An AI coding assistant has one job: produce code that runs. Describe a booking system, a SaaS dashboard, or a landing page, and tools like Cursor, Lovable, Bolt.new or Replit will hand back a working application in minutes. What they will not hand back is a lawful one.
The gap matters because obligations under the GDPR do not switch off when a human stops typing. Consent, a privacy notice, a lawful basis, secure storage, and a way to handle data subject requests are all still required. None of them appear unless someone asks for them, and the prompt almost never does.
What Vibe Coding Actually Produces
The term "vibe coding" was coined by AI researcher Andrej Karpathy in February 2025 to describe a workflow in which a developer prompts an AI model and accepts its output without reading the code line by line. Collins English Dictionary named it Word of the Year for 2025, and within weeks of the term appearing Y Combinator reported that roughly a quarter of the startups in its winter 2025 cohort had codebases that were almost entirely AI-generated.
Most popular AI app builders follow the same architectural pattern. The model generates a frontend, usually React, that talks directly to a hosted backend such as Supabase or Firebase, with the project's public API key (Supabase's anon key, Firebase's web config) baked into the client. That key is meant to be public: it identifies the project and the anonymous role, and it is not a secret. What protects the data behind it is a set of server-side access rules, row-level security policies in Supabase and security rules in Firebase, that decide which caller may read or write each row.
Those rules are configuration the developer has to enable and write, and the model does not add them unless asked. With row-level security disabled, a table returns every row to anyone who sends the public key, which is exactly what every visitor's browser does. A typical vibe-coded app therefore ships with a database, a sign-up form, authentication, and often an analytics script or advertising pixel, but no consent layer, no policy pages, and frequently no access controls on the data it collects.
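The practical check that follows from this is to do what any visitor's browser can do: take the project URL and public key out of the deployed bundle and ask each table for a row. The script below is an added example, not code from any of the tools named above. The project URL, anon key and table names are placeholders, and the backend it talks to is a constructed stand-in so it runs offline; the request shape itself, Supabase's PostgREST endpoint at /rest/v1/<table> with the anon key sent as the apikey header and bearer token, is the real one.

```javascript
// Added example: does a table answer an anonymous caller?
// A vibe-coded frontend ships the project URL and the public anon key in its
// bundle, so anyone can send the same REST requests the app does. This script
// asks each table for one row using nothing but that key. Rows coming back
// means row-level security is off or a policy is too permissive.
// The project URL, key and table names below are placeholders, not real data.

const SUPABASE_URL = "https://example-project.supabase.co";
const ANON_KEY = "anon-key-copied-from-the-deployed-bundle";
const TABLES = ["profiles", "orders", "audit_log", "no_such_table"];

// Supabase exposes PostgREST at /rest/v1/<table>; the anon key goes in the
// `apikey` header and, for an unauthenticated caller, as the bearer token too.
function buildRequest(baseUrl, anonKey, table) {
  return {
    url: `${baseUrl}/rest/v1/${encodeURIComponent(table)}?select=*&limit=1`,
    headers: { apikey: anonKey, Authorization: `Bearer ${anonKey}` },
  };
}

// Interpret one response. PostgREST answers a permitted select with 200 and a
// JSON array; with RLS enabled and no matching policy that array is empty, so
// "empty" is ambiguous (protected, or simply no data) and is reported as such.
function classify(status, body) {
  if (status === 200 && Array.isArray(body)) {
    return body.length > 0 ? "EXPOSED" : "EMPTY_OR_PROTECTED";
  }
  if (status === 401 || status === 403) return "DENIED";
  if (status === 404) return "NOT_FOUND";
  return `UNEXPECTED_${status}`;
}

// Query every table and return { table: verdict }. `fetchFn` is injectable so
// the run below works offline; against a real project pass nothing and the
// global fetch is used.
async function auditTables(baseUrl, anonKey, tables, fetchFn = fetch) {
  const results = {};
  for (const table of tables) {
    const { url, headers } = buildRequest(baseUrl, anonKey, table);
    const res = await fetchFn(url, { headers });
    let body = null;
    try { body = await res.json(); } catch { body = null; }
    results[table] = classify(res.status, body);
  }
  return results;
}

// Constructed stand-in for the backend: one table with RLS off, one that
// returns nothing, one that denies the anon role, one that does not exist.
function fakeFetch(url) {
  const table = new URL(url).pathname.split("/").pop();
  const reply = (status, body) => Promise.resolve({ status, json: async () => body });
  if (table === "profiles") return reply(200, [{ id: 1, email: "alice@example.com" }]);
  if (table === "orders") return reply(200, []);
  if (table === "audit_log") return reply(401, { message: "permission denied for table audit_log" });
  return reply(404, { message: `relation "public.${table}" does not exist` });
}

// Stand-alone run against the constructed backend.
auditTables(SUPABASE_URL, ANON_KEY, TABLES, fakeFetch).then((r) => console.log(r));
```

Run it with `limit=1` only: the goal is a yes/no per table, not a copy of the data. An EMPTY_OR_PROTECTED verdict needs a second look in the dashboard, because an empty table and a correctly locked one look identical from outside.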
Why GDPR Compliance Never Makes It Into the Prompt
Compliance is a set of decisions the model was never asked to make. A prompt that says "build a customer dashboard with login and Stripe payments" carries no instruction to add a valid consent mechanism, publish a privacy notice, or define a lawful basis for processing. The model cannot infer the things that decide your obligations: which countries your visitors come from, which third parties you share data with, or how long you intend to keep records.
Security researchers have measured the result. Veracode's 2025 GenAI Code Security Report tested more than 100 large language models across 80 coding tasks and found that AI-generated code introduced security vulnerabilities in 45 percent of cases. The report's author put the cause plainly: developers using AI to generate code typically do not specify security constraints, which leaves those decisions to the model itself.
The same logic applies to privacy. If the prompt does not mention data protection by design, the finished app will not have it.
Who Is Responsible When the AI Writes the Code?
Under the GDPR, the entity that decides why and how personal data is processed is the data controller, and the controller carries the legal responsibility. That is the person or company that launched the app, not the AI vendor and not the tool that generated the code.
"The AI wrote it" is not a defence a regulator will accept, in the same way "my developer built it that way" never was. If your app sets an advertising cookie before a visitor consents, the duty to fix it sits with you. The tool produced the output; you chose to deploy it.
Where AI-Generated Apps Break the Rules
The failures cluster in a handful of predictable places. The table below maps what a vibe-coded app usually ships against what the law expects.
| What the AI ships | What the law requires | The risk |
|---|---|---|
| Analytics and pixels hardcoded into the page, firing on load | Non-essential trackers must wait for prior consent, under Article 5(3) of the ePrivacy Directive | Cookies set before consent, the most heavily fined violation in Europe |
| No consent banner | A clear choice to accept or reject non-essential cookies | No lawful way to run analytics or advertising tags |
| No privacy or cookie policy | Transparent information about what data is collected and why | Breach of the transparency duty under Articles 12 to 14 |
| A database with row-level security switched off | Appropriate security of processing, under Article 32 | Personal data readable by anyone holding the public API key |
| No process for access or deletion requests | Data subject rights honoured within one month | Ignored requests escalate into formal complaints |
The security row is not hypothetical. The vulnerability tracked as CVE-2025-48757 documented Lovable-generated apps connecting to Supabase without row-level security, and a sample of 1,645 apps showcased on the platform found roughly one in ten leaking user data, including names and email addresses. A separate scan of 5,600 vibe-coded apps in October 2025 uncovered 175 instances of exposed personal data, among them medical records and bank account numbers.
In January 2026 an AI social network called Moltbook, built entirely through prompts, exposed 1.5 million API keys and 35,000 email addresses within days of launch, again because a single security setting was left off. The pattern is structural, not a run of bad luck.
What Regulators Are Actually Fining
European data protection authorities treat cookies set before consent as a priority, and the penalties are not symbolic. France's CNIL issued 83 sanctions in 2025 worth roughly 486.8 million euros, with cookie and tracker violations making up the bulk of that figure.
Two cases are worth naming. The CNIL fined Google 325 million euros in 2025 for placing advertising cookies without valid consent, and fined the retailer SHEIN 150 million euros the same year, partly because advertising cookies fired the moment a visitor arrived, before the banner appeared. That second failure is exactly what a hardcoded analytics tag in an AI-generated app produces.
Small operators are not exempt. The CNIL has fined a distance-selling company a few thousand euros for poor cookie consent, and the UK's ICO sent warning letters to high-traffic sites in 2024 with thirty days to comply. Size changes the headline figure, not the obligation. For the ceiling on penalties, see how GDPR fines are calculated.
Closing the Compliance Gap on an AI-Built App
The work is mostly bolt-on, and none of it requires rebuilding the application.
Find out what the app actually collects and sets. Run a cookie scan to list every cookie, pixel, and tag the deployed app loads, then map what personal data the sign-up forms and database hold.
Sort essential from non-essential. Authentication and load balancing are essential; Google Analytics 4, the Meta Pixel, and similar tags are not, and need consent first.
Block non-essential scripts until consent. Stop Google Tag Manager and tracking tags from firing on load, and gate them behind a banner whose reject option is as easy to use as accept. Store the choice and re-check it on every page load before any non-essential script runs; the cookie that records the choice is itself strictly necessary and needs no consent of its own.
Publish the legal pages. Add a privacy policy and a cookie policy that reflect what the app really does, not boilerplate.
Build a path for data subject requests. Decide in advance how you will handle a data subject access request or a right to erasure, since both carry a one-month deadline.
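The blocking step in practice, as an added example rather than any platform's or vendor's code: tags are shipped inert with `type="text/plain"` and a `data-category`, a small gate reads the stored choice, emits a Google Consent Mode default of "denied", and only turns permitted placeholders into real script elements. The cookie name `consent_prefs` and its `analytics:1,marketing:0` value format are constructed for this example; the Consent Mode parameter names are Google's own.

```javascript
// Added example: a minimal consent gate for non-essential tags.
// Tags ship inert in the HTML, for instance:
//   <script type="text/plain" data-category="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
// and only become real <script src> elements once the visitor has opted in to
// that category. Cookie name and value format are constructed for this example.

const CATEGORIES = ["analytics", "marketing"]; // essential scripts carry no data-category
const COOKIE_NAME = "consent_prefs";

// Read the stored decision from a document.cookie / Cookie header string.
// No cookie means no decision yet, which the gate treats exactly like "reject".
function parseConsent(cookieString) {
  const consent = { decided: false };
  for (const c of CATEGORIES) consent[c] = false;
  const match = new RegExp(`(?:^|;\\s*)${COOKIE_NAME}=([^;]*)`).exec(cookieString || "");
  if (!match) return consent;
  consent.decided = true;
  for (const pair of decodeURIComponent(match[1]).split(",")) {
    const [name, value] = pair.split(":");
    if (CATEGORIES.includes(name)) consent[name] = value === "1";
  }
  return consent;
}

// Serialise a decision as a cookie string. This cookie is strictly necessary
// (it stores the choice itself), so it needs no consent of its own.
function serializeConsent(consent) {
  const body = CATEGORIES.map((c) => `${c}:${consent[c] ? 1 : 0}`).join(",");
  return `${COOKIE_NAME}=${encodeURIComponent(body)}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
}

// Given the inert tags on the page ({ category, src }) and a decision, return
// the script URLs that may load. Unknown categories never load.
function tagsToLoad(tags, consent) {
  return tags
    .filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true)
    .map((t) => t.src);
}

// Google Consent Mode v2 parameters derived from the same decision, so GA4 and
// Google Ads tags see "denied" until the visitor agrees.
function consentModeSignal(consent) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}

// Canonical gtag shim: pushes the arguments object onto dataLayer.
function gtag() {
  window.dataLayer = window.dataLayer || [];
  window.dataLayer.push(arguments);
}

// Browser-only: swap permitted placeholders for live script elements.
// Returns the number of tags activated; 0 when there is no DOM (e.g. under Node).
function activateTags(consent) {
  if (typeof document === "undefined") return 0;
  const placeholders = Array.from(document.querySelectorAll('script[type="text/plain"][data-category]'));
  const tags = placeholders.map((el) => ({ category: el.dataset.category, src: el.dataset.src, el }));
  const allowed = new Set(tagsToLoad(tags, consent));
  let count = 0;
  for (const t of tags) {
    if (!allowed.has(t.src)) continue;
    const live = document.createElement("script");
    live.src = t.src;
    live.async = true;
    t.el.replaceWith(live);
    count++;
  }
  return count;
}

// Banner handler: persist the choice, update Consent Mode, then load what is allowed.
function recordDecision(choice) {
  const consent = { decided: true, ...choice };
  if (typeof document !== "undefined") {
    document.cookie = serializeConsent(consent);
    gtag("consent", "update", consentModeSignal(consent));
  }
  return activateTags(consent);
}

// Page boot: nothing non-essential runs until a stored opt-in is found.
if (typeof document !== "undefined") {
  const stored = parseConsent(document.cookie);
  gtag("consent", "default", consentModeSignal(stored));
  if (stored.decided) activateTags(stored);
}
```

Wire the banner's buttons to `recordDecision({ analytics: true, marketing: true })` and `recordDecision({ analytics: false, marketing: false })`; because the gate treats "no decision" and "reject" identically, a visitor who ignores the banner gets no trackers either.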
Platform-specific guidance exists for most of these tools, including v0 and Firebase Studio, and a wider walkthrough covers vibe-coded apps in general.
Frequently Asked Questions
Does GDPR apply to apps built with AI tools like Lovable or Bolt?
Yes. The GDPR applies based on whose data you process and where your users are, not on how the code was written. An app built by an AI assistant has the same obligations as one written by hand.
Is the AI platform or the person who deployed the app responsible for compliance?
The person or company that launched the app is the data controller and carries the legal responsibility. The AI tool that generated the code is not liable for how you collect or protect personal data.
Do AI app builders add a cookie consent banner automatically?
Almost never. Most generate analytics or advertising tags that fire on page load and leave consent, banners, and policy pages out entirely unless the prompt specifically asks for them.
Why do so many vibe-coded apps leak user data?
They commonly connect a public frontend to a hosted database with the access rules left off or misconfigured. Researchers found roughly one in ten sampled Lovable apps exposing user data through this exact flaw.
Can a small app built with an AI coding tool really be fined?
Yes. Regulators have fined small operators a few thousand euros for cookie consent failures, and warning letters give sites a short window to fix problems before penalties follow.
What is the fastest way to make an AI-generated app GDPR compliant?
Scan it to see what it sets, block non-essential scripts behind a consent banner with a real reject button, and publish a privacy and cookie policy that match what the app actually does.
Build AI-Generated Apps That Hold Up Legally
If your app was generated from a prompt, assume the consent layer is missing until you have checked. A scan shows you every cookie and tag the app loads, and Kukie.io can block non-essential scripts until a visitor agrees, then generate the cookie policy to match.