An AI code generator can turn a one-line prompt into a working web application in minutes, complete with a sign-up form, analytics, and a third-party chat widget. What it does not produce is the consent layer that European law demands before any of those trackers run. The generated app sets cookies and calls advertising endpoints on the first page load, and under the ePrivacy Directive and GDPR, the person who deploys it, not the model that wrote the code, answers for the gap.
The tools have improved at shipping software. They have not started shipping compliance. A 2026 assessment against the specific rules of cookie law shows the same shortfall in almost every output, whichever tool produced it.
What Counts as an AI Code Generator in 2026
The label covers two related but distinct categories of tool, and the distinction matters for what ends up in the deployed code.
The first group is AI coding assistants that sit inside a developer's editor and write or suggest code while the developer stays in control. Cursor, the most widely used, passed 800,000 monthly active users in 2026, with GitHub Copilot and Windsurf in the same bracket. A developer using one still owns the architecture and can add a consent layer by hand.
The second group is AI app builders that generate a full, deployable application from a plain-English description: frontend, backend, database wiring, and hosting. This is the category that turns out finished sites for people who may never read the code. It includes Lovable, Bolt.new, v0 by Vercel, Replit, Base44, Firebase Studio, a0.dev, and Cloudflare VibeSDK, alongside hosted AI website builder services. The practice, often called vibe coding, was Collins Dictionary's word of the year for 2025.
The output is functional and increasingly production-grade. The catch: what counts as production-grade to a code generator and what counts as compliant to a regulator are not the same checklist.
What Cookie Law Actually Requires
Cookie consent in the European Union runs on the ePrivacy Directive, not on GDPR alone. Article 5(3) requires prior, informed consent before storing or accessing any information on a user's device that is not strictly necessary for the service the user asked for. Analytics, advertising, and most chat or embed widgets fall on the consent side of that line.
GDPR sets the standard for what consent has to look like. Under Article 7, it must be a freely given, specific, informed, and unambiguous affirmative action, with no pre-ticked boxes and the burden of proof on the site operator. The European Data Protection Board's Guidelines 2/2023, finalised in October 2024, confirmed that the same prior-consent rule reaches beyond cookies to tracking pixels, URL-based tracking, and device fingerprinting.
A working banner has to let a visitor refuse as easily as accept, with the reject path no harder to reach than the accept button. France's highest administrative court confirmed in March 2026 that legitimate interest is not an alternative basis for tracking that the law reserves for consent.
Sites with United States traffic face a parallel regime. The CCPA takes an opt-out approach rather than opt-in, but it still requires a clear "Do Not Sell or Share" opt-out link and the honouring of opt-out preference signals. The rubric a compliance review measures against, then, is concrete: prior consent, a real reject option, blocking until consent, a cookie policy, an opt-out path for United States visitors, and records to prove all of it.
Scoring the Generators Against the Rules
Run the output of a typical AI app builder against that rubric and the result is consistent: the code works, the consent layer is absent. The table below scores what a generated application ships by default against the law.
| Cookie-law requirement | What an AI code generator ships by default | Verdict |
|---|---|---|
| Prior consent before non-essential cookies (Article 5(3)) | Analytics and marketing scripts load on first page view, before any choice | Fail |
| Valid, affirmative consent with no pre-ticked options (Article 7 GDPR) | No banner at all, or a notice-only bar with a single accept button | Fail |
| Reject as easy as accept | No reject control is generated | Fail |
| Script blocking until consent is recorded | Tags are hard-wired into the markup and fire unconditionally | Fail |
| A cookie policy listing each cookie, purpose, and duration | No policy page is produced | Fail |
| CCPA opt-out for United States traffic | No "Do Not Sell or Share" link or signal handling | Fail |
| Consent records for the accountability burden of proof | No log of who consented to what, or when | Fail |
The pattern holds because none of these tools treats consent as part of a working application. A code generator optimises for a running product: a form that submits, a database that stores, an analytics tag that reports. Consent is a legal constraint outside that definition of done, so unless a prompt asks for it explicitly, and few do, it never enters the code. This is the heart of what an AI builder does not generate: the visible app is complete while the compliance scaffolding behind it is missing.
Who Answers When the Output Breaks the Rules
The tool's terms of service do not transfer legal responsibility, and "the AI generated it" carries no weight with a regulator. Under GDPR, liability follows the data controller: the party that decides why and how personal data is processed. Deploy an AI-generated app under a domain, point it at real visitors, and collect their data, and that controller is the deployer, not the company behind the model.
The same allocation applies to vibe-coded apps built by non-developers and to AI-built apps assembled from prompts. The model is, at most, a processor acting on instructions, and often not even that. Whoever ships the site owns the obligation to obtain consent, document it, and answer access or deletion requests.
What 2026 Enforcement Shows
Enforcement does not ask how a site was built. It asks whether trackers fired before consent and whether refusal actually worked, and on both counts the figures have grown sharply.
France's CNIL led the way. In 2025 it issued 83 sanctions totalling approximately EUR 486.8 million, with cookie and tracking violations accounting for the bulk. On a single day in September 2025 it fined Google EUR 325 million and the retailer Shein EUR 150 million, both for setting advertising cookies before valid consent and for refusal mechanisms that did not match the ease of acceptance. In November 2025 it fined American Express Carte France EUR 1.5 million for three failures regulators see constantly: cookies placed before any choice, cookies placed despite a refusal, and cookies still read after consent was withdrawn.
That last point matters for AI-generated apps in particular. Recording a preference is not enough; the code has to stop the scripts from running, and an app that wires its analytics tag straight into the page keeps firing no matter what a bolted-on banner records. That is the precise failure pattern these enforcement actions target.
None of these fines turned on novel technology. They turned on cookies set before consent, the one thing an AI code generator does by default.
Where the EU AI Act Fits In
A second regime now sits alongside the cookie rules. The EU AI Act entered into force in 2024 and becomes broadly applicable on 2 August 2026, with penalties reaching EUR 35 million or 7 percent of global annual turnover. It governs the AI system and its provider, not the cookies on the site it helped build, and it does not replace or relax the consent duties under the ePrivacy Directive and GDPR; the two frameworks apply in parallel. For a deployer, the relationship is worth reading through a side-by-side view of GDPR and the AI Act, but the takeaway is simple: building with an AI tool does not move a single cookie obligation off the deployer's plate.
Closing the Compliance Gap on AI-Generated Code
The fix does not require rebuilding the application. It requires adding the layer the generator skipped, in five steps.
Start by finding out what the app actually sets. A cookie scanner crawls the deployed site and lists every first-party and third-party cookie, pixel, and tag, from the _ga cookie a Google Analytics tag drops to the _fbp cookie a Meta pixel sets, including ones a generated integration pulled in silently.
Sort that inventory into cookie categories: strictly necessary, functional, analytics, and marketing. Only the strictly necessary set, such as a PHPSESSID session cookie, may run without consent; everything else waits.
Block the non-essential scripts until consent is recorded. This is the step that most often fails on AI-generated sites, because tags are hard-wired into the markup. They have to load conditionally instead, and where an analytics stack relies on Google Consent Mode v2, the consent signal has to feed it correctly.
Add a banner that offers a genuine reject option, equal in prominence to accept, and record each choice so the consent is provable. Then publish a cookie policy that lists every cookie, its purpose, and its retention period.
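The conditional loading the blocking step calls for, as an added example that is not Kukie.io's code or any generator's output: the scan's inventory sorted into categories, a gate that loads a script only once its category is granted, the Google Consent Mode v2 signal derived from the same consent record, and the cookie clean-up a withdrawal needs so that tracking actually stops rather than merely being logged. Tag ids, script URLs, cookie names and the measurement id placeholder are assumptions.

```javascript
// Added example, not Kukie.io's or a generator's code; tag ids, sources and cookie names are assumed.

// Inventory from the scan step, sorted into the categories from the sort step.
const TAG_REGISTRY = [
  { id: 'session', category: 'necessary', src: null, cookies: ['PHPSESSID'] },
  { id: 'ga4', category: 'analytics',
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER', cookies: ['_ga'] },
  { id: 'meta-pixel', category: 'marketing',
    src: 'https://connect.facebook.net/en_US/fbevents.js', cookies: ['_fbp'] },
];

// Starting state: only the necessary category runs until the visitor makes a choice.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Which tags may run under a given consent record (necessary ones always may).
function tagsAllowed(consent, registry = TAG_REGISTRY) {
  return registry
    .filter((t) => t.category === 'necessary' || consent[t.category] === true)
    .map((t) => t.id);
}

// The Consent Mode v2 signal derived from the same record, so gtag sees the visitor's choice.
function consentModeV2Payload(consent) {
  const g = (v) => (v ? 'granted' : 'denied');
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
    functionality_storage: g(consent.functional),
    security_storage: 'granted',
  };
}

// Moves from one consent state to the next: loads newly granted tags through the injected
// loader and names the cookies to delete for any category refused or withdrawn.
function applyConsent(prev, next, loadScript, registry = TAG_REGISTRY) {
  const loaded = [], cookiesToDelete = [];
  for (const tag of registry) {
    if (tag.category === 'necessary') continue;
    const was = prev[tag.category] === true;
    const now = next[tag.category] === true;
    if (!was && now && tag.src) { loadScript(tag.src); loaded.push(tag.id); }
    if (was && !now) cookiesToDelete.push(...tag.cookies);
  }
  return { loaded, cookiesToDelete, consentMode: consentModeV2Payload(next) };
}
```

In a browser, loadScript would append a script element to the document and the returned cookie names would be expired on the site's domain; the loader is injected so the gate itself runs without a DOM.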
A consent management platform handles the scanning, blocking, banner, and logging as one layer over the existing site, and Kukie.io's free plan covers a single site at no cost. The application the generator built can stay exactly as it is; the compliance layer goes on top.
Frequently Asked Questions
Do AI-generated websites need a cookie banner?
Yes, if the site sets any non-essential cookies or trackers and has visitors in the European Union or United Kingdom. Analytics and advertising scripts require prior consent under Article 5(3) of the ePrivacy Directive, no matter which tool generated the code.
Is the AI tool or the website owner responsible for GDPR compliance?
The website owner. Whoever deploys the app and collects visitor data is the data controller and carries the legal responsibility. The terms of service of an AI code generator do not transfer that duty to the model provider.
Do AI code generators add cookie consent automatically?
Not by default. Tools such as Cursor, Bolt.new, v0, and Lovable produce working applications with analytics and tracking already wired in, but they do not generate a consent banner, script blocking, or a cookie policy unless a prompt asks for it specifically.
Can I be fined for cookies on an app I built with AI?
Yes. Regulators act against the site operator, not the code generator. In 2025 the French CNIL issued 83 sanctions totalling around EUR 486.8 million, mostly for cookies set before consent, the exact behaviour a generated app shows by default.
Does the EU AI Act cover cookie consent?
No. The EU AI Act regulates AI systems and their providers. Cookie consent stays governed by the ePrivacy Directive and GDPR, and the two frameworks apply at the same time without replacing each other.
How do I make an AI-built app GDPR compliant?
Scan the deployed app to list every cookie and tracker, block the non-essential scripts until consent is given, show a banner with an equal reject option, log each choice, and publish a cookie policy. A consent management platform can add this layer without changing the generated code.
Build AI-Generated Apps That Pass the Cookie-Law Test
If you have shipped an app built with an AI code generator, it is probably running trackers that European law expects you to gate behind consent. A scan shows exactly which cookies and tags are firing, and the consent layer takes minutes to put in place. Kukie.io detects and categorises every cookie on the site and manages the banner, blocking, and consent records as one layer over what the generator built.