The European Union amended its "e-Privacy Directive" at the end of 2009 to require companies that wish to use cookies and similar technologies to track users online to obtain consent. The directive applies to providers of publicly available electronic communication services. This term has been defined differently in different countries, from applying to all organizations that run a website to applying only to certain companies engaged in bringing a website, or its content (including advertising content), to the user. The amendment exempts from the consent requirement cookies that are necessary to provide the services requested by the user. The requirement would thus appear to apply to cookies used for online behavioral advertising activities.

Under the EU process, member states had until May 25, 2011, to enact national laws to implement the update to the directive. As of this writing, however, most member states have not implemented the directive into national law. Some of the major states that have, such as the United Kingdom, have granted a de facto compliance extension, indicating that they will wait twelve months before actually enforcing the "Cookie Law." The UK Information Commissioner's Office (ICO) issued guidelines outlining the requirements for cookies (including Flash cookies and cookies on mobile phones), which include: (1) obtain the user's consent to deploy cookies and (2) tell consumers how cookies will be used. The ICO's guidelines indicate that consent may be signified by a user amending or setting controls on his or her browser; however, the ICO has advised businesses to gain consent in another manner, as not every website may be visited through a browser. It is not clear that other countries will follow such a liberal theory for obtaining consent.

TIP: Companies that operate websites for the European market and that use cookies to track users for reasons other than "delivering requested services," in particular if they use cookies to serve behaviorally targeted advertisements, should consider following the U.S. self-regulatory approach of notice and choice. This may address the consent requirements in many EU countries. However, the U.S. approach is, for the most part, an opt-out approach. As more EU countries begin to implement their national laws, some may require an opt-in approach, and additional procedural changes may then be required.