From 11 December, companies operating web sites or emailing marketing material will have to comply with new UK laws implementing the EC's Privacy and Communications Directive.

To deal with this development, firms should put the correct processes in place now to avoid the risk of prosecution, fines, and bad publicity, according to experts.

The DTI said the law will impose new restrictions on firms using cookies and similar internet tracking devices. Companies will have to tell users if such technologies are in place and must offer users the chance to refuse them.

A spokesman for the DTI said that firms would either have to alert visitors to the potential use of cookies on the first page of their web sites or they should direct users to another page where they can agree, or not agree, to the use of cookies. "Companies must give users the chance to opt out," he said.

However, although aspects of cookie technology have also been covered by the Data Protection Act for some time, many firms seem to be breaking the law, according to a survey carried out by data protection watchdog the Information Commission and the University of Manchester Institute of Science and Technology (Umist). In a study of 3,000 web sites where users were likely to be asked to divulge personal information, almost half placed cookies on users' computers, but only 27 percent provided information on how to question or complain about privacy matters or misuse of data.

However, organisations are becoming more aware of their responsibilities in this area. John Barker, a solicitor at law firm LCF, said he deals with many companies asking how their web sites should comply with the law, and the subject of cookies is increasingly high on the agenda. "This is an issue that my clients are aware of and that concerns them," he commented.

Barker said that as a rule whenever cookies are in use, sites should include information on their home page about the cookies and what they will be used for, or refer users to this information on another site.

He added, "The company using [cookies] must give users the opportunity to opt out, either via a box to check or on a separate web site."

Barker warned that if cookies can identify individuals, firms should comply with data protection guidelines issued by the government's Information Commission. He added, "We undertake web site reviews frequently and we advise that if personal data is collected then it is good practice to obtain consent before this is done. Any [breaches and resulting] enforcement of this will be up to the Information Commission."

Iain Bourne, strategic policy officer at the Information Commission, agreed with this advice, but noted that in many cases firms are confused about their obligations. He added, "There is a basic transparency problem - if people are putting something online and onto your machine that will profile the user then that is an invasion of computer privacy and you should have the right and the opportunity to say no and refuse it."

Barker said that failure to comply with the new law could result in legal action. "The possibility is that the Information Commission might choose to make an example of your firm," he added.

However, Barker said that compliance did not mean that warnings about cookies had to be the most prominent information on web sites, detracting from the business elements. "It would be unreasonable to have a message on the front page of the web site, but it is a good idea to have a link that explains the use of cookies. If this is clear then this implies consent."