Cookies do not in themselves present a threat to privacy, since they can only be used to store information that the user has volunteered or that the web server already has. Whilst it is possible that this information could be made available to specific third party websites, this is no worse than storing it in a central database.
It's not possible for a webpage to view cookies set by other sites, as this would represent a privacy and security problem.
Enforcement agencies will take action against the legal entity behind a website therefore if your website is hosted in the US but you live in the UK, action will be taken against you regardless of this.
The time of expiry of a cookie can be set when the cookie is created. By default the cookie is destroyed when the current browser window is closed, but it can be made to persist for an arbitrary length of time after that.
This cookie is one of Microsoft's Hotmail which has the filename firstname.lastname@example.org and shows the typical cookie (.txt is the standard filename extension for text files):
HMP1 1 hotmail.msn.com/ 0 1715191808 32107852 1236821008 29449527 *
These codes will only make sense to Microsoft's MSN Hotmail servers.
Each cookie is effectively a small lookup table containing pairs of (key, data) values - for example (firstname, John) (lastname, Smith). Once the cookie has been read by the code on the server or client computer, the data can be retrieved and used to customise the web page appropriately.
The cookie law came into effect in the UK on 26 May 2011. However there was a one year grace period granted by the Information Commissioners Office (ICO) meaning that many websites didn't make any changes whatsoever until 2012.
Many websites across the EU are still not compliant with the law, these website owners could be facing enforcement action by regulators.
Any business or person who owns a website that is targeted to people within the EU has to comply regardless of where the website is hosted or the country of the business/persons residency.