Vibe coding means describing an app in plain language and shipping whatever the AI produces. The legal duties around cookies attach to the running website, not to the method used to write it. A regulator does not care that a model generated the tracking script. If the deployed app drops a marketing cookie before the visitor agrees, that is a breach of EU law, whoever or whatever typed the code.
What "Vibe Coding" Actually Ships
Andrej Karpathy coined the term in February 2025 to describe a workflow where you give in to the vibes and let an AI write the code, often without reading the diffs. Collins Dictionary named it Word of the Year for 2025. The practice runs on a specific class of tools: AI-native builders such as Lovable, Bolt, v0, Base44 and Replit that wrap an editor, a deployment pipeline and an agent into one chat window, plus IDE agents like Cursor and Windsurf.
These tools do not produce a toy. They generate real, deployable source code and push it to a real host, usually Vercel or Netlify, wired to a real database, usually Supabase or Firebase. The output behaves like any other production website. It loads third-party scripts, sets cookies, writes to storage and, increasingly, ships an analytics integration by default.
That last part is where the trouble starts. The vibe-coding framing, in which you forget that the code exists, is a poor fit for privacy law, because consent obligations are decided by what the app does, not by how much attention the builder paid to it.
Why "The AI Wrote It" Is Not a Legal Defence
Under the GDPR, the organisation or person that decides why and how personal data is processed is the data controller. Run a website, choose to load Google Analytics, and you are the controller for the data that analytics collects. The AI builder is, at most, a processor acting on your instructions, and the underlying model is just a tool, like a code editor or a compiler.
Liability sits with the controller. A regulator investigating a non-compliant banner contacts the operator named in the privacy policy, not the company behind the prompt. Nothing in the GDPR or the ePrivacy Directive shifts responsibility to whoever generated the code.
This matters because vibe coding lowers the barrier to launching so far that many operators have never read a line of what their app sends to a visitor's browser. Not knowing what the app sets is not a defence either. The controller is expected to know.
The Cookie Footprint of a Typical Vibe-Coded App
A standard vibe-coded stack, a frontend on Vercel with authentication through Supabase, sets more on the visitor's device than most builders realise. Some of it is genuinely necessary. Most of it is not.
| What the app uses | Typical storage | Consent needed? |
|---|---|---|
| Session and login (e.g. Supabase Auth) | Local storage or a first-party cookie | No, if strictly necessary for a function the user requested |
| OAuth sign-in (Google, GitHub) | Provider cookies | Necessary for the login the user chose |
| Vercel Web Analytics | Hashed request, no third-party cookie | Yes in the EU, it still tracks despite being cookieless |
| Google Analytics 4 | _ga, _ga_* | Yes, always |
| Meta Pixel | _fbp | Yes, always |
| Cloudflare bot protection | __cf_bm | Generally necessary for security |
Two points catch people out. Vercel Web Analytics sets no third-party cookie and identifies visitors through a hashed request, yet it starts collecting the moment the script loads, with no built-in consent gate. Cookieless does not mean consent-free. Supabase Auth stores its session in local storage rather than a cookie, and storage on a device falls under the same rule as cookies do, so the exemption depends on the purpose, not the technology. The Meta Pixel, by contrast, is always a marketing tracker and always needs consent.
Which Rules Apply to AI-Built Sites
The core rule is Article 5(3) of the ePrivacy Directive, often called the cookie rule. It says information may be stored on, or read from, a user's device only with consent, unless it is strictly necessary to provide a service the user explicitly requested. The European Data Protection Board confirmed in its Guidelines 2/2023, adopted in October 2024, that this rule is technology-neutral: it covers local storage, device fingerprinting, tracking pixels and unique identifiers, not only cookies.
Consent itself is defined by the GDPR. Articles 4(11) and 7 require it to be freely given, specific, informed and unambiguous, given through a clear affirmative action. The Court of Justice settled the point in the Planet49 ruling of 2019: a pre-ticked box is not valid consent. A banner that loads trackers before anyone clicks fails on the same logic.
Geography offers no shelter. The GDPR's territorial scope reaches any site that targets users in the EU, wherever the operator or the server sits. An app vibe-coded in San Francisco and hosted on a United States region still owes EU visitors a compliant consent flow.
Where Vibe-Coded Apps Fail Compliance
The failure modes repeat across thousands of these apps. The most common is scripts firing on page load. Drop-in snippets for Google Analytics, the Meta Pixel or a chat widget run as soon as the page renders, which means the cookie is set before the banner even appears.
A second pattern is the missing or buried reject option. AI builders that do generate a banner often produce an accept-only bar, or a design where refusing takes more clicks than agreeing. Regulators treat these dark patterns as a consent failure in their own right.
Then there is the storage blind spot. Auth libraries and feature flags write to local storage, and builders assume anything that is not a cookie is exempt. It is not. The exemption turns on whether the storage is strictly necessary, and an analytics identifier never is.
The scale is documented. In October 2025 a security scan of 5,600 publicly reachable vibe-coded applications found more than 2,000 high-impact vulnerabilities, over 400 exposed secrets and 175 instances of personal data exposure. The gap between an app that works and an app that is lawful is wide, and nobody is checking it by default.
Recent Enforcement Worth Knowing
France's regulator, the CNIL, runs the most active cookie enforcement programme in Europe. In 2025 it issued 83 sanctions totalling roughly 487 million euros, with trackers and advertising cookies accounting for much of that figure.
The headline cases landed in September 2025. The CNIL fined Google 325 million euros and Shein 150 million euros for setting advertising cookies and failing to obtain valid consent, both under Article 82 of the French Data Protection Act, the national transposition of Article 5(3) of the ePrivacy Directive. A year earlier, in December 2024, it had put multiple publishers on formal notice over banner designs that nudged users toward acceptance.
None of these decisions turned on company size or build method. They turned on cookies being set, or refusals being ignored, before consent. A vibe-coded app that does the same thing breaks the same rule.
Adding GDPR-Compliant Consent to a Vibe-Coded App
Retrofitting consent onto a deployed app takes five steps. None of them require rebuilding what the AI produced.
1. Scan the app for what it actually sets
Before fixing anything, find out what the live app stores. A cookie scan loads the deployed pages, triggers the scripts and lists every cookie and storage entry, including the ones the builder added silently. This is the inventory the rest of the work depends on.
2. Sort what is necessary from what is not
Split the results into categories: strictly necessary, functional, analytics and marketing. Session and authentication storage is usually necessary. Analytics, advertising pixels and most embeds are not, and they must wait for consent before they run.
3. Block non-essential scripts until consent
This is the step AI builders skip. Non-essential scripts must not run until the visitor opts in, which means wrapping them so they load conditionally rather than on page render. A consent management platform handles this by holding tags back and releasing them only for the categories a visitor accepts.
4. Show a banner with a genuine reject option
The banner needs reject and accept presented with equal weight, on the first layer, before any non-essential script fires. Granular controls for each category and an easy way to withdraw consent later complete the requirement.
5. Publish a cookie policy
List every cookie and storage entry, its purpose and its duration, in a cookie policy the banner links to. Kukie.io's scanner detects first-party and third-party cookies, categorises them and generates this policy from the scan results, which keeps the document accurate as the app changes.
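Steps 3 and 4 in browser code, as an added example that is not Kukie.io's or any builder's own code: a small consent gate that records a per-category choice, offers reject with the same weight as accept, and releases a tag only once its category is allowed. The storage key, tag names and category list are assumptions; the script URLs are the vendors' public endpoints and the GA-style measurement ID is a placeholder.

```javascript
// Added example, not Kukie.io's code: hold non-essential tags until the visitor opts in.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const KEY = "cookie_consent"; // assumed storage key for the consent record

function injectScript(src) {
  // In a browser, append the tag now; elsewhere (e.g. a test runner) do nothing.
  if (typeof document === "undefined") return false;
  const s = document.createElement("script");
  s.src = src; s.async = true;
  document.head.appendChild(s);
  return true;
}

// Tags a typical stack ships. URLs are the vendors' public script endpoints;
// Supabase Auth is necessary, the rest are not and must wait for consent.
const TAGS = [
  { name: "supabase-auth", category: "necessary", load: () => true },
  { name: "vercel-analytics", category: "analytics", load: () => injectScript("/_vercel/insights/script.js") },
  { name: "meta-pixel", category: "marketing", load: () => injectScript("https://connect.facebook.net/en_US/fbevents.js") },
];

function createConsentGate(storage, tags = TAGS) {
  // storage: anything with getItem/setItem/removeItem (window.localStorage in a browser)
  const loaded = new Set();
  const current = () => {
    try { const v = JSON.parse(storage.getItem(KEY) || "null"); return v && typeof v === "object" ? v : null; }
    catch { return null; }
  };
  // Load each tag whose category the visitor allowed; necessary tags never wait.
  const release = () => {
    const choice = current() || { necessary: true };
    for (const t of tags) {
      if (!loaded.has(t.name) && choice[t.category] === true) { t.load(); loaded.add(t.name); }
    }
    return [...loaded].sort();
  };
  // Record a per-category decision. "necessary" cannot be refused; unlisted categories default to false.
  const decide = (choice) => {
    const record = { necessary: true, decidedAt: new Date().toISOString() };
    for (const c of CATEGORIES.slice(1)) record[c] = choice[c] === true;
    storage.setItem(KEY, JSON.stringify(record));
    return release();
  };
  return {
    decided: () => current() !== null,
    acceptAll: () => decide({ functional: true, analytics: true, marketing: true }),
    rejectAll: () => decide({}), // one click, same weight as acceptAll
    decide, release,
    // Withdrawal clears the record; already-injected scripts only stop on the next page load.
    withdraw: () => storage.removeItem(KEY),
  };
}
```

Call `release()` on every page load so a stored choice is honoured without showing the banner again, and show the banner only while `decided()` is false.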
Frequently Asked Questions
Who is liable if a vibe-coded app breaks GDPR?
The operator of the app is the data controller and carries the liability, not the AI tool that generated the code. A regulator pursues the business named in the privacy policy. There is no rule that transfers responsibility to the model or the platform.
Does Vercel Analytics need cookie consent in the EU?
Yes, for visitors in the EU. Vercel Web Analytics uses no third-party cookie, but it still collects data the moment it loads, so it counts as non-essential and needs prior consent. Load it conditionally rather than on every page render.
Is local storage covered by cookie consent laws?
Yes. Article 5(3) of the ePrivacy Directive covers any storage on a user's device, not just cookies, so local storage and session storage fall under the same consent rule. The exemption depends on whether the storage is strictly necessary.
Do AI app builders add a cookie banner automatically?
Rarely in a compliant form. Some builders generate an accept-only bar or no banner at all, and almost none block scripts before consent. The banner usually has to be added and configured separately.
Does GDPR apply to an app built outside the EU?
Yes, if the app targets people in the EU. The territorial scope of the GDPR follows the user, not the server, so an app hosted in the United States still needs a compliant consent flow for EU visitors.
Can I skip the banner by disabling analytics instead?
Yes, that is a valid option. An app with only strictly necessary cookies and no analytics or advertising trackers does not need a consent banner, though a clear privacy notice is still expected.
Ship Vibe-Coded Apps With Consent Built In
If you launched an app from a prompt and never checked what it sends to the browser, start with a scan. Kukie.io detects the cookies and storage your deployed app sets, sorts them by category, holds non-essential scripts until visitors agree and generates the policy to match. The build method does not change what the law expects, and it does not have to slow the launch down.