Base44 generates working web applications from plain-language prompts, but the apps it produces still need to follow the same cookie rules as any other website. If your finished app collects analytics, embeds third-party scripts, or serves visitors in the EU, a consent banner has to load before non-essential cookies fire.
This guide covers what Base44 actually deploys behind the scenes, which cookies you are likely to encounter, and the practical steps for adding a compliant banner to a vibe-coded application.
What Base44 Builds and Why It Affects Cookie Compliance
Base44 is an AI app builder acquired by Wix in June 2025 for around $80 million in cash plus performance-based earn-outs. The platform turns natural-language prompts into full-stack React applications with built-in databases, authentication, file storage, and hosting. By Q1 2026 it had crossed 2 million users and roughly $100 million in annual recurring revenue, putting it in the same conversation as Bolt.new, Lovable, and v0 by Vercel.
The output is not a static brochure site. Base44 apps include backend infrastructure, user accounts, and integrations with services like Google Workspace, Slack, and email providers. That stack sets cookies for sessions, authentication, and any analytics tools wired in for you. Anything that stores or reads data on the visitor's device falls under Article 5(3) of the ePrivacy Directive, regardless of whether a human wrote the code or an AI did.
Cookies a Typical Base44 App Sets
The exact cookie footprint depends on what your app does, but most Base44 deployments include some combination of the following:
| Cookie or storage item | Source | Category | Consent required in EU? |
|---|---|---|---|
| base44_session | Base44 SDK authentication | Necessary | No |
| access_token (localStorage) | Base44 auth flow | Necessary | No |
| _ga, _ga_* | Google Analytics 4 integration | Analytics | Yes |
| _fbp, _fbc | Meta Pixel embed | Marketing | Yes |
| intercom-id-* | Live chat integration | Functional | Yes |
| YouTube embed cookies | Embedded video | Marketing | Yes |
Authentication and session cookies are usually treated as strictly necessary under Article 5(3) because they are required for the service the user explicitly requested. Analytics cookies, marketing pixels, and third-party embeds need prior consent in the EU, the UK, and most jurisdictions following an opt-in model. Mapping each cookie to one of the standard cookie categories is the first step before any banner can do its job.
The Head Injection Problem in Base44
A standard cookie banner is added by placing one script tag in the <head> of every page, before any tracking scripts run. This is the recommended pattern for React applications and the one used by every major consent management platform.
Base44 does not yet expose direct access to the HTML <head>. A public request on the official Base44 feedback forum asked for an option to inject custom script tags directly into the head of generated apps, noting that because Base44 manages the head section internally, there is no built-in way to include a consent script that runs before anything else fires. Until that feature ships, three working options exist.
Option 1: Inject via Layout.js Using useEffect
Every Base44 app has a top-level Layout.js component that wraps every page. Any file in the code panel is editable, so you can append a script tag to document.head from inside a useEffect hook, which runs on the client after React mounts. Prompt the AI builder to add a loader at the top of Layout.js:
```javascript
useEffect(() => {
  // Runs once on the client after React mounts: append the banner script to <head>.
  const s = document.createElement('script');
  s.src = 'https://cdn.kukie.io/banner.js';
  s.setAttribute('data-site-key', 'YOUR_SITE_KEY');
  s.async = true;
  document.head.appendChild(s);
}, []);
```
This works for client-side consent collection. The timing caveat: any cookie set during initial HTML parsing fires before the banner loads. Most Base44 apps do not set tracking cookies that early, but if you add Google Analytics or Meta Pixel directly in a component, switch to a consent-aware loader instead of a hard-coded script tag.
Option 2: Custom Domain With a CDN or Edge Worker
Base44 supports custom domains on the Builder plan and above. If you front the domain with a CDN such as Cloudflare, an HTML rewrite worker can inject the banner script into the head of every response. The Base44 application stays untouched, and the script reaches the browser before any other JavaScript on the page. This approach keeps consent logic separate from app logic and survives any re-prompt that would otherwise overwrite a Layout.js edit.
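A sketch of the edge-injection approach using Cloudflare's HTMLRewriter. This is an added example, not code from Base44, Kukie.io, or Cloudflare. The `SITE_KEY` environment binding and the helper names are assumptions, and the tag is emitted without `async` so that it executes before later scripts in the head.

```javascript
// Added example: inject the consent script at the edge with a Cloudflare Worker.
// The script URL and data-site-key attribute mirror the Layout.js snippet on this page.
const BANNER_SRC = 'https://cdn.kukie.io/banner.js';

// Escape a value for use inside a double-quoted HTML attribute, so a
// malformed key cannot break out of the attribute and alter the markup.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the tag. No async/defer: it must run before later scripts in <head>.
function buildBannerTag(siteKey) {
  return `<script src="${escapeAttr(BANNER_SRC)}" data-site-key="${escapeAttr(siteKey)}"></script>`;
}

// Only HTML documents are rewritten; JSON, JS bundles and images pass through.
function isHtml(response) {
  const type = response.headers.get('content-type') || '';
  return type.toLowerCase().startsWith('text/html');
}

const worker = {
  // env.SITE_KEY is an assumed Worker variable holding the site key.
  async fetch(request, env) {
    const response = await fetch(request); // forward to the Base44 origin
    if (!isHtml(response)) return response;
    // HTMLRewriter is provided by the Workers runtime.
    return new HTMLRewriter()
      .on('head', {
        element(head) {
          // prepend() places the tag as the first child of <head>.
          head.prepend(buildBannerTag(env.SITE_KEY), { html: true });
        },
      })
      .transform(response);
  },
};
// In a deployed Worker module: export default worker;
```

If the app sends a Content-Security-Policy header, the banner's origin has to be allowed in `script-src` or the injected tag will be blocked.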
Option 3: Export the Code and Host It Yourself
Base44 paid plans (Builder and above) let you export the generated codebase to GitHub or as a ZIP. The exported frontend is a standard React project. Once you host it on Vercel, Netlify, or your own infrastructure, adding a banner is identical to any other React build. The Kukie.io React installation guide covers placement in public/index.html and the script attributes that activate auto-blocking. Note that the Base44 backend stays on Base44 servers behind the base44-sdk package, so this option moves hosting but not full data control.
Regulations That Apply to Base44 Apps
If your app reaches users in the European Economic Area, the UK, Switzerland, or Brazil, prior consent for non-essential cookies is a hard requirement. The relevant rules:
The GDPR governs how personal data flowing through cookies is processed once collected.
The ePrivacy Directive (Article 5(3)) is the source of the consent requirement itself, expanded for cookie-specific guidance through GDPR consent rules in Article 7.
National regulators including the CNIL in France, the ICO in the UK, and the Garante in Italy enforce both at national level.
The LGPD in Brazil and POPIA in South Africa apply similar consent and transparency rules to cookie use.
United States state laws follow a different model. Under the CCPA and the laws that followed it (CPRA, Virginia, Colorado, Connecticut, and others), the approach is opt-out rather than opt-in, with specific rules around "Do Not Sell or Share My Personal Information" links.
Recent CNIL Enforcement You Should Know About
The French data protection authority continues to issue the largest cookie fines in Europe. On 3 September 2025, the CNIL fined Google 325 million euros and Shein 150 million euros for violations under Article 82 of the French Data Protection Act, which implements Article 5(3) of the ePrivacy Directive. On 20 November 2025, the same regulator fined Condé Nast 750,000 euros over the vanityfair.fr website, after finding that new cookies were placed and existing ones continued to be read even after users clicked "Refuse all." Between December 2022 and December 2024, the CNIL issued combined fines of over 139 million euros for Article 82 breaches alone, according to Bird & Bird's enforcement tracker.
The pattern across these decisions is consistent. Regulators look at what cookies actually fire before consent, whether reject is as straightforward as accept, and whether the banner respects the user's choice afterwards. A Base44 app shipped without a banner, or one that loads tracking before the banner appears, falls into exactly the territory these decisions target. For French-facing apps in particular, the CNIL cookie guidelines are the practical reference point.
Step-by-Step: Adding Kukie.io to a Base44 App
Create a free Kukie.io account and add your Base44 app's domain.
Run a cookie scan against the deployed app. The scanner detects first-party and third-party cookies set during a normal session, including those from any integrations the AI builder wired in for you.
Categorise the detected cookies in the dashboard. Session and auth cookies belong in Necessary. Tools like Google Analytics 4 belong in Analytics. Anything used for advertising lands in Marketing. Preference and live-chat cookies fall under Functional.
Copy the site script tag from the Kukie.io dashboard.
In Base44, open Layout.js and prompt the AI to add a useEffect-based loader for the script, or set up a Cloudflare worker to inject it at the edge.
Enable auto-blocking and Google Consent Mode v2 in the Kukie.io dashboard. Auto-blocking holds analytics and marketing scripts until consent is granted, which is the technical requirement under Article 5(3).
Verify that the banner loads on the live URL, that Reject all is one click and as prominent as Accept all, and that no analytics cookies fire before consent is captured.
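One way to run the last check, as an added example that is not part of Kukie.io or Base44: a small audit that takes the cookie string seen on first load, before any banner interaction, and flags names matching the consent-required rows of the table above. The function names and sample strings are constructed for illustration.

```javascript
// Consent-required cookie patterns from the table on this page ("*" = wildcard).
const NON_ESSENTIAL = [
  { pattern: '_ga', category: 'Analytics' },
  { pattern: '_ga_*', category: 'Analytics' },
  { pattern: '_fbp', category: 'Marketing' },
  { pattern: '_fbc', category: 'Marketing' },
  { pattern: 'intercom-id-*', category: 'Functional' },
];

// Turn a table pattern into an anchored regex, escaping regex metacharacters
// so that only "*" acts as a wildcard.
function toRegex(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Parse a document.cookie style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

// Return every cookie present before consent that needs opt-in consent.
function auditPreConsent(cookieString) {
  const rules = NON_ESSENTIAL.map((r) => ({ ...r, re: toRegex(r.pattern) }));
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const hit = rules.find((r) => r.re.test(name));
    if (hit) findings.push({ name, category: hit.category });
  }
  return findings;
}

// Constructed samples: cookie strings captured on first load, before any click.
const SAMPLE_CLEAN = 'base44_session=abc123';
const SAMPLE_LEAKY =
  'base44_session=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.x; intercom-id-xyz=u1';
```

In a browser console, `auditPreConsent(document.cookie)` on a fresh profile should return an empty array. HttpOnly cookies are not visible to `document.cookie`, so cross-check against the browser's storage inspector.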
What to Get Right Before Going Live
A working banner is necessary but not sufficient. Three additional items still need attention:
A cookie policy page listing every cookie, its purpose, duration, and provider. Kukie.io generates this from the latest scan results.
A privacy policy that names Base44 and Wix (as parent company) as relevant processors where applicable.
A way to withdraw consent at any time. Kukie.io adds a small "Cookie settings" element to the app that reopens the preference panel from any page.
Frequently Asked Questions
Does Base44 set cookies by default?
Yes. Base44's authentication and session handling sets at least one first-party cookie or local-storage token per logged-in user. Additional cookies depend on the integrations you have wired into the app, such as analytics, live chat, or social embeds.
Can I add a cookie banner without exporting my Base44 code?
Yes. The most common method is editing Layout.js directly in the Base44 code panel and adding a useEffect hook that appends the consent script to document.head. A second option is to front a custom domain with a Cloudflare worker that injects the script at the edge.
Do I need consent for the Base44 authentication cookies?
No. Cookies that are strictly necessary to deliver a service the user explicitly requested, such as logging in, are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive. The exemption is narrow: tracking, analytics, and marketing cookies are not covered.
What happens if my Base44 app uses Google Analytics without consent?
Under EU and UK rules, firing GA4 before consent is captured is a breach of Article 5(3). Recent CNIL decisions, including the 750,000 euro Condé Nast fine in November 2025, focused on exactly this pattern: trackers loaded before or despite the user's choice.
Does the Wix acquisition change cookie consent requirements?
No. The legal duty to obtain consent rests with the publisher of the app, not the platform that built it. Wix's ownership of Base44 affects pricing and product roadmap, but it does not shift the responsibility for consent from the app operator.
Can I use Google Consent Mode v2 with a Base44 app?
Yes. Once a consent banner is loaded via Layout.js or an edge worker, Google Consent Mode v2 can be activated through the Kukie.io dashboard. The integration sets the relevant consent signals before any Google tag fires, which is the configuration Google requires for European Economic Area traffic.
Add a Compliant Cookie Banner to Your Base44 App
If you have built an app with Base44 and serve EU visitors, a consent banner is not optional. Kukie.io scans the deployed app, detects every cookie it sets, and serves a banner that aligns with Article 5(3) of the ePrivacy Directive. The free plan covers most single-app deployments and includes auto-blocking, Google Consent Mode v2, and a hosted cookie policy generator.