Tools like Cursor, Bolt, Lovable, and v0 are making it faster than ever to build and ship websites. You can go from prompt to production in hours. The result looks professional, runs well, and might even include a cookie consent banner.
But building a website and having a banner display are different from managing consent on that website in a compliant way. AI tools, as capable as they are at the first, don’t do the second.
What consent management actually involves
When people think of consent management, they usually picture a cookie banner. That’s just the visible part. Behind it, there’s a technical system that handles what regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the EU ePrivacy Directive actually require:
- Script control: blocking analytics, advertising, and social trackers from running until the visitor makes a choice. Under the GDPR and ePrivacy Directive, no tracking cookies can fire before consent is given.
- Consent records: storing each visitor’s choice with a timestamp, so you can prove what was consented to and when. This is what you show during an audit or when a regulator asks.
- Vendor signaling: transmitting consent status to ad platforms through the IAB Transparency & Consent Framework (TCF) and Google Consent Mode, so they know whether they can serve personalized ads, run retargeting, or hold off.
- Jurisdiction adaptation: serving different consent flows based on where the visitor is. A visitor from Germany needs a GDPR-aligned experience. A visitor from California needs CCPA. The banner, the options, and the legal basis change depending on the jurisdiction.
- Preference management: giving visitors a way to revisit and change their choices after the initial interaction, not just a one-time prompt.
- Cookie scanning: identifying which cookies and trackers are active on your site, categorizing them, and keeping that inventory current as you add new tools and services.
AI coding tools don’t generate any of this. They produce a banner component: a UI element that displays a message and maybe stores a simple cookie. The infrastructure behind consent management (script blocking, record keeping, signaling, adaptation) isn’t part of what these tools build.
The technical implementation of all the legal requirements above is complex. That’s why providers called Consent Management Platforms (CMPs) exist and do just that. They specialize in and keep track of privacy rules globally and how to easily apply them on your website, providing you with the full consent setup. Website creation through AI doesn’t do that.
Why this gap matters
This goes beyond a compliance technicality. It affects your legal exposure, your ad performance, and your customers’ trust in your brand.
Compliance risk
If scripts fire before consent, you’re collecting data you aren’t authorized to use. If consent isn’t recorded with timestamps, you can’t demonstrate that your data was collected with permission. That’s a problem for audits.
Regulators don’t distinguish between “no banner” and “a banner that doesn’t block anything”; neither is compliant. If tracking scripts run before consent, that’s a violation.
And the scrutiny is growing.
Forrester reports that they “initially hypothesized for 2026 that consumers would use genAI in low-risk use cases such as translation tools or chatbots. Those who consider themselves knowledgeable about AI are aware of both the risks and the opportunities and mitigate risks by cross-referencing AI outputs, validating sources, and consulting professionals after using AI tools.”
They had predicted that by 2026, 30% of consumers would use generative AI tools for high-risk decisions such as personal finance and healthcare.
For many, building a website with AI feels like a low-risk move. But online privacy requirements don’t change based on how a site was built. The tools that make building faster can create liability in places most teams don’t think to check.
Marketing performance
Then there’s the marketing side. If you run Google Ads or programmatic advertising, your consent setup needs to send signals through TCF and Google Consent Mode. Without those signals in the EU, ad platforms restrict your campaign targeting and measurement.
You also miss out on more accurate data through conversion modeling, which recovers more than 70% of ad-click-to-conversion journeys lost to cookie refusals.
That directly affects ROI, and it’s one of the most common things teams miss when they build with AI tools and assume the banner covers it.
Trust
When visitors see a consent prompt, they assume you’re handling their data responsibly. When that assumption turns out to be wrong, it’s a brand problem that goes beyond compliance. Your reputation and customer retention take a hit if users’ privacy choices aren’t respected.
Cisco’s 2026 Data and Privacy Benchmark Study found that 93% of organizations plan to allocate more resources into privacy and data governance over the next two years. 90% report their privacy programs have expanded as a direct result of AI adoption.
A quick check for AI-built sites
If you’ve built or rebuilt your site recently with AI tools, you can check your consent setup in a few minutes:
1. Are scripts blocked before consent?
Open your site in incognito. Before interacting with any consent prompt, check your browser’s dev tools (Network tab). If analytics or ad scripts are already running, nothing is being blocked.
2. Does rejecting consent change anything?
Click “Reject” or close the prompt. Check again. If the same scripts are still running, the consent flow is cosmetic.
3. Are consent records stored?
After making a choice, check whether a timestamped record exists beyond a simple cookie. A consent management platform stores retrievable records. A UI component doesn’t.
4. Are vendor signals being sent?
If you use Google Ads, check for Consent Mode signals. If you use programmatic advertising, check for TCF strings. Without these, your ad platforms are operating blind.
What AI handles vs. what a CMP handles
| AI coding tools | Consent management platform | |
|---|---|---|
| Build and design a website | Yes | No |
| Display a consent prompt | Yes (as a UI element) | Yes (connected to infrastructure) |
| Block scripts before consent | No | Yes |
| Adapt consent flows by jurisdiction | No | Yes |
| Store consent records with timestamps | No | Yes |
| Signal ad vendors via TCF | No | Yes |
| Integrate with Google Consent Mode | No | Yes |
| Scan and categorize cookies | No | Yes |
| Let visitors change preferences later | Rarely | Yes |
| Provide audit-ready proof of consent | No | Yes |
AI tools are great at building websites. Consent management platforms are built for managing consent. They’re different categories of tool, and you need both.
What to do about it
If your site was built with AI and your consent setup is just a banner component, you don’t need to start over. You need to add the infrastructure layer.
A CMP integrates with your existing site (typically a few lines of code or a plugin) and handles the infrastructure behind the consent prompt.
iubenda’s Privacy Controls & Cookie Solution is built for this:
- It scans your site for cookies and trackers, blocks scripts until consent is given, adapts by jurisdiction, and stores audit-ready consent records.
- It sends TCF and Google Consent Mode signals to your ad platforms.
- It works with any site, including ones built with AI tools, and you can start for free.