AI website builders can put a site online in under ten minutes from a single prompt. They cannot put a working cookie consent system on it. Platforms like Wix AI, Squarespace AI, Hostinger Horizons, 10Web, Durable, Lovable, and Bolt generate the layout, copy, and theme, then leave visitors with analytics scripts firing before any banner appears.
That gap is where the legal risk sits.
Why an AI Builder Does Not Equal Compliance
AI builders are designed to ship websites quickly. Compliance is not a generation target. When the builder wires up a contact form or a chat widget, it usually loads supporting third-party scripts at the same time, and those scripts set cookies. Under Article 5(3) of the ePrivacy Directive, storing information on a visitor's device, or reading information already stored there, requires prior consent unless it is strictly necessary for a service the visitor explicitly requested. That covers cookies, localStorage entries, and tracking pixels alike, and the consent has to exist before the storage happens, not after.
Most AI builders ship with a simple banner toggle. Some do not even include that. The banner that does appear is typically a single accept button with no reject option, no category breakdown, and no script-blocking logic behind it. Dark patterns like asymmetric design and pre-ticked boxes are exactly what the French CNIL has been fining heavily through 2025.
The Site Owner Is the Data Controller
Under Article 4(7) of the GDPR, the data controller is the person or company that determines the purposes and means of processing personal data. When someone launches a site built with an AI tool and adds Google Analytics 4, a Meta Pixel, or Microsoft Clarity, those decisions belong to the site owner. The platform that hosts the site is, at most, a processor acting on the owner's instructions, and embedding a vendor's tracker makes the owner responsible for the collection that tracker performs on the site.
Liability does not transfer. A founder in Texas who uses Durable AI to launch a site visited by users in Berlin still falls under Article 3(2) of the GDPR, which extends the Regulation to controllers outside the EU that offer goods or services to people in the Union or monitor their behaviour there. Analytics and advertising trackers are behaviour monitoring, so where the business is registered does not matter. UK GDPR mirrors this for visitors in the UK, and the CCPA applies to qualifying businesses with California users.
What AI Builders Generate (and What They Miss)
The compliance output of an AI builder typically covers the visible surface and almost nothing behind it. A prompt like "add a GDPR cookie banner" returns a banner element. The scripts that should be paused behind that banner keep firing.
| What AI builders usually do | What they usually do not do |
|---|---|
| Insert a static cookie banner element | Block scripts before user consent |
| Auto-enable Google Analytics or Clarity | Implement Google Consent Mode v2 signals |
| Generate a generic privacy policy template | Maintain a cookie inventory tied to actual cookies on the site |
| Show one accept button | Provide an equal-prominence reject button |
| Store a single consent flag | Log a consent record with timestamp and choice for audit |
| Treat all cookies as one category | Separate analytics, marketing, and functional categories |
How the Major AI Builders Compare
The picture varies by platform. Some have first-party features that get part of the way. Most still leave the site owner responsible for the heavy lifting.
Wix exposes a Privacy and Cookies panel that adds a basic banner and lets visitors set preferences. Coverage is shallow: the banner does not scan for third-party trackers added through apps, and consent is not propagated to many embedded widgets. A dedicated consent solution for Wix is usually required for sites running paid ads or analytics.
Squarespace, similarly, ships a Cookie Banner module but limits granular category control and does not block scripts before consent on most plans. Sites built with Squarespace typically need an external CMP to satisfy CNIL or ICO guidelines.
Framer, Webflow, and Lovable lean on user-added embeds. Their AI features focus on design and content generation, not script governance. Cookie consent on Framer and Webflow is delegated to the site owner from day one.
Hostinger Horizons can scaffold a banner through a chat prompt and supports script wrapping for some integrations, but the resulting consent record is minimal and is not designed to stand up to a DPA audit. Tools like Bolt and Cursor generate code that compiles. Whether that code respects consent before triggering tracking depends entirely on the prompt and the developer's privacy literacy.
What 2025 Enforcement Looked Like
The CNIL had a busy year. On 1 September 2025, the regulator imposed €325 million on Google for displaying ads in Gmail without prior consent and using asymmetric Accept versus Reject interfaces during account creation, and €150 million on SHEIN's Irish entity INFINITE STYLES SERVICES CO. LIMITED for setting advertising cookies on shein.com before any user choice. On 20 November 2025, the publisher of vanityfair.fr was fined €750,000 for placing consent-required cookies as soon as a visitor arrived on the site. On 30 December 2025, a €3.5 million fine landed on a French retailer that set eleven non-essential cookies before consent and continued reading them after users had refused.
The CNIL sanctioned twenty-one separate entities in 2025 for cookie violations through its restricted committee and simplified sanction procedure. The pattern is consistent: scripts firing too early, refusal options buried or missing, and information that fails the informed, freely given standard for consent set by Articles 4(11) and 7 of the GDPR.
The UK is moving in the same direction. The Data (Use and Access) Act 2025 raises the maximum PECR fine from £500,000 to £17.5 million or 4% of global turnover, mirroring UK GDPR penalties. The ICO has announced audits of the top 1,000 UK sites.
Where the EU AI Act Adds Another Layer
The EU AI Act's obligations for providers of general-purpose AI models have applied since 2 August 2025, and most obligations for high-risk systems apply from 2 August 2026. The Act does not regulate cookies directly, but it can reach an AI system fed with cookie-collected data when that system profiles users or drives automated decisions, which is the mechanism behind Google Smart Bidding, Meta Advantage+, dynamic pricing engines, and many personalisation tools.
The interplay involves Article 22 of the GDPR on automated decision-making, the ePrivacy rules on storing and reading trackers, and the transparency requirements in the AI Act. The GDPR and the AI Act apply in parallel, not in place of each other. Penalties under the AI Act reach €35 million or 7% of global turnover for prohibited practices, with lower tiers of €15 million or 3% for other breaches.
If an AI-built site reuses cookie-based behavioural data to train, fine-tune, or validate an AI model, the consent originally collected for analytics does not cover that new purpose; the purpose limitation principle in Article 5(1)(b) of the GDPR requires a fresh, specific consent.
Building a Compliant Layer on Top of an AI Site
The practical fix is to treat the AI builder output as the front-end and bolt a real consent system on top. Five steps cover most cases.
First, scan the live site. A free cookie scanner walks every public page and lists every cookie, pixel, and tracker the AI builder pulled in, including the ones hidden inside embedded widgets and ad codes.
Second, categorise the findings. Necessary cookies stay on by default. Everything else (analytics, marketing, personalisation) needs prior, explicit consent. Knowing how to find cookies on a website is the prerequisite for an accurate inventory.
Third, replace the AI-generated banner with a consent management platform that blocks scripts until consent is granted, logs every choice, and respects withdrawal. Equal-prominence accept and reject buttons on the first layer are now table stakes after the SHEIN and Condé Nast decisions.
Fourth, wire up Google Consent Mode v2 if Google Ads or GA4 are present. The four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization) must be set to denied by default before any Google tag loads and updated once the visitor chooses. They tell Google's tags whether to run fully, run in a cookieless privacy-preserving mode, or set no cookies at all.
Fifth, set the banner to respect geographic rules. EU and UK visitors require opt-in; California users get a Do Not Sell or Share choice, and a Global Privacy Control signal from the browser has to be honoured as that opt-out; Brazil follows opt-in under LGPD. One configuration cannot satisfy every jurisdiction.
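The gaps in the earlier table and the five steps above reduce to a small amount of logic once the cookie inventory exists. What follows is an added example, not code from the page or from any builder or consent platform it names: the pure-logic core of a bolt-on consent layer, with regional defaults, per-category gating, a Consent Mode v2 mapping, an audit record, and a browser-side activator for scripts authored as inert `type="text/plain"` placeholders. The category names, the script inventory, the region codes, `POLICY_VERSION`, and the choice to drive all three of Google's ad signals from one marketing category are assumptions made for illustration.

```javascript
// Added example, not code from the page or from any builder or CMP it names.
// Pure-logic core of a consent layer bolted on top of an AI-generated site:
// regional defaults, per-category gating, Consent Mode v2 signals, an audit
// record, and a browser-side activator. Category names, the script inventory,
// region codes and POLICY_VERSION are assumptions chosen for illustration.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];
const POLICY_VERSION = '2025-12-01'; // assumed; bump whenever the cookie policy changes

// Constructed inventory. A real one comes from scanning the live site.
const SCRIPTS = [
  { id: 'ga4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE' },
  { id: 'clarity', category: 'analytics', src: 'https://www.clarity.ms/tag/example' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { id: 'chat', category: 'functional', src: 'https://chat.example/widget.js' },
];

// State before the visitor chooses. EU, UK and Brazil are opt-in, so every
// non-necessary category starts off. California is opt-out: categories start
// on unless the browser sends a Global Privacy Control signal, which counts
// as the Do Not Sell or Share choice. Region detection happens upstream.
function defaultConsent(region, gpc = false) {
  const optIn = ['EU', 'UK', 'BR'].includes(region);
  const on = !optIn && !(region === 'US-CA' && gpc);
  return { necessary: true, functional: on, analytics: on, marketing: on };
}

// Turn a banner choice into a full consent state. 'withdraw' behaves like
// 'reject_all' but is recorded separately so the audit trail shows the change.
function resolveChoice(choice, custom = {}) {
  if (choice === 'accept_all') return Object.fromEntries(CATEGORIES.map(c => [c, true]));
  if (choice === 'reject_all' || choice === 'withdraw') {
    return Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
  }
  if (choice === 'custom') {
    const state = { necessary: true };
    for (const c of CATEGORIES.slice(1)) state[c] = custom[c] === true;
    return state;
  }
  throw new Error(`unknown choice: ${choice}`);
}

// Scripts permitted under a consent state: necessary always, anything else
// only when its category is granted. Unknown categories are denied.
function allowedScripts(consent, scripts = SCRIPTS) {
  return scripts.filter(s => s.category === 'necessary' || consent[s.category] === true);
}

// Google Consent Mode v2 parameter names are Google's. Mapping our single
// marketing category onto all three ad signals is an assumption; split the
// category if the banner offers finer ad choices.
function consentModeParams(consent) {
  const g = v => (v ? 'granted' : 'denied');
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
    functionality_storage: g(consent.functional),
    security_storage: 'granted',
  };
}

// Audit record for one choice: what was chosen, the resulting state, when,
// for which region and policy version, plus the signals sent to Google.
function buildConsentRecord(choice, region, custom = {}, now = new Date()) {
  const consent = resolveChoice(choice, custom);
  return {
    timestamp: now.toISOString(),
    region,
    choice,
    consent,
    policyVersion: POLICY_VERSION,
    consentMode: consentModeParams(consent),
  };
}

// Browser side only. Tracking scripts are authored as
//   <script type="text/plain" data-consent="analytics" data-src="https://..."></script>
// so the browser never executes them on load; this swaps in live tags for the
// granted categories and pushes the update to gtag. Returns the number of
// scripts activated, 0 when there is no DOM.
function activateScripts(consent, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    const cat = el.dataset.consent;
    if (cat !== 'necessary' && consent[cat] !== true) continue;
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  }
  if (typeof globalThis.gtag === 'function') {
    globalThis.gtag('consent', 'update', consentModeParams(consent));
  }
  return activated;
}
```

In the page, call `gtag('consent', 'default', consentModeParams(defaultConsent(region)))` before any Google tag loads, persist the record server-side or in a first-party cookie that itself counts as necessary, and run `activateScripts` both after the banner choice and on every later page load from the stored state. Withdrawal is recorded as a `withdraw` choice and resets the state to necessary-only; scripts already running cannot be un-run, so the reload that follows withdrawal is what makes it take effect.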
Frequently Asked Questions
Is the cookie banner that my AI builder generates good enough for GDPR?
Almost never. A static banner with one button does not satisfy the GDPR or the ePrivacy Directive. Valid consent must be freely given, specific, informed, and unambiguous (Article 4(11) of the GDPR), which in practice means a reject option as prominent as accept, per-category choices, and non-essential scripts that stay blocked until the visitor opts in.
If I use Hostinger Horizons or 10Web, is the platform responsible for compliance?
The platform is a processor at most. The site owner is the data controller under Article 4(7) of the GDPR and carries the regulatory liability. Reading the platform's data processing agreement clarifies the split.
Do US-based AI-built sites need a cookie banner?
If the site serves or tracks EU, UK, or Brazilian users, yes. Article 3(2) of the GDPR applies to businesses outside the EU that offer goods or services to people in the Union or monitor their behaviour, and analytics and ad trackers count as monitoring. California visitors also trigger CCPA notice requirements, including a Do Not Sell or Share opt-out for qualifying businesses.
What happens if I let analytics fire before consent on an AI-built site?
This is the single most common cookie violation in 2025 enforcement. CNIL fines that cited it ranged from €750,000 to €325 million, with the largest ones bundling other ePrivacy breaches. A cookie scan will reveal whether scripts are firing pre-consent.
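What such a scan actually checks, and what the scan and categorise steps in the earlier section produce, is shown here as an added example that is not code from the page or from Kukie.io: the analysis stage of a pre-consent cookie audit. The capture is constructed by hand; in practice a headless browser records every cookie set from the first navigation onward, together with the moment (if any) the visitor made a choice. The cookie-name patterns, vendor labels, and category assignments are assumptions drawn from commonly documented cookie names, and anything left as `unclassified` needs a human to assign a category before the inventory is usable.

```javascript
// Added example, not code from the page or from Kukie.io. Analysis stage of a
// pre-consent cookie scan: classify every cookie seen, build the inventory,
// and flag non-necessary cookies set before (or despite) the visitor's choice.
// The capture below is constructed; name patterns and categories are
// assumptions based on the vendors' commonly documented cookie names.

const KNOWN = [
  { pattern: /^_ga(_[A-Z0-9]+)?$/, vendor: 'Google Analytics 4', category: 'analytics' },
  { pattern: /^_gid$/, vendor: 'Google Analytics', category: 'analytics' },
  { pattern: /^_gcl_au$/, vendor: 'Google Ads', category: 'marketing' },
  { pattern: /^_fb[pc]$/, vendor: 'Meta Pixel', category: 'marketing' },
  { pattern: /^(_clck|_clsk|CLID)$/, vendor: 'Microsoft Clarity', category: 'analytics' },
  { pattern: /^(__cf_bm|PHPSESSID|csrftoken)$/, vendor: 'site or CDN', category: 'necessary' },
];

// Unknown names are deliberately NOT treated as necessary: until a human
// classifies them they are reported as findings, which is the safe default.
function classify(name) {
  const hit = KNOWN.find(k => k.pattern.test(name));
  return hit ? { vendor: hit.vendor, category: hit.category }
             : { vendor: 'unknown', category: 'unclassified' };
}

// Constructed capture of a first visit with no banner interaction.
// choice: 'none' | 'accept' | 'reject'; consentAt: ISO time of the choice or null.
const FIRST_VISIT = {
  url: 'https://ai-built-site.example/',
  choice: 'none',
  consentAt: null,
  events: [
    { t: '2025-12-02T10:00:00.120Z', name: '__cf_bm', domain: 'ai-built-site.example', via: 'http' },
    { t: '2025-12-02T10:00:00.410Z', name: '_ga', domain: '.ai-built-site.example', via: 'script' },
    { t: '2025-12-02T10:00:00.412Z', name: '_ga_ABC123', domain: '.ai-built-site.example', via: 'script' },
    { t: '2025-12-02T10:00:00.530Z', name: '_clck', domain: '.ai-built-site.example', via: 'script' },
    { t: '2025-12-02T10:00:00.800Z', name: '_fbp', domain: '.ai-built-site.example', via: 'script' },
    { t: '2025-12-02T10:00:01.050Z', name: 'chat_uid', domain: 'widget.example', via: 'http' },
  ],
};

// A non-necessary cookie is a finding when it is set with no choice offered,
// when it is set after a refusal, or when it is set before an acceptance.
// ISO-8601 UTC timestamps compare correctly as strings.
function isViolation(capture, ev, category) {
  if (category === 'necessary') return false;
  if (capture.choice === 'accept') return ev.t < capture.consentAt;
  return true; // 'none' or 'reject'
}

function audit(capture) {
  const inventory = {};
  const violations = [];
  for (const ev of capture.events) {
    const { vendor, category } = classify(ev.name);
    (inventory[category] ||= []).push({ name: ev.name, vendor, domain: ev.domain, via: ev.via });
    if (isViolation(capture, ev, category)) {
      violations.push({ name: ev.name, vendor, category, setAt: ev.t, choice: capture.choice });
    }
  }
  return { url: capture.url, inventory, violations };
}

// Human-readable report, one line per finding.
function summarize(report) {
  const lines = report.violations.map(v =>
    `${v.name} (${v.vendor}, ${v.category}) set at ${v.setAt} with choice=${v.choice}`);
  return [`${report.url}: ${report.violations.length} pre-consent finding(s)`, ...lines].join('\n');
}
```

Run `audit` once per scenario: a cold visit with no interaction (the constructed capture above), a visit where the tester clicks reject and then navigates, and a visit where the tester accepts. A site that passes the second scenario but fails the first is the typical AI-builder case: the banner works, but nothing is held back until it is answered.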
Does the EU AI Act apply to small AI-built sites?
The Act applies based on what the AI system does, not the size of the business deploying it. Profiling-based ad systems, automated decision tools, and biometric features all bring scope obligations.
Can I just ask my AI builder to write a privacy policy?
The generated text is a starting point. It needs to match the actual data flows on the live site, list real third parties by name, and be reviewed against the privacy regime that applies to the audience.
Take Control of Your Cookie Compliance
An AI builder gets the site to launch. A consent management platform keeps it lawful. Kukie.io scans every page, classifies the cookies and trackers picked up along the way, blocks non-essential scripts before consent, and logs each choice for audit. It works alongside Wix, Squarespace, Webflow, Framer, WordPress, and code-generated sites from Lovable, Bolt, or Cursor.