Most top UK websites are breaking new rules which require them to do more to protect web users' privacy.
Net users should be able to reject cookies easily if they wish
WebAbacus research found 98% do not give enough information about the text files which track user movements, or provide a single-click opt-out option.
"Companies are either not aware of the legislation, or are ignoring it," said Ian Thomas from WebAbacus.
The Privacy and Electronic Communications Regulation, effective on Thursday, also aims to control spam.
The Information Commissioner - the organisation which enforces the regulations - was "very surprised" so many websites were not doing what is required, even though these regulations have been on the horizon for a long time.
"There should be transparency. People should know what is going on with the information collected about them," Phil Jones, assistant information commissioner, told BBC News Online.
"People should recognise that the information collected is only benign - but they should be alerted to the ways that data is going to be used."
He added he hoped that the situation would improve "fairly quickly".
Only 2% were totally compliant with the rules.
Making them plain
Cookies give websites a "memory", and are mainly used for identification purposes, or remembering registration details. Others use them to target returning visitors with relevant services and information.
Although usually benign, care needs to be taken to ensure poorly-designed websites are not able to store confidential information, like credit card numbers, on users' machines without any encryption or security, according to Mr Thomas.
The rules on cookies, set out in regulation six of the new digital privacy legislation, aim to ensure they are not misused.
What they are, their purpose and how to reject them should be explained clearly, in non-technical language, say the rules.
"Indeed, it is very difficult for websites to provide useful features and services without cookies."
But he added there was "no excuse" for sites not to provide users with a single click opt-out, because it is very simple to do.
Most of the legislation's focus is on the rules that try to curb spam, which now accounts for more than half of all e-mail traffic.
The new laws are the UK's interpretation of the requirements of the EU Directive on Privacy and Electronic Communications that demands member states do more to combat spam.
The UK law tries to create a system that lets legitimate businesses send direct e-mail to users but attempts to stop the scammers and spammers by punishing them with fines.
Companies can send unsolicited mail to customers who have agreed to receive it.
Unsolicited spam can be sent to companies, but it must have an opt-out clause inside it.
Spam to consumers is banned.
Critics say the spam regulations 'lack bite'
Research by the Direct Marketing Association and e-mail marketing firm Experian showed that 26% of marketers are confused about the new directive and do not know what impact it will have on their business.
Critics of the UK approach say the laws do not go far enough.
"The whole problem with these laws is that they are geared to spammers being honest and respecting laws," said Steve Linford, founder of anti-spam organisation The Spamhaus Project.
"And of course there are no honest spammers - the whole profession is based on deceit."
Others pointed out that they will make little difference to the amount of junk mail people receive.
Filtering firm Clearswift pointed out that the regulations only apply to firms within Europe but the majority of unwanted - and offensive - spam comes from the US.
Alyn Hockey, Clearswift's Director of Research, said it was encouraging that the authorities recognised the growing irritation with spam.
"But," he added, "what about all the mail emanating from abroad? It's hardly going to discourage the spamming hardcore from peddling their wares."
The fines that the regulations impose are also too light, say critics. Junk mailers face a fine of about £5,000 for sending unwanted mail.
Anti-virus and spam fighting firm Avecho said net service providers could do much more to combat spam.
It proposes setting up a caller identification system for the net similar to that operating on fixed phone lines.
The system would allow people to be verified online, allowing spammers to be traced, or for their mail to be blocked if they refuse to be identified.
Nick Scales, chief executive of Avecho, said net service firms could set up a caller-ID type system very quickly and easily.
"All the infrastructure and databases are already there," he said, "they just need configuring."