By default, none of these five AI app builders generates a compliant cookie banner. Lovable, Bolt, v0, Replit and Base44 each turn a written prompt into a working application, but none of them adds the consent layer that EU law requires before a tracking cookie is stored, and none holds back third-party scripts until a visitor agrees. The gap is close to identical across all five. The moment one of these apps serves a visitor in the EU or UK, the person who deployed it becomes the data controller, and the controller is the one a regulator writes to.

This audit scores each builder against a fixed five-point checklist for default behaviour, then explains why the result is the same regardless of which tool generated the code and how to close the gap without rebuilding the app.

What Does "Cookie Consent by Default" Actually Mean?

"By default" means the generated output as it ships, with no extra prompting and no manual configuration. A compliant cookie banner is an interface that requests informed, prior, specific consent before any non-essential cookie or tracker is set, and that makes refusing as easy as accepting. That standard comes from Article 5(3) of the ePrivacy Directive, transposed into national law such as Article 82 of the French Data Protection Act, and it applies to the website operator, not the tool that built the site.

An app generator produces a product, not the compliance obligations that come with running it. The checklist below is what a regulator effectively tests when a complaint lands, and it is the rubric used for every builder in this audit:

  • Banner on by default - does the generated app show any consent interface at all?

  • Scripts blocked first - are analytics and marketing tags held back until consent is given?

  • Reject equals accept - is refusing trackers as easy and prominent as accepting them?

  • Consent logged - is there a stored record proving what each visitor chose and when?

  • Geo-aware - does the app apply different rules to EU, UK and other visitors?

Working out which scripts trigger which obligation is the first practical step, and it maps onto the standard cookie categories: strictly necessary cookies are exempt, while analytics and marketing cookies need consent first.

How Does Each AI Builder Score by Default?

Every one of the five fails the same checklist. None ships a banner, none blocks scripts before consent, none logs consent, and none varies behaviour by region unless a developer wires that in by hand. What differs between them is where the app runs and which analytics, if any, they switch on by default, and those differences change how much work closing the gap takes.

AI builderConsent banner by defaultBlocks scripts before consentDefault analyticsWhere the app runs
LovableNoNoNone until addedYour host or Lovable
Bolt.newNoNoNone until addedYour host after export
v0 by VercelNoNoVercel Web Analytics (cookieless), if enabledVercel
ReplitNoNoNone until addedReplit hosting
Base44NoNoNone until addedBase44 / Wix cloud

Lovable

Lovable generates a React front end, usually backed by Supabase for authentication and data. A fresh project ships with no consent banner. If the prompt asks for analytics, or a developer pastes in a Google Analytics or Meta Pixel snippet, those tags load on first paint and set _ga and _fbp before the visitor has seen any choice. The code is yours to edit, which helps, but nothing in the default output gates it.

Bolt.new

Bolt.new builds full-stack apps in the browser and exports to frameworks such as Next.js or Vite. The result is the same: no banner, no script gating. A common pattern is an embedded analytics or chat widget added during a build session, which fires its own cookies the instant the page loads. Bolt is good at scaffolding a working MVP quickly, and that speed is exactly why the consent layer gets skipped.

v0 by Vercel

v0 produces Next.js components and deploys naturally to Vercel. It does not generate a consent banner either. v0 is the one partial exception in the group, but only in a narrow sense covered in the next section: an app that uses nothing but Vercel Web Analytics may have no cookies to gate. Add Google Analytics, Stripe in a tracking configuration, an embedded YouTube player or any ad pixel, and the app needs consent like every other.

Replit

Replit and its Agent generate and host full-stack apps end to end. The default deployment carries no consent banner and no script blocking. Because Replit hosts the app for you, developers often assume the platform handles compliance. It does not, and the deployer remains responsible for whatever the app sets on a visitor's device.

Base44

Base44 generates a full-stack app with its database, authentication, hosting and deployment all inside its own cloud. A generated app ships with no consent banner and no script gating. Base44 sits in a different position to the others because of who owns it, which the next section covers.

Why Is Base44 a Special Case After the Wix Acquisition?

Base44 is the only builder in this audit owned by a larger website company, and that ownership creates a specific trap. Wix acquired Base44 in June 2025 for around 80 million USD plus earn-outs, and folded it into its vibe coding line. Wix sells a mature cookie consent banner for Wix sites, so it is reasonable to assume a Base44 app inherits it. It does not. The Wix banner is part of the Wix site editor, not the Base44 app generator, and a standalone Base44 app gets none of that tooling by default.

There is a second wrinkle. Base44 keeps the backend, database and authentication inside its own managed cloud rather than exporting code the way Lovable and Bolt do. That makes for fast launches, but it concentrates personal data on infrastructure the deployer does not control, which raises real questions about data residency and the handling of access and deletion requests under GDPR. None of that removes the front-end obligation: cookies set in the visitor's browser still need consent, and configuring that is still the deployer's job, not Wix's.

Is the v0 and Vercel Analytics Exception Real?

Yes, but it is narrow and easy to lose. Vercel Web Analytics is genuinely cookieless: it identifies a visitor by a hash derived from the incoming request rather than a stored cookie, discards that hash after 24 hours, and keeps only aggregated data. An app that measures traffic with nothing but Vercel Web Analytics can legitimately run with no cookie banner, because there is no non-essential cookie to consent to.

The exception collapses the moment a second tool joins. Vercel's own cookie policy states plainly that customers who add cookies to a site hosted on Vercel are solely responsible for managing that data, obtaining consent and informing end users. A v0 app with Google Analytics 4, an advertising pixel that sets _gcl_au, an embedded map or a third-party chat widget is back in full consent territory. The cookieless default is a real advantage for simple traffic counting, not a general exemption, and most production apps outgrow it fast.

What Have Regulators Actually Fined for Cookie Defaults?

The exact failure these builders ship by default, cookies set before any banner appears, is what regulators have been fining, and the amounts have climbed. On 1 September 2025 the French CNIL fined Google 325 million EUR over invalid cookie consent and Gmail advertising, and on the same day fined SHEIN 150 million EUR, partly because advertising cookies were placed on visitors' devices the instant they arrived, before the banner was shown.

Smaller operators are not exempt. In November 2025 the CNIL fined the publisher of vanityfair.fr 750,000 EUR for placing cookies without consent. Across 2025 the CNIL issued sanctions totalling more than 486 million EUR, with cookies among the main subjects, and it sanctioned 21 separate entities for tracker breaches alone. The pattern is consistent: setting non-essential cookies before consent, hiding the reject option, and failing to record what visitors chose. A default AI-built app that fires _ga on page load reproduces the first of those failures exactly. A builder-by-builder comparison of where each cookie originates makes the same point from the cookie side.

Does the 2026 Digital Omnibus Change Any of This?

No, not for the default gap. The European Commission published its Digital Omnibus proposal on 19 November 2025 to simplify cookie rules and reduce consent fatigue. As of mid-2026 it is a proposal, not law, and the GDPR and ePrivacy Directive remain fully in force. Even if adopted as drafted, consent stays mandatory for advertising, profiling, cross-site tracking and most third-party analytics, which is precisely what these apps load by default.

The proposal would move cookie rules into the GDPR under a new Article 88a, widen the exemptions for first-party aggregated analytics, add a six-month cooldown before a refused visitor is asked again, and push toward browser-level consent signals. It also tightens banner design by requiring reject and accept to carry equal prominence. That last change makes any banner an app does show harder to get right, not easier, and it does nothing for an app that shows no banner at all. The earliest practical effect is late 2026 or 2027, with phase-in periods stretching years beyond that, so today's rules are the ones that bite. Different rules apply in the United States, where the CCPA uses an opt-out model, and consent rules in other jurisdictions vary again.

How Do You Close the Default Gap on Any of the Five?

The fix is the same whichever builder produced the app, and it does not mean rewriting the product. Three steps cover it: find every cookie the app sets, gate the non-essential ones behind a banner, and keep a record of consent. A vibe coding workflow can absorb all three without losing its speed.

Start by scanning the deployed app rather than trusting the prompt, because generated apps often pull in cookies through dependencies a developer never named. Kukie.io's scanner detects first-party and third-party cookies on a live URL and sorts them into categories. From there, a consent management platform renders the banner and, the part most setups get wrong, holds scripts back until consent is given. For a tag-managed stack that means you block Google Tag Manager from firing until the visitor agrees; for hand-rolled snippets it means you load scripts only after consent. Geo-detection then applies the right rules to EU, UK and other visitors, and a consent log stores the proof a regulator asks for. The free plan covers a single small site, which is enough to fix one vibe-coded app end to end.

Frequently Asked Questions

Do AI app builders add a cookie banner automatically?

No. Lovable, Bolt, v0, Replit and Base44 all generate working apps without any consent banner, so the banner has to be added before the app collects EU or UK visitors.

Is a Lovable or Bolt app GDPR compliant out of the box?

Not for cookies. A default project sets analytics and marketing cookies as soon as those scripts are added, with no consent step, which is the exact behaviour regulators have been fining.

Does a v0 app need a cookie banner?

Only if it uses cookies. An app running purely on cookieless Vercel Web Analytics may not need one, but adding Google Analytics, an ad pixel or most third-party widgets brings the consent requirement straight back.

Does Base44 use the Wix cookie banner?

No. The Wix consent banner belongs to the Wix site editor, not the Base44 app generator, so a standalone Base44 app ships without it and the deployer must add consent separately.

Who is responsible for cookie consent on an AI-generated app?

The person or business that deploys the app is the data controller and carries the legal responsibility, not the AI tool that wrote the code or the platform that hosts it.

Will the EU Digital Omnibus remove the need for cookie banners?

Not for tracking. As of 2026 it is a proposal, and even if passed it keeps consent mandatory for advertising and most third-party analytics while making banner design rules stricter.

How do you add cookie consent to an app you built with AI?

Scan the live app to find every cookie, add a consent banner that blocks non-essential scripts until the visitor agrees, and store a consent record. A cookie scanner and consent platform handle all three without rebuilding the app.

Audit Your AI-Built App in Minutes

If you shipped an app from Lovable, Bolt, v0, Replit or Base44, the cookies it sets are your responsibility, not the builder's. Kukie.io scans the live app, blocks non-essential scripts until visitors consent, and logs every choice across EU, UK and other regions.

Start Free - Scan Your AI-Built App