An AI app builder can hand you a working, deployed product in the time it takes to describe it. What it does not hand you is a consent layer. The fonts, analytics, and embeds it wires in by default start firing the moment your first visitor loads the page, and under EU and UK law you, not the platform, are the party answerable for them.

This is the quiet problem with vibe coding. The code runs, the demo looks polished, and the compliance work a traditional agency would have scoped never gets mentioned.

Getting from a text prompt to a GDPR-ready app is mostly an exercise in finding what the generator left out and adding it back. Cookie consent sits near the top of that list.

Why AI Builders Ship Without a Consent Layer

The tools are built around a single promise: describe an app, get a deployed URL. Speed is the product, and anything that slows the first run down works against it. A consent gate, a script blocker, and a geo-detection rule would all add friction to a funnel designed to remove it.

Adoption has run well ahead of the guardrails. Roughly 92 per cent of developers now use an AI coding assistant at least once a month, and 87 per cent of Fortune 500 companies have adopted at least one vibe coding platform, with non-technical user adoption climbing far faster than enterprise use. By 2026 more than 40 per cent of new web apps at small businesses contain at least one component generated by an AI tool.

The output reflects those priorities. Security researchers at RedAccess found roughly 380,000 publicly accessible applications built on platforms such as Lovable, Base44, and Replit, of which around 5,000 were actively leaking sensitive data including medical records and customer conversations. Compliance plumbing that does not exist cannot be enforced, and consent handling is part of that plumbing.

What Actually Loads When Your AI-Built App Starts

Before you add a single tracking pixel of your own, a generated front end usually pulls in third-party resources. A typical scaffold loads web fonts from Google's content delivery network, wires in an analytics package, and drops in an embed or two for video or maps. Each of those is a request to an external server, and each one can transfer a visitor's IP address or set a cookie.

| Component | Typical default | What it sets or transfers | Prior consent needed? |
|---|---|---|---|
| Web fonts | Google Fonts via CDN | Visitor IP sent to Google servers | Yes, unless self-hosted |
| Analytics | Google Analytics 4, hosted dashboards | _ga, _gid, page-view data | Yes |
| Tag manager | Google Tag Manager | Loads downstream tags that set _gcl_au | Yes |
| Media and social embeds | YouTube, maps, share widgets | Third-party cookies, IP transfer | Yes |
| Session and login | First-party session cookie | PHPSESSID style session ID | No, strictly necessary |
| Error monitoring | Third-party logging service | Device and IP data to a third party | Usually yes |

The session cookie that keeps a user logged in is strictly necessary and needs no consent. Almost everything else on that list does. The distinction is not cosmetic, and getting the cookie categories right is the foundation everything else rests on.

The Platform Built It, but You Are the Data Controller

Vibe coding platforms generate and host code. They do not become the data controller for the app you deploy. That role, and the liability attached to it, belongs to whoever puts the site in front of visitors.

A 2022 ruling by the Regional Court of Munich made the point concrete. A website operator was found to have unlawfully transferred a visitor's IP address to Google by embedding Google Fonts through Google's CDN without consent, and was ordered to pay damages under Article 6(1)(a) GDPR, with the court warning that repeat violations would draw far larger penalties. The same reasoning applies to any third-party asset that pulls a visitor's IP off their device: external stylesheets, JavaScript CDNs, font libraries, and embedded widgets all qualify.

Two fixes exist for that specific problem. Self-host the font files so no third-party request happens, or block the external request until the visitor consents. AI builders default to the CDN version because it is faster to scaffold, which leaves the work to you.

What GDPR and the ePrivacy Directive Actually Require

The rule that catches most AI-built apps is prior consent. Article 5(3) of the ePrivacy Directive requires consent before storing or accessing information on a user's device, unless the cookie is strictly necessary for a service the user asked for. Displaying a banner while the analytics cookies have already fired does not satisfy it. The scripts have to be blocked first.

Enforcement has made this expensive. In 2025 France's CNIL fined Google EUR 325 million, in part for a cookie consent mechanism that did not give users a free and informed choice, and fined the retailer Shein EUR 150 million for placing cookies before consent. Across the year the CNIL issued 83 sanctions worth roughly EUR 486.8 million, with cookie and tracker violations making up much of that figure. The fines for cookie consent failures now sit in the same top tier as the worst data breaches, reaching EUR 20 million or 4 per cent of global turnover.

One shortcut does not work. Legitimate interest cannot be used as a legal basis for analytics or marketing cookies, so the lawful basis for those is consent, full stop.

The picture is tightening in the United Kingdom too. The Data Use and Access Act 2025 lifts the maximum fine under PECR to GBP 17.5 million or 4 per cent of global turnover once in force, bringing it in line with UK GDPR and handing the ICO much heavier penalties for cookie breaches.

From Prompt to Compliant: The Steps That Close the Gap

The work breaks into a handful of concrete tasks. None of them is large, but a generator will not do them for you.

  1. Scan the deployed app. You cannot consent-gate cookies you do not know about. A cookie scanner crawls the live site and lists every cookie and third-party request, including the ones the AI added silently.

  2. Categorise what you find. Sort each cookie into strictly necessary, functional, analytics, or marketing. Only the first group is exempt from consent.

  3. Block non-essential scripts before consent. This is the step generators skip entirely. Analytics, tag managers, and embeds must be prevented from running until the visitor opts in. Conditionally loading scripts on consent is the mechanism that makes the banner mean anything.

  4. Add a banner that offers a real choice. Rejecting has to be as easy as accepting, nothing can be pre-ticked, and a cookie wall that blocks the site until acceptance is not a valid choice under EDPB guidance.

  5. Self-host fonts and assets where you can. Pulling the font files onto your own server removes the third-party IP transfer and the consent question that comes with it.

  6. Keep a consent record and publish a policy. You need to be able to show what each visitor agreed to and when, and a cookie policy has to list what runs and why.
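As an added example that is not from this article or from Kukie.io, the JavaScript below shows steps 2 and 3 in one place: it categorises cookie names from a scan using a table constructed from the list above, and it keeps tagged scripts inert until the visitor's recorded choice allows their category. It assumes a markup convention in which generated scripts are emitted with `type="text/plain"` and a `data-category` attribute; the script list is a constructed sample.

```javascript
// Added example, not Kukie.io's code: a minimal prior-consent gate.
// Assumed markup convention: generated scripts are emitted inert as
//   <script type="text/plain" data-category="analytics" data-src="..."></script>
// and become live scripts only for categories the visitor has opted in to.
const NECESSARY = 'necessary';

// Cookie name to category, constructed from the table above; extend it after a scan.
const COOKIE_CATEGORIES = { PHPSESSID: NECESSARY, _ga: 'analytics', _gid: 'analytics', _gcl_au: 'marketing' };

function categoriseCookie(name) {
  if (Object.prototype.hasOwnProperty.call(COOKIE_CATEGORIES, name)) return COOKIE_CATEGORIES[name];
  if (/^_ga_/.test(name)) return 'analytics'; // GA4 per-property cookies look like _ga_<ID>
  return 'unknown'; // anything unrecognised is treated as needing consent
}

// Split tagged scripts into those allowed to run and those held back. consent is the
// visitor's recorded choice, e.g. { analytics: true }; an empty object (no choice yet,
// or reject all) lets only strictly necessary scripts through.
function partitionScripts(scripts, consent) {
  const allowed = [], blocked = [];
  for (const s of scripts) {
    const ok = s.category === NECESSARY || consent[s.category] === true;
    (ok ? allowed : blocked).push(s);
  }
  return { allowed, blocked };
}

// Browser adapter: replace inert tags with live ones and return how many were activated.
// Returns 0 where there is no DOM (e.g. under Node), so the logic above runs offline.
function activateInDom(consent, doc = typeof document === 'undefined' ? null : document) {
  if (!doc) return 0;
  const tags = [...doc.querySelectorAll('script[type="text/plain"][data-category]')];
  const { allowed } = partitionScripts(tags.map(el => ({ category: el.dataset.category, el })), consent);
  for (const { el } of allowed) {
    const live = doc.createElement('script');
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Constructed sample of what a scan of a generated scaffold might list.
const SAMPLE_SCRIPTS = [
  { category: NECESSARY, src: '/app.js' },
  { category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
  { category: 'marketing', src: 'https://example.invalid/share-widget.js' },
];
```

In the browser, call `activateInDom(consentFromBanner)` only after the visitor has made a choice; until then the analytics and marketing tags never execute, which is what the prior-consent rule requires.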

Why You Cannot Just Prompt the Consent Layer Into Existence

It is tempting to type "add a GDPR cookie banner" into the same tool that built the app. The generator will produce a banner component, and it will look correct. What it will not reliably do is block the scripts behind the banner, detect which visitors fall in scope by region, keep consent logs for audit, or update the cookie list when you add a new integration next month.

That distance between a banner that looks compliant and a system that is compliant is exactly the GDPR compliance gap in vibe-coded apps. A static banner with no script blocking behind it can be worse than none at all, because it signals awareness of the rule while still breaching it.

This is the part a consent management platform handles end to end: it scans the app, categorises the cookies, blocks tagged scripts before consent, applies region rules, and stores the consent records. Kukie.io covers those functions for apps built on any of the major AI builders.

Platform-Specific Guides for Your AI Builder

The consent gap looks slightly different on each builder, because each ships a different default stack and deployment model. The platform-specific guides go into the cookies and integrations particular to each one.

Builders that compile a full front end, such as Bolt.new and v0, tend to lean on Google Fonts and analytics out of the box. IDE-style assistants like Cursor and Windsurf leave the integration choices to you, so the consent work depends on what you wire in. Hosted platforms including Firebase Studio, a0.dev, and Cloudflare VibeSDK bundle their own analytics and edge features that carry their own consent implications. For the broad picture across all of them, the guides on cookie consent for vibe-coded apps and on AI website builders cover the patterns that repeat regardless of which tool produced the code.

Frequently Asked Questions

Do AI-generated apps include cookie consent by default?

No. AI app builders optimise for fast deployment, not compliance, so they scaffold working code without a consent banner or script blocking. The cookies they wire in still fire on the first page load.

If an AI-built app sets cookies without consent, who is liable?

The person who deploys and runs the app is the data controller, not the platform that generated it. Liability for cookie and data-transfer breaches sits with the site owner.

Can I just ask the AI builder to add a cookie banner?

It can produce a banner that looks correct, but it will rarely block scripts before consent, apply region rules, or keep consent logs. A banner with no script blocking behind it still breaches the prior-consent rule.

Does an app built with Lovable, Bolt, or v0 need a cookie banner?

If it serves visitors in the EU or UK and sets any non-essential cookies, yes. The requirement depends on the cookies and the audience, not the tool that built the app.

Are Google Fonts a GDPR problem in AI-built apps?

They can be. Loading Google Fonts through Google's CDN transfers a visitor's IP address to a third party, which a German court ruled unlawful without consent. Self-hosting the font files removes the issue.

What happens if I deploy an AI-built app without cookie consent?

You risk complaints, cease-and-desist letters, and fines that under GDPR reach EUR 20 million or 4 per cent of global turnover. Recent enforcement shows regulators now penalise pre-consent cookie placement directly.

Add the Consent Layer Your Builder Skipped

If you shipped an app from a prompt and have never checked what it sets on a visitor's device, start with a scan. Kukie.io detects the cookies and third-party requests your AI builder added, sorts them into categories, and blocks the non-essential ones until your visitor chooses.

Start a free scan of your app