UltraSkills
Tutorials | May 23, 2026 | Updated May 22, 2026

The Legal Pack Your AI App Needs Before Real Users Show Up

Your AI built the app, but it did not write the privacy policy. Here is the short pre-launch legal pass every data-collecting AI app needs before real users arrive.

Quick Answer

Your AI built the app, but it did not write the legal layer. Before real users arrive, an AI app that collects personal data needs a few things in place: a privacy policy, terms and conditions, a cookie banner that blocks trackers until people opt in, separate consent for each purpose, a way for users to get or delete their data, and a quick check of whether the EU AI Act applies to you. None of this requires a lawyer to start. It is a short pre-launch pass you run before you press Deploy.

If you shipped an app with Lovable, Bolt, Cursor, or Claude Code and it collects emails, payments, or any user data, here is the gap nobody warned you about. The AI wrote working code. It did not write a privacy policy. It did not set up real cookie consent. And it has no idea whether your app falls under new AI rules.

That gap is fine right up until the day a regulator or an angry user notices.

Why AI Builders Skip the Legal Layer

Your AI assistant is built to ship features. Privacy law is not a feature, so it rarely appears unless you ask for it by name.

The result is an app that looks finished and behaves like it is launched, but is missing the paperwork every data-collecting product legally needs. Looking launched and being legally launched are two different things.

Definition

GDPR

The EU's data protection law. If your app collects any personal data from people in the EU, it applies to you, even if your company is somewhere else. It governs what you collect, why, and how people can control their own data.

What It Costs When You Skip This

The "we're too small to matter" assumption is exactly what regulators are now disproving.

GDPR fines can reach 4% of annual revenue or 20 million euros, whichever is larger (GDPR-info.eu). That is the ceiling for big cases, but the floor is rising fast for small ones. Over 2,800 fines totaling more than 6.2 billion euros have been issued since 2018, and enforcement is spreading to startups and SMEs, not just Big Tech (CookieYes). One company with just 40 employees received a preliminary assessment with penalties above 150,000 euros (Scrut).

The most expensive mistakes are boring ones: an unclear privacy notice, or cookies that fire before anyone clicks. WhatsApp was fined 225 million euros largely for failing to explain its data processing in plain terms (CookieYes).

Definition

Cookie consent

Asking permission before your app loads non-essential trackers like analytics or ads. Under GDPR, those trackers must stay off until the user actively says yes. Pre-ticked boxes and "you agree by browsing" do not count.

There is also a clock running. The EU AI Act's high-risk obligations are operative from 2 August 2026 (Orrick). A proposal to push some deadlines to 2027 exists, but it is not law yet, so 2 August 2026 is still the date to plan around (Latham & Watkins). Most simple apps are not high-risk, but you should know for sure rather than guess.

The Pre-Launch Legal Checklist

Run these before real users show up. Each one is something you add or switch on, not a legal exam.

Check, and what it means:

1. Privacy policy is live: a page that lists what data you collect, why, and who you share it with
2. Terms and conditions exist: the rules of using your app, posted before the first signup
3. Cookie banner blocks trackers: non-essential cookies stay off until the user opts in
4. Consent is split by purpose: analytics, ads, and tracking each get their own yes or no
5. Users can get their data: a clear way to request, export, or delete what you hold
6. A privacy contact is named: an email people can reach for data questions
7. EU AI Act check done: you have confirmed whether your app counts as high-risk before 2 Aug 2026
8. Personal data is locked down: your database does not let any visitor read everyone's records
9. Third-party tools are listed: Stripe, Resend, and analytics all appear in your policy
10. Final legal pass before Deploy: one last look before you go live

A couple of these deserve a plain note.

Splitting consent by purpose means you cannot bundle everything behind one "Accept all." Each tracking purpose needs its own choice the user can refuse (Secure Privacy).

Letting users get their data is a real GDPR right. People can ask what you hold and tell you to delete it. You need a way to handle that, even if it is just a monitored email to start.

You Do Not Have to Draft This By Hand

Here is the honest part. Writing a privacy policy from scratch, wiring up a proper consent banner, and checking the EU AI Act is slow, and it is easy to leave a gap you cannot see.

So we built the whole pass into a drop-in skill for Claude Code. You add it to your project, run it once, and it drafts your privacy policy and terms, flags your consent setup, and walks your app against this exact checklist. Each item comes back in plain English: done, missing, or check this yourself. No legal background required.

Key Takeaways

  • AI writes your code, not your legal layer. Privacy policy, terms, and consent are missing by default.
  • GDPR fines can reach 4% of revenue, and enforcement now reaches small startups, not just Big Tech.
  • Cookies must stay off until users opt in, and consent must be split by purpose.
  • The EU AI Act's high-risk rules are operative 2 August 2026, with a proposed delay that is not yet law.
  • The fix is a short pre-launch pass, and a drop-in skill can draft and audit most of it for you.

Your Next Step

Your AI built it. Now make sure it survives the internet. Run the legal pass before your next deploy, and launch knowing the paperwork is in place.

Want it drafted and audited for you? Get the Legal Compliance Pack — it builds your privacy layer and checks the gaps in plain language.

Frequently Asked Questions

Does GDPR apply to my small AI app?

Yes, if your app collects any personal data from people in the EU, GDPR applies, no matter where you or your company are based. Personal data includes obvious things like names and emails, but also IP addresses and tracking IDs. Being small does not exempt you. Enforcement has spread well beyond Big Tech, and even a 40-person company has faced penalties above 150,000 euros. The good news is that compliance for a simple app is mostly about a few clear basics: a real privacy policy, honest cookie consent, and a way for users to control their data.

What is the cheapest way to make my AI app GDPR compliant?

Start with the basics that cost nothing but time: publish a clear privacy policy, add terms and conditions, install a cookie banner that blocks non-essential trackers until users opt in, and set up a monitored email where people can ask about or delete their data. List every third-party tool you use, such as Stripe or your analytics provider. These steps cover the most commonly fined gaps. You do not need a lawyer to begin, though a serious or high-risk app should eventually get one. A drop-in skill can draft the policy and audit the gaps to save you the slow part.

Do I need a cookie banner if I only use analytics?

In most cases, yes. Analytics cookies are usually treated as non-essential, which means they must stay off until the user actively agrees. A banner that loads analytics before anyone clicks, or that only offers an "Accept all" button, is a common reason small sites get flagged. You should let users accept or refuse analytics separately from any other purpose, with no pre-ticked boxes. If your analytics is fully anonymous and stores nothing on the user's device, the rules can be lighter, but check before you assume that exemption applies to you.
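The gating logic behind checklist items 3 and 4 and the answer above, as an added example that is not part of the original post: every non-essential purpose starts unchecked, each purpose is recorded on its own, and a tracker is only eligible to load once its own purpose has been granted. The purpose names, the tracker registry and the cookie format are assumptions made for this illustration.

```javascript
// Added example (not from the original post): per-purpose consent gating.
// Purpose names, the tracker registry and the cookie format are assumptions.
const PURPOSES = ['necessary', 'analytics', 'ads', 'tracking'];

// Constructed registry: which third-party script belongs to which purpose.
// Only 'necessary' may run without consent; everything else waits for opt-in.
const TRACKERS = [
  { name: 'session', purpose: 'necessary', src: '/session.js' },
  { name: 'analytics', purpose: 'analytics', src: 'https://example.invalid/a.js' },
  { name: 'ad-pixel', purpose: 'ads', src: 'https://example.invalid/pixel.js' },
];

// Default state: nothing pre-ticked. A user who never touches the banner
// stays here, so no non-essential tracker ever loads.
function defaultConsent() {
  return { necessary: true, analytics: false, ads: false, tracking: false };
}

// Record one explicit choice. "Accept all" in the UI should call this once per
// purpose so each purpose keeps its own separate yes/no record.
function setConsent(state, purpose, granted) {
  if (!PURPOSES.includes(purpose) || purpose === 'necessary') {
    throw new Error(`unknown or non-optional purpose: ${purpose}`);
  }
  return { ...state, [purpose]: granted === true };
}

// The only scripts the page is allowed to inject given the current state.
function allowedTrackers(state, registry = TRACKERS) {
  return registry.filter(t => state[t.purpose] === true).map(t => t.name);
}

// Parse a stored consent cookie such as "analytics=1;ads=0;tracking=0".
// Missing, malformed or non-"1" values all fall back to "not granted".
function parseConsentCookie(raw) {
  const state = defaultConsent();
  if (typeof raw !== 'string') return state;
  for (const part of raw.split(';')) {
    const [k, v] = part.trim().split('=');
    if (PURPOSES.includes(k) && k !== 'necessary') state[k] = v === '1';
  }
  return state;
}

function serializeConsentCookie(state) {
  return PURPOSES.filter(p => p !== 'necessary')
    .map(p => `${p}=${state[p] ? 1 : 0}`).join(';');
}
```

Wire the real banner so that script tags for a purpose are only appended to the page after `allowedTrackers` includes them, and re-run that check whenever the stored cookie changes.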

Does the EU AI Act affect a simple app I built with AI?

Often not directly, but you should confirm rather than guess. The EU AI Act focuses on high-risk uses, such as systems that affect jobs, credit, health, or legal decisions. A typical content or productivity app usually is not high-risk, so the heaviest obligations may not apply. The high-risk rules are operative from 2 August 2026, and a proposed delay to 2027 is not yet law, so plan around the 2026 date. Even if you are not high-risk, transparency basics still matter, like telling users when they are interacting with AI.

How long does a pre-launch legal check take?

For a small app, the first pass takes a few hours, mostly spent writing the privacy policy and terms and setting up consent properly. After that, keeping it current is quick. The slowest parts are drafting the policy in plain language and confirming your cookie banner actually blocks trackers before consent. If you use a drop-in skill, it drafts the documents and runs the checklist for you in minutes, then gives you a clear go or no-go before you deploy. A few hours of setup is far cheaper than a fine or a public data complaint.
