Type a prompt into Lovable, Bolt, v0, or Replit and you get a working web app in minutes. What you do not get, in any of the four, is a cookie consent banner.

That gap matters because the rule about cookies does not care which tool wrote your code. Set a non-essential cookie on a visitor in the EU or UK before they agree, and you have a problem - whether a human typed the JavaScript or an AI generated it from a sentence. This is a comparison of how the four most popular AI app builders behave on consent, what each one actually sets in a visitor's browser, and the single fix that closes the gap regardless of which one you used.

The Shared Blind Spot in AI App Builders

Lovable, Bolt, v0, and Replit are optimised for one thing: turning a description into a deployed application as fast as possible. Consent infrastructure is not part of that job, so it gets left out by default.

The legal bar is set by the ePrivacy Directive, whose Article 5(3) requires informed, prior consent before storing or reading non-essential information on a user's device. Article 7 of the GDPR then defines what valid "agreement" has to look like: a clear affirmative action, freely given, as easy to refuse as to accept. A generated app that drops an analytics tag into the page on first load satisfies none of this. The same flaw shows up across the category, which is why an audit that tested ten AI builders against GDPR criteria found that not one produced a compliant banner on its own.

None of these tools is doing anything malicious. They simply treat consent as your responsibility, and most people shipping a vibe-coded app never find out until a complaint or an audit lands.

What Each Builder Actually Ships

The four differ in stack and hosting, and those differences change which cookies appear and where consent tends to break.

Lovable

Lovable generates a React and Vite frontend with Tailwind, backed by Supabase for database, authentication, and storage, and deploys with one click to a custom domain. It is a single-page application, so navigation happens client-side without full page reloads. Supabase auth sets a session cookie when a user logs in, which is fine on its own, but any analytics or marketing tag you add fires on page load with no gate in front of it.

Bolt

Bolt.new builds React and Vite apps inside in-browser containers and installs real npm packages directly. Before Bolt Cloud arrived in mid-2025, generated frontends deployed through Netlify with no native database or authentication; Bolt Cloud added hosting, databases, and user auth. Either way, the output is a client-rendered app where any tracking script you wire in runs immediately, and the consent banner is simply not in the generated bundle.

v0 by Vercel

v0 generates production-quality React and Next.js code using shadcn/ui and Tailwind, and deploys to Vercel. It is the one partial exception on cookies, for a narrow technical reason covered below. Add a third-party tracker - and most real products do - and v0 lands in exactly the same position as the others.

Replit

Replit is the most complete environment of the four: a full browser-based IDE with terminal, package manager, database, and hosting, with the Replit Agent building apps autonomously across many languages. That maturity does not change the consent picture. A Replit-built app loads its trackers and embeds on first paint, with no banner controlling them.

Cookie Compliance Compared

The table below summarises where the four builders stand on the things that decide whether a deployed app meets the law.

| Builder | Default stack and hosting | Native analytics | Consent banner by default | Where consent typically breaks |
|---|---|---|---|---|
| Lovable | React, Vite, Supabase; one-click custom domain | None injected; you add your own | No | Added tags fire on load; SPA routing |
| Bolt.new | React, Vite; Netlify or Bolt Cloud | None by default | No | Trackers run before any banner exists |
| v0 by Vercel | React, Next.js, shadcn/ui; Vercel | Vercel Web Analytics is cookieless | No | GA4 or Pixel added later, set pre-consent |
| Replit | Full-stack, Agent-built; Replit hosting | None by default | No | Embeds and tags load on first paint |

The pattern is consistent: the consent column reads "No" four times. The differences are in how cookies arrive, not whether you are responsible for them.

Where the Cookies Come From

Most of these apps do not stay truly cookie-free for long. Three sources account for nearly all of the non-essential cookies that turn up in an AI-built project.

Authentication is the first, and it is usually fine. When Lovable, Bolt Cloud, or Replit use Supabase auth, a session cookie keeps the user logged in. Strictly necessary cookies like this are exempt from prior consent, so a session cookie set after login does not need a banner.

Analytics is the second and the one that causes most trouble. The moment you add Google Analytics 4, it writes _ga and _ga_<container> cookies on the very first request. A Meta Pixel adds _fbp. Neither is necessary for the site to function, so both need consent before they run - and by default they run on load.

Embedded media is the third. A standard YouTube embed or an external map can set tracking cookies the instant the page renders, without you adding a line of tracking code yourself.

Single-page routing then makes a naive fix worse. Because React and Next.js apps change views without reloading, a banner bolted on as an afterthought can miss client-side route changes, leaving later pages uncovered while scripts keep firing in the background. A proper consent layer has to block scripts until permission is given, not just paint a notice over the top.
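The difference between blocking a script and painting a notice over it, as an added example that is not code from this article, from any of the four builders, or from any consent platform. The names `createConsentGate` and `injectScript` and the example URLs are hypothetical; the gate lives outside the route components, so client-side navigation cannot bypass it.

```javascript
// Added example: a consent gate that decides whether a tag may load at all.
// `injectScript` is a hypothetical callback; in a browser it would create a
// <script> element and append it to document.head.
function createConsentGate(injectScript) {
  const granted = new Set(["necessary"]); // strictly necessary: no consent needed
  const loaded = new Map();               // src -> category, each script loads once
  let pending = [];                       // tags registered before a choice exists

  function flush() {
    const stillBlocked = [];
    for (const tag of pending) {
      if (!granted.has(tag.category)) {
        stillBlocked.push(tag);
      } else if (!loaded.has(tag.src)) {
        loaded.set(tag.src, tag.category);
        injectScript(tag.src);
      }
    }
    pending = stillBlocked;
  }

  return {
    // Call from any component mount or route change; repeats are ignored,
    // so client-side navigation cannot re-fire or bypass the gate.
    register(category, src) {
      if (loaded.has(src) || pending.some((t) => t.src === src)) return;
      pending.push({ category, src });
      flush();
    },
    grant(category) {
      granted.add(category);
      flush();
    },
    // Withdrawal blocks future loads and returns the scripts that already ran,
    // so the caller can delete their cookies and reload to stop them.
    withdraw(category) {
      if (category !== "necessary") granted.delete(category);
      return [...loaded].filter(([, c]) => c === category).map(([src]) => src);
    },
    blocked: () => pending.map((t) => t.src),
  };
}

// Constructed demo: record what would be injected instead of touching a DOM.
const injected = [];
const gate = createConsentGate((src) => injected.push(src));
gate.register("analytics", "https://analytics.example/tag.js"); // held back
gate.register("necessary", "/assets/app.js");                   // loads at once
gate.grant("analytics");                                        // releases the tag
console.log(injected);
```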

The v0 Exception, and Why It Is Narrow

v0 deserves a footnote the others do not. Vercel Web Analytics, the analytics product most v0 projects reach for, does not use cookies at all - it identifies visitors with a hash derived from the incoming request and discards session data after 24 hours.

A v0 app deployed to Vercel with nothing but Vercel Web Analytics enabled may therefore set no non-essential cookies, which puts it ahead of a Lovable or Replit app wired to a cookie-based tracker. That edge is thin. Vercel's own documentation states that customers using cookies on Vercel-hosted sites are solely responsible for consent, and the instant a v0 project adds GA4, a Meta Pixel, or most advertising tags, the cookie obligation applies in full. Cookieless analytics is a genuine way to reduce the banner requirement, but it is not what most teams end up shipping once marketing gets involved.

What Recent Enforcement Tells You

The risk here is not theoretical, and it is not reserved for large companies. In 2025 France's data protection authority, the CNIL, issued 83 sanctions totalling roughly EUR 486.8 million, with cookie and tracker violations accounting for the bulk of that figure.

The headline cases describe exactly the failure pattern an AI-built app produces. On 1 September 2025 the CNIL fined the SHEIN group's European operator EUR 150 million, in part because advertising cookies were placed as soon as a visitor arrived on the site, before any choice was made. A separate decision noted a company that loaded ten trackers before its cookie banner even appeared. On 27 November 2025 the CNIL fined American Express Carte France EUR 1.5 million for cookies set before any choice, cookies set despite an explicit refusal, and cookies that kept running after consent was withdrawn.

One legal detail makes smaller operators more exposed, not less. Because cookie rules sit under the ePrivacy Directive rather than the GDPR, the one-stop-shop mechanism that routes big cross-border cases to a single lead authority does not apply - any national regulator can act on cookies dropped on visitors in its territory. The technical violation that drew nine-figure fines against Google and SHEIN is identical to what a vibe-coded app does on a fraction of the traffic, and the broader pattern of which artefacts AI builders skip is documented in a review of what AI builders do not generate.

The Fix Is the Same Regardless of Builder

Because the four builders fail in the same way, the remedy does not depend on which one you chose. Four steps close the gap.

Start by auditing what the deployed app actually sets. Open the live URL, clear your cookies, and watch the storage and network tabs on first load - before you click anything. That tells you which cookies fire pre-consent and which scripts are responsible.

Install a consent management platform that blocks non-essential scripts until the visitor agrees. A single script tag or package works across React, Next.js, and Vite, so it drops into any of the four without regenerating the project. Configure it to gate analytics and marketing tags behind consent, and to respect a withdrawal by actually stopping the cookies, not merely recording a preference - the point the American Express decision turned on.

Generate matching privacy and cookie policies that list the cookies the scan found, and verify the banner in practice: refuse everything, reload, and confirm no non-essential cookies remain. Kukie.io scans a site for first-party and third-party cookies, categorises what it finds, and serves a banner that controls script execution rather than sitting on top of it. For a wider view of how these tools stack up, the broader breakdown of the vibe coding compliance gap covers the underlying reasons the category behaves this way.
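The audit and the refuse-and-reload check described above can be scripted. This is an added example, not code from this article or from any scanning product; `auditCookies` and `failingPhases` are hypothetical names, the snapshots and the session cookie name are constructed, and the patterns cover only the cookies the article names.

```javascript
// Added example: classify the cookies present at each step of the check.
// Patterns cover only the non-essential cookies named in the article.
const KNOWN_TRACKERS = [
  { pattern: /^_ga(_.+)?$/, category: "analytics", source: "Google Analytics 4" },
  { pattern: /^_fbp$/, category: "marketing", source: "Meta Pixel" },
];

// Names from a document.cookie-style string. HttpOnly cookies never appear in
// document.cookie, so paste the list from the browser's storage tab for those.
function cookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.split("=")[0].trim())
    .filter((name) => name.length > 0);
}

// `necessary` is the operator's own allowlist of strictly necessary cookies.
function auditCookies(cookieString, necessary = []) {
  const report = { necessary: [], violations: [], unclassified: [] };
  for (const name of cookieNames(cookieString)) {
    const hit = KNOWN_TRACKERS.find((t) => t.pattern.test(name));
    if (hit) report.violations.push({ name, category: hit.category, source: hit.source });
    else if (necessary.includes(name)) report.necessary.push(name);
    else report.unclassified.push(name); // unknown cookies need a human decision
  }
  report.pass = report.violations.length === 0 && report.unclassified.length === 0;
  return report;
}

// Returns the phases in which a non-essential or unknown cookie was present.
function failingPhases(snapshots, necessary = []) {
  return Object.keys(snapshots).filter(
    (phase) => !auditCookies(snapshots[phase], necessary).pass
  );
}

// Constructed snapshots; the session cookie name is a placeholder.
const SESSION = "sb-example-auth-token";
const snapshots = {
  firstLoad: "_ga=GA1.1.111.222; _ga_EXAMPLE123=GS1.1.333; _fbp=fb.1.444.555",
  afterRefusal: `${SESSION}=abc; _fbp=fb.1.444.555`,
  afterWithdrawal: `${SESSION}=abc`,
};
console.log(failingPhases(snapshots, [SESSION]));
```

Unknown cookies fail the check on purpose: a name that matches no tracker pattern and is not on the allowlist still has to be classified by a person before the app passes.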

Frequently Asked Questions

Do apps built with Lovable, Bolt, v0, or Replit need a cookie banner?

If the app serves visitors in the EU or UK and sets any non-essential cookie - analytics, advertising, embedded media - then yes. The legal duty sits with whoever operates the site, not with the tool that generated the code.

Does v0 by Vercel set cookies by default?

A bare v0 app deployed to Vercel with only Vercel Web Analytics enabled sets no third-party tracking cookies, because that analytics product is cookieless. The duty returns the moment you add Google Analytics, a Meta Pixel, or any other tracker.

Is the AI builder responsible if my app breaks cookie law?

No. Under the ePrivacy Directive and GDPR, the data controller is the person or business running the website. Naming the tool that wrote the code is not a defence in an enforcement decision.

Which AI app builder is best for GDPR cookie compliance?

None of the four is meaningfully better out of the box - each ships an app with no consent layer. v0 has a marginal edge only because Vercel Web Analytics avoids cookies, but that advantage disappears as soon as you add common marketing tools.

Do Supabase authentication cookies need consent?

Session cookies that keep a logged-in user authenticated are treated as strictly necessary and are exempt from prior consent. The exemption does not extend to analytics or advertising cookies the same app may load.

Can I add a cookie banner to an AI-generated app without rebuilding it?

Yes. A consent management platform loads through a single script tag or package and works across React, Next.js, and Vite apps. You do not need to regenerate the project to add one.

Scan Your AI-Built App for Cookies

If you shipped something with Lovable, Bolt, v0, or Replit and have never checked what it sets, start with a scan. Kukie.io detects the cookies your app drops, sorts them by category, and gives your visitors a real choice before anything non-essential runs.
