Most websites nowadays use ‘cookies’ (as I will explain) and the European Union has passed a law which means we all have to take action. Your clients need to take action, but so do you, as your firm has a website too.

What are cookies? They are tiny files that websites place on visitors’ computers. Cookies are helpful and provide many benefits. For example, they can automatically log a user in next time they visit a website - imagine having to type in your password every time otherwise.

Even small websites tend to use cookies, combined with free tracking software (analytics), to reveal which pages users visit on the site. But cookies (including third-party cookies) are also used on commercial websites to target future advertising at users, which many users would rather avoid; hence the new law.

So what do you need to do?

The EU’s Privacy and Communication Directive came into force on 26 May 2011 and will supposedly be enforced from 26 May 2012 onwards. Sounds a bit vague? You get the picture. Put simply, the law says that before putting a cookie on anyone’s computer, that user must opt in on an informed basis.

Millions of websites suddenly switching to an opt-in approach? All with pop-ups to explain which cookies are used and why? It sounds like a pretty irritating interruption that will put a lot of people off visiting a lot of completely harmless websites, doesn’t it?

This technology site is an example of what to expect, although you’ll notice that it is opt out and not opt in.

As a publisher of websites covering law, marketing and IT among other things, we went straight to Dave Chaffey, the UK internet marketing guru who writes and lectures on matters such as cookies. Chaffey explained that the regulator, the Information Commissioner's Office in this case, is not expecting instant compliance even after 26 May 2012. Although not strictly legal, you are unlikely to be prosecuted provided that you are 'moving towards compliance'. Plus, there are exceptions (‘strictly necessary’ cookies... which even the ICO itself has).

Phew. That sounds a bit more realistic for the real world (outside Brussels) that most of us inhabit.

Although some law firms may choose to be fully compliant on day one, I expect that most of them will take a wait-and-see attitude. After all, this new EU law is not about law firm websites, it is about intrusive advertising and passing on personal data.

And what will law firms advise their clients? To spend precious time and money becoming compliant to the letter of the law? Or will they offer more ‘commercial’ advice, suggesting that clients save their money but stay out of trouble by simply moving towards compliance, at least until one sees how things turn out in the next few months?

No need to ask what all the website developers will recommend. The ICO’s stipulated website adjustments seem like a bit of a windfall for them.

Here, Blue Peter style, is an example of a website that has shown a move towards compliance for some time. Read the current Privacy Policy, Cookies section of the legal resource centre of Gregg Latchams. We used simple online cookie audit software to establish which cookies were in use, then, as you can see, we put this into a clear, accessible explanation. The main Gregg Latchams website (hosted by Conscious Solutions) will be fully compliant by 26 May, but this element of the website is not live in the meantime.

You can find a list of cookie audit software in the guide Coping with the EU cookie laws.

And finally, as this is a blog after all, here’s my chance to predict the future. The law will work to the extent that more websites will now reveal what cookies they are using, which is a good thing.

The law will gradually make the more reputable commercial websites move to an opt-in approach, after a messy initial period when users will be confused and put off. The law will also waste lots of taxpayers’ money as thousands of public sector websites - which were never a problem in the first place - dutifully comply.

But most websites are pretty harmless in terms of cookies/privacy and will simply continue as before (perhaps with some standard cookie wording added to their privacy statement).

Which brings us to the $64m question: enforcement. I imagine that the ICO will be completely toothless when it comes to enforcing the cookie law, just as it has been 100% ineffective in enforcing the EU’s anti-spamming laws. What about all the offshore websites that sell to EU citizens, for a start?

The ICO site is compliant (see top) and is rumoured to have instantly lost tracking of over 90% of its users. Tracking is the ‘eyes and ears’ of any website and in this respect compliance comes with a pretty severe price tag for what it achieves in return.

It’s now 10 May and we’ve less than three weeks to go. I know of many websites that will switch over to a compliant version a week before 26 May. But has anyone seen examples of full compliance already being put into practice on a commercial website? I would be interested to know.

Rory MccGwire is chief executive of BHP Information Solutions