Buying leads inherently involves processing personal data: name, contact details, a description of a need. In Switzerland, this processing is governed by the federal data protection act (nLPD), which came into force in its revised version in September 2023. It isn't designed to prevent lead buying, which remains a perfectly legal commercial practice, but to ensure that the people whose data circulates have given their consent and retain control over how it's used.
This dossier presents the general principles applicable to B2B lead buying in Switzerland. It isn't personalised legal advice: for any question specific to your situation, seeking a legal advisor's opinion remains recommended. The goal here is to give you the reference points needed to have a useful conversation with a provider and assess how seriously they take this issue.
What the nLPD says about an end customer's data
The nLPD governs the processing of any data that can identify a natural person — which includes a name, phone number, e-mail address or postal address, the data typically contained in a lead. The central principle is transparency and purpose limitation: a person must know what their data will be used for at the moment they share it, and that data must only be used for that specific purpose.
Applied to lead buying, this means the customer filling in a request form must be clearly informed that they'll be contacted by one or several professionals in the relevant sector in response to their request. This information must appear visibly at the point of collection, not buried in unreadable terms and conditions or in a separate text you'd have to go looking for.
Consent: what's concretely required
Consent to be contacted must be freely given, specific and informed: the person must understand what they're consenting to, with no pre-checked box or ambiguous wording nudging them into accepting without paying attention. An active checkbox (unchecked by default), paired with clear wording such as "I agree to be contacted by a professional in the sector regarding this request," is a compliant practice widely adopted by serious platforms.
That consent must also be tracked and timestamped by the provider, so its existence can be demonstrated if challenged. A provider unable to prove the origin and timing of consent — or that simply asserts "all data is compliant" without detail — doesn't offer sufficient guarantees for buying leads with peace of mind.
Obligations of the business buying leads
By receiving a customer's contact details through a lead, your business in turn becomes responsible for processing that personal data under the nLPD. Concretely, this involves several obligations: keeping the data only as long as needed to process the request (no indefinite "just in case" retention), not passing it to a third party without a legal basis, and respecting the customer's right to object to further contact if they request it.
It also means checking, at least once, how your provider collects consent — a reliable provider should be able to answer this question directly. If there's any doubt about a provider's compliance, the legal risk remains attached to the business using the data, not only to the one that originally collected it.
Obligations of the lead provider
A serious lead provider must be able to demonstrate the origin of each consent collected (form, timestamp, the exact wording shown to the customer), limit the number of businesses a given piece of data is sent to, to what was disclosed to the customer (a lead marketed as "shared between 3 businesses" shouldn't be resold to ten), and at any time let an end customer exercise their right to access or object regarding their own data.
These obligations aren't mere formalities: they shape the reliability of the lead itself. Poorly collected or poorly tracked consent isn't just a legal risk — it's also often a sign of lower-quality data, collected without real engagement from the customer, and therefore statistically less likely to turn into an appointment.
Compliance best practices before you buy
Before committing to a provider, a few simple checks limit your risk: ask how consent is collected and whether this can be documented on request; check that the provider specifies the disclosed sharing level (exclusive, or shared among how many businesses); and make sure there's a clear procedure if an end customer wants to opt out of further contact.
On your own side, formalise a simple rule for your team: only keep a lead's data for as long as it takes to process the request, and delete contacts that didn't convert after a reasonable period. This discipline remains the best protection, regardless of the provider's own quality, and applies to any customer data you process, not just purchased leads.