Prompt an AI app builder for a booking tool and it will return one: working authentication, a database, a payment flow, a deployed URL. Prompt it for nothing else and that is exactly what you get. No consent banner, no script blocking, no privacy notice that reflects what the app actually does with personal data.
That asymmetry is the vibe coding GDPR compliance gap, and it has a precise shape. What follows maps it artefact by artefact: the specific deliverables European law expects on a live product, and that no generator ships unless asked, repeatedly and precisely.
Vibe Coding Ships Products, Not Obligations
Andrej Karpathy coined the term in February 2025, and before the year was out Collins Dictionary had named vibe coding its Word of the Year. The 2025 Stack Overflow Developer Survey put the share of developers using or planning to use AI coding tools at 84%. Roughly a quarter of Y Combinator's Winter 2025 batch reported codebases that were over 90% AI-generated.
Those numbers describe production software with real users, real cookies and real third-party scripts. The ePrivacy Directive and the GDPR attach to the product, not to the production method. A consent rule written in 2002 applies to an app generated in 2026 the moment a visitor in the EU loads it.
The builders are not hiding this. Their terms of service place legal responsibility for the generated output squarely on the user. What the marketing omits is how little of that responsibility ever makes it into the code.
The Artefacts a Generator Never Produces
Audit a freshly generated app against the GDPR cookie consent requirements and the same items are missing every time. The table below lists what regulators expect to find on a live product, where each duty comes from, and what a default AI build actually contains.
| Compliance artefact | Legal basis | In a default AI build? |
|---|---|---|
| Consent banner with equal accept and reject options | Article 5(3) ePrivacy Directive; Article 7 GDPR | No |
| Blocking of analytics and marketing scripts before consent | Article 5(3) ePrivacy Directive | No |
| Privacy notice describing the actual processing | Articles 13 and 14 GDPR | Placeholder text at best |
| Cookie policy listing the cookies really set | Article 5(3) ePrivacy Directive; Article 13 GDPR | No |
| Records proving who consented to what, and when | Article 7(1) GDPR | No |
| Access, erasure and portability workflows | Articles 12 to 22 GDPR | Basic account deletion at best |
| Retention limits and automatic deletion | Article 5(1)(e) GDPR | No |
| Consent signals to advertising platforms | Google EU user consent policy | No |
The first two rows are where enforcement already lives. A generated app typically wires Google Analytics, Meta Pixel or Microsoft Clarity straight into the page head, firing _ga or _fbp on load for every visitor. That is the exact behaviour the French CNIL sanctioned in September 2025, fining Shein 150 million euros for placing advertising cookies before any interaction with the banner and for a reject option that did not stop the tracking. Google received a 325 million euro fine in a parallel decision. Both rest on Article 82 of the French Data Protection Act, the national implementation of the ePrivacy rule.
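The check a practitioner runs on a generated page, as an added example written for this piece (not code from any builder or from Kukie.io): it pulls the script tags out of the markup, flags known tracker hosts and inline initialiser calls, and reports which of them execute on load instead of being held back for consent. The host table, the inline signatures and the sample head are constructed assumptions kept deliberately short; a real scan loads the deployed URL in a browser and watches what the scripts actually set.

```javascript
// Added example for this article, not code from any builder or from Kukie.io:
// a static audit of a generated page's HTML that lists every <script> and
// flags trackers that will execute on load, before any consent.
// The host table and inline signatures are assumptions, deliberately short.

const TRACKER_HOSTS = {
  "www.googletagmanager.com": "analytics/marketing (Google tag)",
  "www.google-analytics.com": "analytics (Google Analytics)",
  "connect.facebook.net": "marketing (Meta Pixel)",
  "www.clarity.ms": "analytics (Microsoft Clarity)",
};

// Inline snippets that start a tracker without an external src attribute.
const INLINE_SIGNATURES = [
  [/gtag\(\s*['"]config['"]/, "analytics/marketing (gtag config)"],
  [/fbq\(\s*['"]init['"]/, "marketing (Meta Pixel init)"],
  [/\bclarity\s*\(\s*['"]/, "analytics (Clarity call)"],
];

// Pull <script> tags out of markup. A regex is enough for generated
// boilerplate; a real scanner would load the URL in a headless browser.
function scriptTags(html) {
  const tags = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] || a[3] || a[4] || "";
    }
    tags.push({ attrs, body: m[2] });
  }
  return tags;
}

// Decide what a script is for and whether the consent layer gates it.
function classifyScript(tag) {
  const src = tag.attrs.src || "";
  let purpose = null;
  if (src) {
    try {
      // The base only matters for relative paths, which are first-party.
      purpose = TRACKER_HOSTS[new URL(src, "https://first-party.invalid/").hostname] || null;
    } catch (e) {
      purpose = null;
    }
  }
  if (!purpose) {
    for (const [re, label] of INLINE_SIGNATURES) {
      if (re.test(tag.body || "")) { purpose = label; break; }
    }
  }
  // Gated means the browser will not run it on load: a non-JS type plus
  // a category attribute that a consent script can read back later.
  const type = (tag.attrs.type || "").toLowerCase();
  const gated = type === "text/plain" && Boolean(tag.attrs["data-consent-category"]);
  return { src: src || "(inline)", purpose, gated };
}

function auditHtml(html) {
  const findings = scriptTags(html).map(classifyScript);
  // These are the Article 5(3) problems: trackers firing before any choice.
  const ungatedTrackers = findings.filter((f) => f.purpose && !f.gated);
  return { findings, ungatedTrackers };
}

// Constructed sample resembling a generator's default <head>: GA and a Meta
// Pixel wired in directly, Clarity already gated, one first-party bundle.
const SAMPLE_HTML = `
<head>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
  <script>
    window.dataLayer = window.dataLayer || [];
    function gtag(){dataLayer.push(arguments);}
    gtag('js', new Date());
    gtag('config', 'G-PLACEHOLDER');
  </script>
  <script>
    fbq('init', '0000000000000000');
    fbq('track', 'PageView');
  </script>
  <script type="text/plain" data-consent-category="analytics" src="https://www.clarity.ms/tag/PLACEHOLDER"></script>
  <script src="/static/app.js"></script>
</head>`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditHtml(SAMPLE_HTML).ungatedTrackers) {
    console.log(`fires before consent: ${f.src} -> ${f.purpose}`);
  }
}
```

The two inline scripts are caught by their initialiser calls rather than by a host, which is the case a host-only blocklist misses; the Clarity tag passes because `type="text/plain"` stops the browser executing it until a consent script decides otherwise.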
The documents fare no better. A language model cannot know the controller's identity, the processors involved, the transfer mechanisms or the retention periods, so a generated privacy policy is fiction in legal formatting. Under Article 13, a notice that misdescribes the processing is not a partial pass; it is a transparency breach in its own right.
Consent records close the loop. Article 7(1) puts the burden of proof on the operator: when a regulator asks who consented to the marketing cookies and when, "the app has a banner" is not an answer. No builder generates a consent log.
Article 25 of the GDPR makes this list hard to dismiss as polish for later. Data protection by design and by default requires these safeguards at the design stage. An app designed in one afternoon had its design stage in that afternoon.
Why Compliance Never Comes Out of the Prompt
The gap is structural, not a bug the next model release will patch.
Training data reflects the median codebase. Models learn from public repositories and tutorials, and the median public repository contains no consent logic, no retention jobs and no rights workflows. A generator reproducing typical code reproduces typical non-compliance.
Prompts describe features. Nobody demos a cookie banner. Veracode's 2025 GenAI Code Security Report, which tested more than 100 models across 80 coding tasks, found that 45% of generated samples introduced security flaws, and its authors pointed at exactly this mechanism: vibe coding means people stop specifying constraints, so the model decides. Privacy constraints get the same silence.
Correct behaviour depends on runtime facts. Whether a banner must block scripts depends on where the visitor is: prior consent in the EU and UK, opt-out handling under California law in the United States. It depends on which third-party scripts are actually present, which changes with every prompt session. A generator working from a text description cannot know any of this at generation time.
Compliance decays. Even a correctly added banner goes stale the moment the next prompt drops in a marketing pixel. The EDPB's Guidelines 2/2023, adopted in October 2024, read Article 5(3) broadly enough to cover pixels, local storage and fingerprinting, so a feature that sets no cookie can still fall inside the consent rule. Compliance is a property of the running product, not of a commit.
The Same Gap on Every Platform
Because the cause is structural, the symptom repeats across the ecosystem with local variations. Full-stack generators such as Lovable, Bolt.new, v0 by Vercel and Base44 wire analytics into Supabase or serverless stacks with nothing gating the scripts. Cloud platforms behave the same way: Replit deploys agent-built apps straight to a public URL, Firebase Studio connects Google Analytics in a few clicks, and Cloudflare VibeSDK lets companies run their own generator, inheriting the blind spot at platform scale.
a0.dev extends the pattern to mobile, where Apple's App Tracking Transparency stacks on top of European consent rules. AI-first editors such as Cursor and Windsurf sit closer to traditional development, but the code they suggest carries the defaults of the repositories they learned from. The guide to AI website builders covers the no-code end of the same spectrum.
When the Gap Becomes a Breach
The security half of the same gap has already produced casualties. In mid-2025, security researchers scanned 1,645 applications built with Lovable and found 170 of them, roughly one in ten, exposing personal data because the generated Supabase backends shipped without row-level security. Names, email addresses, phone numbers and payment details were readable by anyone holding the public API key embedded in the client. The flaw was assigned CVE-2025-48757.
Under the GDPR that is not only a security incident. It is a failure of appropriate technical measures under Article 32, and for an affected operator it likely triggers the Article 33 duty to notify a supervisory authority within 72 hours. The platform's code worked. The obligations belonged to whoever pressed deploy.
Closing the Gap Without Losing the Speed
The fix does not require abandoning the workflow. It requires treating compliance as a layer the generator will never supply.
1. Scan the deployed URL. A free cookie scanner shows which cookies and trackers the build actually sets. Generated apps regularly include scripts the prompt never mentioned.
2. Gate the scripts. Add a consent banner with equally prominent accept and reject choices, and hold back non-essential scripts until the visitor decides. Kukie.io does this through automatic script blocking via a single tag, which suits generated codebases where hand-editing every component is fragile.
3. Localise the behaviour. Prior consent for EU and UK visitors, opt-out handling for California. Geo-targeted rules cover both without showing every visitor the strictest banner.
4. Rebuild the documents from the scan. A cookie policy and privacy notice based on detected cookies, not on the model's guesswork.
5. Keep the receipts. Logged consent choices satisfy the Article 7(1) burden of proof.
6. Send the signals. Sites running Google tags for European users need Google Consent Mode v2 wired to the banner.
7. Re-scan after every prompt session. Each regeneration can reintroduce trackers. The walkthrough on cookie consent for vibe-coded apps covers keeping the layer intact as the app changes.
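The consent layer those steps describe, as an added example for this article rather than Kukie.io's tag or any generator's output. It picks the regime from the visitor's region, holds gated scripts until their category is granted, writes the record Article 7(1) asks for, and pushes the Consent Mode v2 signal to a Google tag. The country list, the category names, the policy version string, the `consent-record` storage key, the `window.__visitorGeo` injection and the consentId scheme are assumptions; the window and document are passed in as parameters so the logic can run and be tested outside a browser.

```javascript
// Added example for this article, not Kukie.io's tag or any builder's output.
// Region codes, category names, POLICY_VERSION and the consentId scheme are assumptions.

const CATEGORIES = ["analytics", "marketing"]; // strictly necessary cookies need no consent
const POLICY_VERSION = "cookie-policy-2026-01"; // assumed id of the policy text the banner links to

// EU member states, the three EEA states and the UK: prior consent, nothing runs until accepted.
const PRIOR_CONSENT_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
  "IS", "LI", "NO", "GB",
]);

// Pick the rule for this visitor. Unknown regions fall back to prior consent,
// the conservative choice (an assumption of this example, not a legal reading).
function consentRegime(geo) {
  if (PRIOR_CONSENT_COUNTRIES.has(geo.country)) return "prior-consent";
  if (geo.country === "US" && geo.state === "CA") return "opt-out";
  return "prior-consent";
}

// State before any choice: denied under prior consent, allowed under opt-out.
function initialConsent(regime) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = regime === "opt-out";
  return granted;
}

// The Article 7(1) record: who (pseudonymous id), what, when, against which policy text.
function buildConsentRecord(regime, choices, consentId, now) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = Boolean(choices[c]);
  return { consentId, timestamp: now.toISOString(), regime, policyVersion: POLICY_VERSION, granted };
}

// Google Consent Mode v2 parameters derived from the category choices.
function consentModeSignal(granted) {
  const g = (v) => (v ? "granted" : "denied");
  return {
    analytics_storage: g(granted.analytics),
    ad_storage: g(granted.marketing),
    ad_user_data: g(granted.marketing),
    ad_personalization: g(granted.marketing),
  };
}

// Release gated scripts. Trackers are shipped as
// <script type="text/plain" data-consent-category="marketing" src="..."> so the
// browser ignores them; each one whose category is granted becomes an executable copy.
function activateScripts(granted, doc) {
  let released = 0;
  for (const node of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!granted[node.getAttribute("data-consent-category")]) continue;
    const live = doc.createElement("script");
    for (const attr of node.attributes) {
      if (attr.name !== "type" && attr.name !== "data-consent-category") live.setAttribute(attr.name, attr.value);
    }
    live.textContent = node.textContent;
    node.parentNode.replaceChild(live, node);
    released += 1;
  }
  return released;
}

// Page load: a stored record for the current policy version wins; otherwise the regional
// default applies and the banner must be shown. Google tags get the default state first.
function onPageLoad(geo, storedRecord, w, doc) {
  const regime = consentRegime(geo);
  const current = Boolean(storedRecord) && storedRecord.policyVersion === POLICY_VERSION;
  const granted = current ? storedRecord.granted : initialConsent(regime);
  if (w && typeof w.gtag === "function") {
    w.gtag("consent", "default", { ...consentModeSignal(granted), wait_for_update: 500 });
  }
  const released = doc ? activateScripts(granted, doc) : 0;
  return { regime, granted, released, needsBanner: !current };
}

// Banner decision: write the record, push the signal, then release scripts, in that order.
function applyDecision(geo, choices, consentId, now, w, doc) {
  const record = buildConsentRecord(consentRegime(geo), choices, consentId, now || new Date());
  const signal = consentModeSignal(record.granted);
  if (w && typeof w.gtag === "function") w.gtag("consent", "update", signal);
  const released = doc ? activateScripts(record.granted, doc) : 0;
  return { record, signal, released };
}

// Browser wiring (skipped under Node). Assumed: the server injects window.__visitorGeo
// and the record lives in first-party localStorage under "consent-record".
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const geo = window.__visitorGeo || { country: "XX" };
  const stored = JSON.parse(window.localStorage.getItem("consent-record") || "null");
  const state = onPageLoad(geo, stored, window, document);
  window.recordConsentChoice = (choices) => {
    const consentId = stored ? stored.consentId : window.crypto.randomUUID();
    const result = applyDecision(geo, choices, consentId, new Date(), window, document);
    window.localStorage.setItem("consent-record", JSON.stringify(result.record));
    return result;
  };
  if (state.needsBanner) console.log("banner required, regime:", state.regime);
}
```

Scripts the generator added have to be rewritten as `<script type="text/plain" data-consent-category="...">` for the gate to see them, which is why the re-scan after each prompt session matters: a pixel dropped in as a plain script tag runs before this code gets a say. The policy version check also forces a fresh decision whenever the cookie policy is rebuilt from a new scan. Under the opt-out regime a rejection can only switch the Consent Mode signal and stop future loads; scripts already executed in that session cannot be unloaded.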
Teams shipping more than one product can apply the same process from the broader guide to cookie consent in AI-built apps.
Frequently Asked Questions
Does GDPR apply to apps built with AI tools like Lovable or Bolt.new?
Yes. GDPR and the ePrivacy rules attach to the organisation operating the app and the personal data it processes, not to how the code was written. An AI-generated app serving EU users carries the same obligations as a hand-coded one.
Why do AI app builders not add cookie banners automatically?
Models reproduce the public codebases they were trained on, which rarely contain consent logic, and prompts ask for features rather than legal plumbing. A correct banner also depends on visitor location and on the scripts actually present, which a generator cannot know at prompt time.
Can an AI-generated privacy policy be used as it is?
No. Articles 13 and 14 of the GDPR require accurate, site-specific facts: who the controller is, what is collected, which processors receive it and how long it is kept. Generated text invents or omits these details, so a usable policy has to be built from a real scan of the app and then reviewed.
Who is liable when an AI-generated app violates GDPR?
The person or company operating the app, as data controller. Builder platforms place legal responsibility on the user in their terms of service, and regulators fine the operator of the website or app, not the tool that generated it.
Do small vibe-coded projects really risk fines?
The obligations apply from the first EU visitor; neither Article 5(3) of the ePrivacy Directive nor the GDPR contains a small-project exemption. Headline fines target high-traffic sites, but national authorities also act on individual complaints, which do not check company size first.
Close the Gap Before the Next Deploy
When an AI builder produced your app, assume the compliance layer is missing until a scan proves otherwise. Kukie.io detects the cookies and trackers a build actually sets, blocks them until visitors consent, and keeps the consent records Article 7 expects, all through one script tag added to whatever the generator wrote.