Also known as the 'Cookie Directive', the instrument that defines the requirements for consent for cookies across the EU is Directive 2009/136/EC of the European Parliament and of the Council.
This is basically an amendment of earlier directive: Directive 2002/58/EC, and is broadly concerned with the protection of data and privacy on the web and in other forms of electronic communication.
The new directive came into effect on 25 May 2011. The text of the directive is about 26 pages long, but the most important paragraph about cookies can be found on page 20:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.;”
In short this means before somebody can store or retrieve any information from a computer, mobile phone or other device, the user must give informed consent to do so.
The intention is to increase the privacy of the end user and prevent organisations from obtaining information about people without them knowing about it.
The other directive mentioned in the above paragraph is an earlier EU directive on data protection.