely given, specific, informed and unambiguous. Pre-checked consent boxes are invalid. Cookie walls that deny access to content unless consent is granted violate the regulation. The visitor must be able to refuse cookies as easily as they accept them, and the site must function normally regardless of their choice.
Consent Mode v2: why Google mandates it and how it works
Consent Mode v2 is Google's framework for handling user consent signals. When a visitor grants consent, tracking tags fire normally. When consent is refused, Consent Mode sends anonymised, cookieless pings to Google. These pings enable statistical modelling of the conversions that consent refusal prevents from being measured directly. Google reports that this modelling recovers approximately 50 to 70% of the conversion signal that would otherwise be lost entirely (Google Ads Help, 2024).
Since March 2024, Google mandates Consent Mode v2 for every advertiser targeting users in the European Economic Area. Without this implementation, Google Ads campaigns lose between 30 and 40% of their conversion signals. Remarketing audiences shrink, bidding algorithms have less data to optimise with, and cost per acquisition rises mechanically.
Consent Mode v2 introduces two parameters beyond version 1: ad_user_data (consent to send user data to Google for advertising) and ad_personalization (consent to ad personalisation). These parameters must be transmitted by the CMP (Consent Management Platform) to Google Tag Manager, which relays them to Google tags. A single missing link in this chain invalidates the entire configuration.
Choosing and configuring your CMP: Cookiebot, Axeptio, OneTrust
A CMP (Consent Management Platform) is the tool that displays the cookie consent banner, collects and stores user choices, and communicates those choices to tracking tags via Consent Mode. The choice of CMP depends on three criteria: compatibility with your technical stack, compliance with applicable regulations, and impact on user experience.
Cookiebot (Usercentrics). Danish solution certified by Google for Consent Mode v2. Cookiebot automatically scans your site to detect cookies and third-party scripts, simplifying initial compliance setup. Compatible with GTM, WordPress, Shopify and most CMS platforms. Accessible pricing for SMEs (from EUR 12 per month). The automatic scanner may miss certain dynamically loaded scripts.
Axeptio. French solution with a distinctive UX approach: the cookie banner is designed to be pleasant rather than intrusive. Observed consent rates are typically 10 to 15% higher than standard banners. Axeptio is GDPR-compliant and Consent Mode v2 compatible. Its configuration interface is more intuitive than Cookiebot's. The automatic cookie scan is less thorough, requiring more manual configuration.
OneTrust. Enterprise platform designed for large organisations with multi-jurisdiction needs. OneTrust handles GDPR, CCPA (California), Swiss FADP and other regulations in a unified interface. Cost and configuration complexity reserve it for mid-sized or international companies.
The cross-border angle: French Alps and Switzerland
Businesses based near Geneva that serve Swiss clients or employ cross-border workers face a dual compliance obligation. GDPR applies to any data collected from EU residents. The FADP applies as soon as data from Swiss residents is processed, including from a server located in France.
In the Geneva basin, this situation is daily reality. An e-commerce site based in Annemasse that delivers to Geneva collects data subject to both regimes. A medical practice in Thonon-les-Bains that receives Swiss patients must comply with FADP in addition to GDPR. The CMP must therefore be configured to recognise the visitor's geographic origin and apply the corresponding legal framework.
Server-side tracking provides an additional layer of control in this cross-border context. The intermediate server filters and routes data according to jurisdiction before transmitting it to third-party platforms. Swiss visitor data can be processed with FADP-specific requirements (notification in case of profiling, distinct legal basis) without affecting the processing of European data subject to GDPR.
The consent agent: what it executes autonomously
The consent agent scans source code for undeclared cookies, verifies CMP declarations against active trackers and detects scripts that bypass consent. The human architect defines the compliance framework and validates legal parameters for GDPR and FADP requirements.
This automated audit reproduces in minutes the inspection that a data protection authority performs during a review. Results are presented in a report that lists each non-compliance with its risk level and correction. This preventive approach costs far less than post-sanction remediation.
The second level concerns consent rate optimisation. AI analyses variations in acceptance rate based on banner design, display timing, wording used and page type. Based on this data, we adjust CMP configuration to maximise consent while respecting legal requirements. A consent rate that moves from 55% to 70% represents 15% more advertising signals for GA4 and Google Ads, without any modification to the campaigns themselves.