The story begins in the early 2000s. In 2002, the EU passed the Privacy and Electronic Communications Directive, commonly called the ePrivacy Directive. This law was intended to safeguard privacy in the digital realm – covering things like the confidentiality of communications, spam emails, and online tracking. Originally, the ePrivacy Directive said websites should give users the right to refuse or opt out of cookies, but it did not yet mandate an explicit opt-in for most cookies. However, by the end of that decade, concerns about online tracking had grown. In 2009, the EU amended the ePrivacy Directive to strengthen privacy around cookies. This 2009 amendment required websites to obtain users’ informed consent before storing or accessing information like cookies on their devices en.wikipedia.org en.wikipedia.org. In effect, the EU flipped the model from “notify and opt-out” to “ask and opt-in” for cookies and similar tracking tools.