Bolt.new generates production-ready web applications from a single prompt, often including authentication, databases, and third-party integrations within minutes. What it does not generate is a compliant cookie consent layer.
That gap matters legally. The app deployed at a custom domain is published by the person who prompted it, not by StackBlitz, and EU regulators do not recognise "the AI built it that way" as a defence under the GDPR or the ePrivacy Directive. Anyone shipping a Bolt-generated app to European or UK visitors inherits the same cookie obligations as a hand-coded site.
What Bolt.new Actually Builds Under the Hood
Bolt.new is an in-browser AI development platform from StackBlitz that turns text prompts into full-stack applications using WebContainers, a WebAssembly runtime that runs Node.js inside the browser tab. The generated stack typically includes React or another modern framework, server-side logic, and a connected database layer.
Authentication is the part most relevant to cookie compliance. Before September 2025, every Bolt project required a connected Supabase account for databases and auth. Newer projects created with Claude Agent default to a built-in Bolt Database, though Supabase remains supported. Either backend issues session tokens that the frontend keeps in cookies or local storage. Supabase Auth issues JWT access and refresh tokens rather than a traditional server-side session cookie; the browser client stores them in local storage by default, and the server-side helpers move them into cookies so that server code can read them. Local storage is not a cookie, but Article 5(3) of the ePrivacy Directive covers any storing of, or access to, information on the visitor's device, so the same strictly-necessary analysis applies wherever the tokens live.
Hosting adds another layer. Projects publish through Bolt Cloud by default, with Netlify available as an alternative. Both hosting providers may set their own infrastructure cookies, and any analytics, chat widgets, or marketing pixels added by prompt bring further cookies along with them.
Why "the AI Wrote It" Is Not a Legal Defence
Under GDPR Article 4(7), the data controller is the natural or legal person that determines the purposes and means of processing personal data. The person who prompts Bolt to build a website and then deploys it to real visitors is the controller. StackBlitz is, at most, a processor for the development environment itself, not for the live traffic the deployed app receives.
That allocation of responsibility tracks enforcement patterns. The French CNIL issued approximately 486.8 million euros in cookie-related fines across 83 sanctions during 2025, with the bulk falling on the publishers of the offending sites rather than on the underlying platforms or tooling. In September 2025, CNIL fined Shein 150 million euros and Google 325 million euros in separate decisions, both grounded in cookies set before consent and dark-pattern banner designs.
The Cookie Footprint of a Typical Bolt.new App
Cookie obligations depend on what categories the generated app actually sets. The table below summarises the common building blocks Bolt assembles and how each one is usually classified under the standard cookie taxonomy.
| Component | Typical cookies or storage | Category | Consent needed? |
|---|---|---|---|
| Bolt Cloud or Netlify hosting | Session, load balancing | Strictly necessary | No |
| Supabase Auth | sb-access-token, sb-refresh-token | Strictly necessary for login | No |
| Bolt Cloud Auth (V2) | Session JWTs in cookies or storage | Strictly necessary for logged-in features | No |
| Google Analytics 4 (if added) | _ga, _ga_* | Analytics | Yes (EU and UK) |
| Meta Pixel (if added) | _fbp, _fbc | Marketing | Yes |
| Hotjar or Microsoft Clarity | Session recording IDs | Analytics or marketing | Yes |
| Language or theme preferences | Various first-party | Functional | Yes, unless set in direct response to an explicit visitor choice |
The first three rows are usually exempt from prior consent under Article 5(3) of the ePrivacy Directive because they are strictly necessary to deliver a service the visitor explicitly requested, such as logging in. Everything below the auth line normally requires prior, informed, granular opt-in consent before the cookie or script loads.
Where Bolt.new Apps Tend to Fail Compliance
Three failure patterns appear repeatedly in apps generated by AI builders:
Analytics fires on page load. When prompted to "add analytics", Bolt commonly scaffolds a Google Analytics or Plausible script tag in the document head with no consent gating. Under CNIL guidelines this is an Article 82 violation in France and an ePrivacy violation across the rest of the EU.
Marketing pixels load before consent. The same pattern applies to the Meta Pixel, LinkedIn Insight Tag, and TikTok Pixel. The Shein decision in September 2025 made clear that advertising cookies dropped on landing constitute serious breaches of Article 82 of the French Data Protection Act.
No banner, no policy, no audit trail. Most Bolt-generated apps ship without any cookie banner, without a published privacy policy, and without a cookie policy. Even a passing DPA enquiry would find no record of consent at all.
Adding GDPR-Compliant Consent to a Bolt.new App
The fix is mechanical rather than architectural. The deployed app needs four things: a cookie inventory, a consent banner, script blocking until consent is given, and published privacy and cookie policies.
1. Audit what the deployed app actually sets
Open Chrome DevTools on the deployed site, switch to the Application tab, and inspect Cookies and Local Storage under each origin. Pair this with a server-side scan using Kukie.io's free cookie scanner, which crawls the site like a browser and surfaces third-party cookies that DevTools may miss on a single page view.
2. Install a consent management platform
A consent management platform handles the banner UI, stores the visitor's choices, and serves as the gatekeeper for analytics and marketing scripts. Bolt-generated apps integrate with most CMPs via a single script tag in index.html or, for SPAs, through a small component mounted at the application root. Kukie.io provides drop-in snippets for React, Next.js, Vue, and SvelteKit, all of which Bolt produces out of the box.
3. Block non-essential scripts until consent is granted
The banner alone is not enough. Non-essential cookies must not be set, and the scripts that set them must not run, until the visitor opts in to the relevant category, and withdrawal must stop them again and expire the cookies already written. The November 2025 American Express enforcement decision made this explicit: cookies that keep firing after a visitor withdraws consent are a violation, even when the consent state is correctly recorded server-side. Use the CMP's script-blocking feature or conditional script loading tied to the consent state, and treat any cookie that is not in the inventory as consent-required until it has been reviewed. For Google services, pair this with Google Consent Mode v2, which starts every Google tag in a denied state and lets modelled conversions keep working when consent is denied.
4. Generate the legal documents
Bolt does not produce a privacy or cookie policy, and AI-generated legal text without expert review tends to be generic and incomplete. A purpose-built policy generator, including the one inside Kukie.io, populates the policy from the actual scan results so the cookie list in the document matches what the site sets.
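The following is an added example, not code from Bolt.new, StackBlitz, or Kukie.io, that wires steps 1 and 3 above together for a Bolt-generated single-page app. `auditCookies()` classifies a `document.cookie` string against the inventory table earlier on this page and flags any name it does not recognise as consent-required; `createConsentGate()` holds analytics and marketing loaders back until the matching category is granted, emits the Google Consent Mode v2 default and update signals, and on withdrawal expires the cookies those categories set. The storage key `cookie-consent-v1`, the dependency-injected `storage`, `gtag`, `listCookies` and `deleteCookie` arguments, and the cookie-name patterns beyond the three in the table are assumptions made for this example; a CMP would replace most of this module, but the gating logic it has to implement is the same.

```javascript
// Added example, not code from Bolt.new, StackBlitz or Kukie.io.
// Consent gating for a Bolt-generated SPA: cookie audit, deferred
// script loading, Google Consent Mode v2 signals and withdrawal cleanup.
// Dependencies (storage, gtag, listCookies, deleteCookie) are injected so
// the same module runs in the browser and under Node for testing.

// Cookie-name patterns taken from the inventory table; matched by prefix.
const COOKIE_RULES = [
  { pattern: /^sb-/,      category: "necessary", owner: "Supabase Auth" },
  { pattern: /^_ga(_|$)/, category: "analytics", owner: "Google Analytics 4" },
  { pattern: /^_fb[pc]$/, category: "marketing", owner: "Meta Pixel" },
];
const OPT_IN = ["functional", "analytics", "marketing"];
const STORAGE_KEY = "cookie-consent-v1"; // hypothetical key, chosen for this example

function classifyCookie(name) {
  const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
  // Anything missing from the inventory is consent-required until someone reviews it.
  return rule
    ? { name, category: rule.category, owner: rule.owner, consentRequired: rule.category !== "necessary" }
    : { name, category: "unclassified", owner: "unknown", consentRequired: true };
}

// cookieHeader is the document.cookie string, e.g. "_ga=GA1.1.5; sb-access-token=eyJ...".
function auditCookies(cookieHeader) {
  return cookieHeader
    .split(";")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => classifyCookie(pair.split("=")[0]));
}

function createConsentGate({ storage, gtag, listCookies, deleteCookie }) {
  const saved = storage.getItem(STORAGE_KEY);
  const state = saved
    ? JSON.parse(saved)
    : { necessary: true, functional: false, analytics: false, marketing: false };
  const pending = { functional: [], analytics: [], marketing: [] };
  const loaded = new Set();

  // Map the page's categories onto Consent Mode v2 signal names.
  const modeSignal = (s) => ({
    analytics_storage:     s.analytics  ? "granted" : "denied",
    ad_storage:            s.marketing  ? "granted" : "denied",
    ad_user_data:          s.marketing  ? "granted" : "denied",
    ad_personalization:    s.marketing  ? "granted" : "denied",
    functionality_storage: s.functional ? "granted" : "denied",
  });

  // Default: everything non-essential denied before any Google tag runs;
  // then replay a stored choice, if the visitor made one on an earlier visit.
  gtag("consent", "default", { ...modeSignal({}), wait_for_update: 500 });
  if (saved) gtag("consent", "update", modeSignal(state));

  function flush(category) {
    for (const { id, loader } of pending[category].splice(0)) {
      if (!loaded.has(id)) { loaded.add(id); loader(); }
    }
  }

  return {
    state: () => ({ ...state }),
    // Register a third-party loader; it only runs once its category is granted.
    register(category, id, loader) {
      if (!OPT_IN.includes(category)) throw new Error("unknown category: " + category);
      pending[category].push({ id, loader });
      if (state[category]) flush(category);
    },
    // The visitor chose categories in the banner: persist, signal Google, run queued loaders.
    grant(choices) {
      for (const c of OPT_IN) state[c] = Boolean(choices[c]);
      storage.setItem(STORAGE_KEY, JSON.stringify(state));
      gtag("consent", "update", modeSignal(state));
      for (const c of OPT_IN) if (state[c]) flush(c);
    },
    // Withdrawal: deny everything non-essential and expire the cookies already set.
    // Scripts already in the page cannot be unloaded, so a real deployment reloads
    // after this call so they do not re-set cookies. Returns the names removed.
    withdraw() {
      for (const c of OPT_IN) state[c] = false;
      storage.setItem(STORAGE_KEY, JSON.stringify(state));
      gtag("consent", "update", modeSignal(state));
      const removed = [];
      for (const { name, consentRequired } of auditCookies(listCookies())) {
        if (consentRequired) { deleteCookie(name); removed.push(name); }
      }
      return removed;
    },
  };
}

// Browser wiring (illustrative, not executed here):
//   window.dataLayer = window.dataLayer || [];
//   const gate = createConsentGate({
//     storage: window.localStorage,
//     gtag: function () { window.dataLayer.push(arguments); },
//     listCookies: () => document.cookie,
//     // _ga is normally set on the registrable domain, so pass the same domain= here.
//     deleteCookie: (n) => { document.cookie = `${n}=; Max-Age=0; path=/; domain=.example.com`; },
//   });
//   gate.register("analytics", "ga4", () => { /* append the gtag.js script tag here */ });
```

The gate never calls a registered loader until `grant()` has set the category, which is the behaviour the CNIL decisions cited above require; `withdraw()` is the part most integrations forget, and it only removes cookies the browser will let it remove, so the registrable-domain caveat in the wiring comment matters for `_ga`.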
Bolt-Specific Pitfalls Worth Naming
Several issues are specific to the Bolt workflow rather than to web apps in general. Bolt.new itself does not currently advertise GDPR, SOC 2, or HIPAA certifications at the platform level, which makes it a poor fit for processing high-sensitivity data such as health records or financial identifiers. Generated Supabase tables frequently ship without Row Level Security enabled, so any client holding the public API key can read every row; that is a security failure rather than a cookie failure, but a resulting leak of personal data lands in the same regulatory bucket, as a breach of the security obligations the GDPR imposes on the controller. Hardcoded API keys in generated source files are another common finding, again unrelated to cookies but caught by the same DPA audits that look at consent.
The practical implication is straightforward. A Bolt-generated app should be treated like any other production deployment: audited, fitted with a consent layer, and given proper legal documents before the first real visitor lands on it.
Frequently Asked Questions
Does StackBlitz hold cookie compliance responsibility for apps built with Bolt.new?
No. StackBlitz operates the development environment, but the deployed application is published by the person who prompted Bolt. That person is the data controller under GDPR Article 4(7) and carries the cookie consent obligations.
Do Supabase authentication cookies need a consent banner?
Authentication tokens issued by Supabase to keep a visitor logged in are strictly necessary for a service the visitor explicitly requested, so they fall under the Article 5(3) ePrivacy exemption. Consent is not required, but the cookies should still be listed in the cookie policy.
Is Bolt.new itself GDPR compliant?
As of early 2026, Bolt.new does not publicly advertise GDPR, SOC 2, or HIPAA certifications at the platform level. This affects what data can safely be processed inside the Bolt environment and does not relieve users of compliance duties for the apps they deploy.
What happens if a Bolt-generated app fires Google Analytics without consent?
In the EU and UK, that constitutes a breach of the ePrivacy Directive and, where personal data is involved, the GDPR. CNIL has fined major operators six and nine-figure sums for the same pattern, most recently 150 million euros against Shein in September 2025 for cookies dropped on arrival.
Can a cookie banner be added to a Bolt.new app after deployment?
Yes. Most CMPs install through a single script tag injected into the document head or a small React component mounted at the application root. Kukie.io provides framework-specific snippets that work with the React, Next.js, Vue, and SvelteKit projects Bolt typically generates.
Does the EU AI Act apply to apps built with AI tools like Bolt.new?
The AI Act regulates AI systems based on risk classification. A standard CRUD app generated by Bolt is unlikely to be a regulated AI system, but if the deployed app itself uses AI for things like automated decision-making or biometric processing, the AI Act may apply alongside the GDPR.
Ship Bolt Apps With Consent Built In
If your Bolt-generated app is heading toward real visitors, a free cookie scan is the fastest way to see what consent obligations apply. Kukie.io detects every cookie the site sets, generates region-aware banners, and blocks non-essential scripts until visitors choose for themselves.