Some of the UK's most visited websites could face fines unless they make it clearer that cookies are optional.
Cookies are small files websites store on your computer to collect analytic data, personalise online ads and monitor web browsing.
The Information Commissioner says some major sites are not giving users "fair choices" about their use.
It has given them 30 days to comply with the law which says it should be as easy to reject as accept all cookies.
The watchdog has not named the sites it has issued enforcement notices to.
Some cookies help websites to function properly, but others can be used to track users and serve them with advertisements based on their browsing.
Cookies can be used to record various kinds of data about users including:
- what you do on the site
- whereabouts in the world you are
- what device you are using
- where you go online afterwards
From the point of view of many websites, cookies are a vital part of selling the advertising on which they depend.
But that advertising can feel intrusive. Many people will have the experience of visiting a website, or making a purchase and then having related ads appear on all the sites they visit.
Cookie pop-ups can be annoying but they are meant to be a way for users to control cookies. However, they are often unclear - for example, closing the box without making a selection will opt you in or out depending on the website.
'Accept all'
The Information Commissioner's Office (ICO) has previously issued guidance that organisations must make it as easy for users to "reject all" advertising cookies as it is to "accept all".
Websites can still display adverts when users reject all tracking, but must not tailor these to the person's browsing.
Currently, the regulations governing cookies are split between the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
The PECR has become known as the "cookie law" since its most visible effect was the implementation of cookie consent pop-ups.
But legislation currently working its way through Parliament aims to change the PECR to reduce the number of cookie pop-ups.
The data protection and digital information bill will allow websites to collect some types of information used for improving a service or for security without consent - something that has concerned some digital privacy groups.
It also gives ministers the power to add new exceptions to the cookie consent requirements.
Stephen Almond, the watchdog's executive director of regulatory risk, said their research signalled that many people were worried about companies using their personal information without their consent.
"Gambling addicts may be targeted with betting offers based on their browsing record, women may be targeted with distressing baby adverts shortly after miscarriage and someone exploring their sexuality may be presented with ads that disclose their sexual orientation," he said.
"Many of the biggest websites have got this right. We're giving companies who haven't managed that yet a clear choice: make the changes now, or face the consequences."
The ICO will provide an update on this work in January, including details of companies that have not addressed their concerns.
The action is part of its broader work to ensure that people's rights are upheld by the online advertising industry.