Firebase Studio lets you describe an app in plain language and watch Gemini generate a working full-stack project in your browser. The output usually ships with Next.js, TypeScript, Tailwind CSS, Firebase Authentication and Cloud Firestore wired together. What it does not generate is a cookie banner, a consent log, or any of the privacy plumbing that GDPR expects before an app starts tracking visitors.

That gap matters more for Firebase Studio apps than for most, because Google services collect data by default. The moment your app loads Google Analytics for Firebase or signs a user in, storage is happening in the browser, and EU law has something to say about it.

What Firebase Studio Actually Builds

Firebase Studio is Google's agentic, cloud-based development environment, accessible at firebase.studio and built on Project IDX and a Code OSS (VS Code) base, with Gemini handling code generation. You can prototype with the App Prototyping agent or work directly in the IDE.

When the agent plans an app, it tends to recommend a familiar stack: Gemini for AI features, React via Next.js for the frontend, Tailwind for styling, and Firebase services for the backend. Cloud Firestore stores data, Firebase Authentication handles sign-in, and App Hosting (or Cloud Run) serves the result. Each of those layers has its own data behaviour, and that behaviour is what determines your consent obligations.

One detail worth knowing: Google is sunsetting Firebase Studio on 22 March 2027, with new workspace creation already disabled since June 2026. Projects migrate to Google AI Studio or Google Antigravity, and apps already deployed keep running. The migration does not change anything about cookies. Whatever consent obligations apply to an app built in Firebase Studio carry over unchanged to wherever you move it, because they attach to the live app and its visitors, not to the tool that produced the code.

Why "Gemini Generated It" Is Not a Defence

A regulator does not care which tool wrote your JavaScript. Under data controller rules, the person or company that decides why and how personal data is processed carries the legal responsibility. When you deploy an app, you are the controller. Google is a processor for the infrastructure, and Firebase Studio is just the IDE that produced the code.

This catches out vibe-coders constantly. The assumption that a Google-built stack must be compliant out of the box is wrong. Google supplies the tools and, in its own terms, requires you to obtain consent. The ePrivacy Directive makes the rule explicit: Article 5(3) requires informed consent before storing or accessing information on a user's device, unless that storage is strictly necessary to provide the service the user asked for.

Google's EU User Consent Policy reinforces this. If you use Google Analytics or Firebase services to collect data from users in the European Economic Area, you are contractually required to disclose the use of cookies and obtain consent. Ignoring it puts you in breach of both the law and Google's own terms.

The Cookie Footprint of a Firebase Studio App

A freshly generated Firebase Studio app rarely looks like it sets many cookies, but the defaults add up once real features switch on. Here is what a typical deployment stores.

| Source | What it stores | Category | Consent needed? |
| --- | --- | --- | --- |
| Firebase Authentication | JWT session token (server-side session cookie) or ID token in IndexedDB | Strictly necessary | No (if used only for login) |
| Google Analytics for Firebase / GA4 | _ga, _ga_<ID> client identifiers | Analytics | Yes |
| Gemini API features | Session and request identifiers | Functional / analytics | Depends on purpose |
| App Hosting / Cloud Run | Load balancing and security cookies | Strictly necessary | No |
| Embedded Google services (Maps, AdSense) | Third-party advertising and personalisation cookies | Marketing | Yes |

The split is the important part. Firebase Authentication session cookies and the hosting layer's security cookies are exempt, because they exist to deliver the function the user requested. Analytics and any advertising identifiers are not. They need prior, informed consent, and they must stay dormant until the visitor opts in.

Where Firebase Studio Apps Fail Compliance

The most common failure is Analytics firing on page load. If the agent adds Google Analytics for Firebase and you publish without changing anything, the _ga cookie is written before the visitor has seen a banner, let alone agreed to anything. That is the exact scenario the French CNIL has fined repeatedly, including a 150 million euro penalty against Google in 2022 over cookie practices, and ongoing six-figure decisions against sites that set analytics cookies before consent.

Data location is the second trap. Firestore and Firebase data often sit in Google Cloud regions outside the EU, which pulls cross-border transfer rules into play. You need to know where your data lands and disclose it.

A third issue is the missing privacy policy. Firebase's own terms require one that names the cookies and identifiers in use, yet generated apps ship without it. A banner without a backing policy is only half a solution.

Adding a GDPR Banner to a Firebase Studio App

The fix follows the same logic regardless of which Google service you enable. Three things have to be true before your app is defensible.

First, nothing non-essential should run before consent. The Firebase Analytics SDK supports Google Consent Mode v2 directly through its ConsentSettings interface, which exposes signals such as analytics_storage, ad_storage, ad_user_data and ad_personalization. Set these to denied by default, then update them when the visitor chooses. Notice that security_storage, which covers authentication, can stay granted, since login is strictly necessary.

Second, the banner must offer a genuine choice. Accept and reject need equal prominence. Pre-ticked boxes do not count, and burying refusal behind extra clicks is a dark pattern that regulators now treat as invalid consent. Article 7 of the GDPR requires consent to be freely given, specific, informed and unambiguous.

Third, record what was agreed. A timestamped consent log is what you show a regulator if a complaint lands. This is the part hand-rolled banners almost always skip.
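
The first and third steps above, sketched in TypeScript as an added example (not code from Firebase, Google or Kukie.io): signals start denied, a banner choice maps onto them, and every choice is appended to a timestamped log. The banner categories, `recordChoice`, the `apply` callback and the policy version string are assumptions; in a Firebase web app `apply` would hand the signals to the Analytics SDK's `setConsent`.

```typescript
// Added example; the category names and recordChoice() are hypothetical.
type Status = "granted" | "denied";
type Signal = "analytics_storage" | "ad_storage" | "ad_user_data"
  | "ad_personalization" | "security_storage";
type ConsentSignals = Record<Signal, Status>;
type Category = "analytics" | "marketing";

// Which Consent Mode v2 signals each banner category controls (assumed mapping).
const CATEGORY_SIGNALS: Record<Category, Signal[]> = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// State before the visitor has chosen: non-essential denied, login storage granted.
function defaultConsent(): ConsentSignals {
  return {
    analytics_storage: "denied", ad_storage: "denied", ad_user_data: "denied",
    ad_personalization: "denied", security_storage: "granted",
  };
}

// Only an explicit boolean true is an opt-in; missing or truthy-looking
// values ("true", 1) from a malformed banner payload stay denied.
function signalsFromChoice(choice: Partial<Record<Category, unknown>>): ConsentSignals {
  const signals = defaultConsent();
  for (const category of Object.keys(CATEGORY_SIGNALS) as Category[]) {
    if (choice[category] === true) {
      for (const signal of CATEGORY_SIGNALS[category]) signals[signal] = "granted";
    }
  }
  return signals;
}

interface ConsentRecord {
  timestamp: string;      // ISO 8601, UTC
  policyVersion: string;  // which banner/policy text the visitor saw
  signals: ConsentSignals;
}

// Log first, then apply, so a granted signal never exists without a record.
function recordChoice(
  choice: Partial<Record<Category, unknown>>, policyVersion: string,
  apply: (signals: ConsentSignals) => void, log: ConsentRecord[],
  now: Date = new Date(),
): ConsentRecord {
  const record = { timestamp: now.toISOString(), policyVersion, signals: signalsFromChoice(choice) };
  log.push(record);
  apply(record.signals);
  return record;
}
```

Call `apply(defaultConsent())` before any analytics code initialises, and persist the log server-side rather than only in the browser so it survives the visitor clearing storage.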

A consent management platform handles the mechanics so you do not have to script them inside generated code. Drop a script into the app's <head>, run a cookie scan to see what your deployment actually sets, and let the platform block tags until consent and feed the right signals into Consent Mode. The approach is identical to what compliant Bolt.new apps do, since the underlying obligations do not change between AI builders.

Firebase-Specific Points Worth Naming

Because everything in the stack is a Google product, Consent Mode v2 is not optional cleverness; it is the mechanism Google expects you to use. Wiring your banner to the consent signals keeps analytics and any advertising features aligned with what the visitor actually allowed.

Watch the migration too. If you move a project to Google AI Studio or Antigravity, re-run a scan on the new deployment. Build pipelines change, and a cookie that was dormant in one environment can wake up in another.

Frequently Asked Questions

Do Firebase Authentication cookies need consent?

No, provided they are used only to keep a logged-in user signed in. Authentication session cookies are strictly necessary under Article 5(3) of the ePrivacy Directive and are exempt from consent. Analytics and advertising cookies in the same app still require it.

Does Firebase Studio add a cookie banner automatically?

No. Firebase Studio generates app code but does not include a consent banner, a consent log, or a privacy policy. You have to add these yourself before tracking visitors in the EU or UK.

Is my app still compliant after Firebase Studio shuts down in 2027?

Your consent obligations do not change. They attach to the deployed app and its visitors, not to the IDE. When you migrate to Google AI Studio or Antigravity, the same banner and Consent Mode setup must remain in place, and you should re-scan the new deployment.

Which cookies does Google Analytics for Firebase set?

On the web it sets client identifier cookies such as _ga and _ga_<ID>. These are analytics cookies and require prior consent in the EEA and UK before they are written.

Do I need Google Consent Mode v2 for a Firebase app?

If you use Google Analytics, Ads or other Google services and serve EEA users, yes. Consent Mode v2 is how Google's tags read your visitor's choices, and the Firebase Analytics SDK supports it through its consent settings.

Am I the data controller or is Google?

You are the controller for the app you deploy, because you decide why and how visitor data is processed. Google acts as a processor for the infrastructure. That responsibility means compliance is yours, not the tool's.

Ship Firebase Studio Apps With Consent Built In

If you have shipped a Firebase Studio app and are not sure what it stores, start with a scan. Kukie.io detects first-party and third-party cookies, categorises them, blocks non-essential tags until consent, and supports Google Consent Mode v2 for the Google services your app depends on.
