The Information Commissioner's Office (ICO) says "education is key" to getting firms to comply with the recently introduced "cookie law", but is threatening legal action against those who do nothing about complying now.

The law became active this spring following a directive from the European Commission on the use of cookies on websites, with the main aim of protecting website visitors and their private data.

Cookies are small files that are downloaded on to a website visitor's desktop or mobile device, and are usually designed to make it easier for the visitor to more easily navigate the site the next time they visit or to complete transactions quicker.

The European Commission felt web users should have advance warning of files being downloaded on to their machines, and to be able to stop the process if they so wished.

The ICO is now calling on more firms to move towards compliance, although many larger firms have already made the first move towards complying by at least warning users that cookies are used when they visit sites.

ICO industry strategic liaison manager Dave Evans said: "The vast majority of businesses want to operate within the law, and it is for the ICO to make sure they're aware - through education - what that means in practice."

He added: "From some initial conversations that involved having to explain what a cookie even was, we're now at a stage where businesses should know they have to respond to the law."

Recent research shows nearly two thirds of UK websites had taken steps to address the cookie law, but the majority had still only done the minimal amount to alert visitors to their use of cookies.

In the survey of 231 websites by data privacy management firm TRUSTe, only 12% were found to have implemented prominent privacy notices with "robust" cookie controls. Meanwhile, 51% had minimal privacy notices with limited cookie controls, and 37% had taken no steps to comply with the directive.

Evans said a "fair number" of firms had already started to educate their website users about the use of cookies. He said some sites had failed to engage with the ICO at all, and that they were now being set a deadline to take steps towards compliance, "with formal enforcement action likely if they fail to meet this deadline". Failure to act on an enforcement notice is a criminal offence.

However, Evans confirmed that no enforcement notices had been issued yet. "Some people will feel we're not being strict enough, but we're happy with the work we've done in the background to ensure any action taken is credible and proportionate," he said.

The ICO has so far received 380 responses from consumers through its online cookie concern reporting tool.