5 legal risks of vibe coding nobody talks about
AI-built apps ship fast. The legal review that traditional dev teams used to do at handoff — accessibility, privacy, IP — usually doesn't happen. Here are the five risks that show up the most when we scan vibe-coded apps in production.
Why vibe coding has a legal-debt problem
AI coding tools are trained on the entire public web. They've seen patterns that work, patterns that ship, patterns that the model's training data labels as "correct." What they haven't seen, especially in their default outputs, is the legal review that experienced teams used to do at the end of a project — accessibility audits, privacy review, license compliance, IP attestation.
That review doesn't disappear when AI writes the code. It just gets skipped. Below are the five legal patterns that show up most consistently when we run scans against production Lovable / Bolt / Cursor / Replit apps.
1. Form inputs without labels (ADA / WCAG)
The most-cited problem in ADA demand letters. AI tools love placeholder text ("Email" floating inside the input box) and skip the actual `<label>` element. A placeholder is not an accessible name: it disappears the moment the user starts typing, and assistive technology is not guaranteed to announce it at all. A screen-reader user can't tell which field is which and is locked out of your checkout.
Median demand-letter settlement: $12,500. Filed-case median: $32,000. Cases filed in NY / FL / CA settle higher. This single failure (WCAG 2.2 Success Criterion 1.3.1, Info and Relationships; an unlabelled control also fails 3.3.2, Labels or Instructions, and 4.1.2, Name, Role, Value) appears in roughly 71% of 2025 demand letters.
Fix: every input gets a real `<label>` whose `for` attribute (`htmlFor` in JSX) matches the input's `id`, or that wraps the input directly. If you don't want the label on screen, hide it with a visually-hidden CSS class (1px box, clipped, overflow hidden), not `display: none` or `visibility: hidden`, which remove it from the accessibility tree as well. `aria-label` or `aria-labelledby` is an acceptable fallback for a control that genuinely has no visible text. ~5 minutes per form.
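The check behind this finding, as an added example that is not code from the original post or from any scanner it mentions: a small Node script that walks a page's markup and flags every form control with no accessible name. It uses regexes rather than a real HTML parser, so treat it as a CI smoke test for your templates, not a substitute for an audit tool; the checkout fragment at the bottom is constructed for the demo.

```javascript
// Added example (not from the original post): flag form controls that have no
// accessible name. Regex-based on purpose so it runs with no dependencies; it
// understands <label for>, wrapping <label>, aria-label, aria-labelledby and
// title, and deliberately does NOT count placeholder as a name.

const CONTROL_RE = /<(input|select|textarea)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Controls whose name comes from elsewhere (button value) or that are not
// presented to the user at all.
const EXEMPT_TYPES = new Set(['hidden', 'submit', 'reset', 'button', 'image']);

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Every id that some <label for="..."> in the document points at.
function labelTargets(html) {
  const ids = new Set();
  for (const m of html.matchAll(/<label\b([^>]*)>/gi)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.for) ids.add(attrs.for);
  }
  return ids;
}

// True when `offset` lies between a <label ...> and its </label>: the control
// is implicitly labelled by its wrapper.
function insideLabel(html, offset) {
  const before = html.slice(0, offset);
  const lastOpen = before.lastIndexOf('<label');
  const lastClose = before.lastIndexOf('</label');
  return lastOpen !== -1 && lastOpen > lastClose;
}

// One finding per unlabelled control, with the fix the post recommends.
function findUnlabelledControls(html) {
  const targets = labelTargets(html);
  const findings = [];
  for (const m of html.matchAll(CONTROL_RE)) {
    const tag = m[1].toLowerCase();
    const attrs = parseAttrs(m[2]);
    const type = (attrs.type || 'text').toLowerCase();
    if (tag === 'input' && EXEMPT_TYPES.has(type)) continue;
    const named =
      (attrs.id !== undefined && targets.has(attrs.id)) ||
      insideLabel(html, m.index) ||
      (attrs['aria-label'] !== undefined && attrs['aria-label'].trim() !== '') ||
      attrs['aria-labelledby'] !== undefined ||
      attrs.title !== undefined;
    if (!named) {
      findings.push({
        tag,
        type,
        id: attrs.id ?? null,
        placeholder: attrs.placeholder ?? null,
        fix: attrs.id
          ? `add <label for="${attrs.id}">...</label>`
          : 'give the control an id and add <label for="that-id">',
      });
    }
  }
  return findings;
}

// Constructed sample: a typical vibe-coded checkout fragment. The email input
// relies on a placeholder and the country <select> has nothing at all.
const SAMPLE_HTML = `
<form>
  <input type="email" id="email" placeholder="Email">
  <label for="card">Card number</label>
  <input type="text" id="card">
  <label>Name on card <input type="text" name="cardholder"></label>
  <input type="text" aria-label="Promo code" name="promo">
  <select name="country"><option>US</option></select>
  <input type="hidden" name="csrf" value="x">
  <input type="submit" value="Pay">
</form>`;

const REPORT = findUnlabelledControls(SAMPLE_HTML);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it over the HTML your framework actually emits (a built page, or a rendered component snapshot) rather than the JSX source, since that is what the screen reader sees.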
2. Tracking pixels that fire before consent (GDPR / ePrivacy)
Vibe-coded apps default to wiring up Meta Pixel, Google Ads, TikTok, GA4, whatever the user mentioned in the prompt. The tag typically loads in `<head>` and fires on page render, before any consent UI exists. If your site has any EU users, that's a clear violation of ePrivacy Directive Art. 5(3) (consent before storing or reading anything on the user's device that isn't strictly necessary for the service) and, once the pixel ships personal data to the vendor, of GDPR Art. 6(1)(a) (consent as the lawful basis for that processing). Whether the tag uses a cookie, localStorage or some other client-side storage makes no difference; the rule is about access to the device, not the mechanism.
DPA enforcement against SMBs typically starts with advisory letters (~$2K–$15K in remediation time) but escalates fast on repeat flags. For health/finance apps, fines can hit six figures. The US analogue is the FTC's 2024 order against Cerebral, roughly $7M, which was exactly this pattern: tracking pixels on a telehealth site shipping sensitive health data to advertising platforms.
Fix: gate every non-essential tag behind a consent state and default that state to false, including when the stored consent is missing or malformed. Essential tags (your own session cookie, CSRF token) can load unconditionally; analytics and ad pixels wait until the visitor opts in. A consent-management tool like Termly or Cookiebot (both have free tiers) wires this in about 30 minutes; doing it manually with a `useConsent()` hook that wraps each tag takes ~1 hour. Either way the consent logic has to run before the tags, so the pixels cannot stay in `<head>` as plain `<script>` tags.
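The consent state described above, as an added example that is not code from the original post or from any of the tools it names: a small gate that queues every non-essential tag until its category is granted, treats missing or malformed stored consent as "no", and loads essential tags immediately. The `load` function is injected so the logic runs under Node; in a browser it would append the vendor's `<script>` to the document. The category names and the three tag names are assumptions made for the demo.

```javascript
// Added example (not from the original post): a default-deny consent gate.
// Tags register with a category; nothing in a non-essential category loads
// until grant() is called for that category.

const CATEGORIES = ['analytics', 'marketing'];

// Parse consent persisted in a cookie or localStorage. Anything missing,
// unparsable, or not strictly `true` collapses to false: the default is deny.
function parseStoredConsent(raw) {
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== 'string') return state;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return state;
  }
  if (!parsed || typeof parsed !== 'object') return state;
  for (const c of CATEGORIES) state[c] = parsed[c] === true;
  return state;
}

function createConsentGate({ load, stored } = {}) {
  const consent = parseStoredConsent(stored);
  const pending = []; // registered tags still waiting on their category
  const loaded = [];  // names of tags actually injected, in load order

  const serialize = () => JSON.stringify(consent);

  // Load the tag if its category is allowed. Essential tags never wait.
  function tryLoad(tag) {
    if (tag.category === 'essential' || consent[tag.category] === true) {
      load(tag.name);
      loaded.push(tag.name);
      return true;
    }
    return false;
  }

  return {
    // Register a tag; it loads now only if permitted, otherwise it queues.
    register(name, category) {
      if (category !== 'essential' && !CATEGORIES.includes(category)) {
        throw new Error(`unknown consent category: ${category}`);
      }
      const tag = { name, category };
      if (!tryLoad(tag)) pending.push(tag);
    },
    // Visitor opted in to some categories: record it, then flush the queue
    // once so each waiting tag fires at most one time.
    grant(categories) {
      for (const c of categories) if (CATEGORIES.includes(c)) consent[c] = true;
      const stillWaiting = pending.filter((tag) => !tryLoad(tag));
      pending.length = 0;
      pending.push(...stillWaiting);
      return serialize(); // caller writes this back to the cookie
    },
    // Withdrawal: future registrations wait again. Scripts already in the
    // page cannot be unloaded, so the caller must also clear vendor cookies.
    revoke() {
      for (const c of CATEGORIES) consent[c] = false;
      return serialize();
    },
    loaded: () => [...loaded],
    pending: () => pending.map((t) => t.name),
    state: () => ({ ...consent }),
  };
}

// Constructed walk-through: first visit, nothing stored, three tags wired up.
const calls = [];
const gate = createConsentGate({ load: (name) => calls.push(name) });
gate.register('session-cookie', 'essential');
gate.register('ga4', 'analytics');
gate.register('meta-pixel', 'marketing');
console.log('before consent:', calls);              // ['session-cookie']
console.log('stored:', gate.grant(['analytics']));  // ga4 fires, pixel waits
console.log('after consent:', calls, 'pending:', gate.pending());
```

The `revoke()` caveat is the part people forget: once a pixel's script is in the page, flipping the flag does nothing to it, which is why the gate has to sit in front of the script injection rather than in front of individual tracking calls.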
3. AI-generated code that isn't legally yours (US Copyright)
The US Copyright Office's Part 2 AI Report (January 2025) made the position explicit: works without sufficient human authorship are not copyrightable, and prompts alone do not meet the originality threshold. If your codebase was generated by Cursor / Lovable / Bolt with minimal human creative direction, large parts of it may not be your copyright.
If a competitor copies your app line-for-line, you may not have legal grounds to stop them. At acquisition, this is increasingly checked — JP Morgan's 2026 founder guide lists "AI code provenance" as a diligence item. Wix's $80M acquisition of Base44 (2025) required extended IP diligence over exactly this issue.
Fix: preserve evidence of human authorship. Save prompt logs. Make meaningful edits and refactors. Document selection and arrangement decisions. The legal standard rewards work that was "materially shaped" by humans — even if AI did the initial draft.
4. Copyleft-contaminated bundles (open-source licensing)
AI coding tools sometimes reproduce near-verbatim chunks of code from their training data, including from projects under copyleft licenses (GPL, AGPL, LGPL, MPL). If that code ends up in your shipped JavaScript bundle, the license obligations come with it: serving a bundle to browsers is distribution, so a GPL snippet can attach source-disclosure obligations to the code it is combined with. LGPL and MPL are weaker (library- or file-level), and for AGPL specifically, deploying as a network service is enough on its own to trigger the obligation to offer users your source code.
Exposure is bounded by the license: GPL / AGPL violations typically end in either (a) a takedown plus remediation (free but embarrassing) or (b) a copyright suit if the rights-holder is litigious. Doe v. GitHub, the Copilot class action, is still being litigated over whether AI output that reproduces training-set code carries that code's license obligations.
Fix: scan deployed bundles against a corpus of known copyleft packages. Comply Code does this automatically. If a match fires, replace the code with a permissively-licensed (MIT / Apache-2.0 / BSD) equivalent. Two caveats: package-level matching catches a copyleft dependency that got bundled, while a verbatim snippet the model reproduced from a GPL repo needs snippet-level matching to surface; and check the declared licenses in your dependency tree as well, because a transitive AGPL dependency puts you in the same place.
5. Exposed API keys in client bundles (security / IP)
Vibe-coded apps frequently ship Stripe secret keys, OpenAI keys, Supabase service-role JWTs and AWS access keys in the client bundle. The AI puts them in `process.env.NEXT_PUBLIC_*` (Next.js inlines every `NEXT_PUBLIC_`-prefixed variable into the browser bundle at build time; Vite does the same with `VITE_`) or hardcodes them. Anyone who opens DevTools, or simply fetches the JS chunk, can extract them in seconds. Supabase is a common trap: the anon key is designed to be public and is held in check by row-level security, while the service-role key bypasses RLS entirely, so shipping it is shipping full database access.
Worst case: someone scrapes your bundle, runs up six figures in OpenAI usage, or empties your Stripe Connect balance. Best case: you rotate keys and lose nothing. This is technically a security issue (CheckVibe's bailiwick) but it's also IP exposure — your operational secrets are public.
Fix: rotate any leaked key immediately and treat everything it could reach as compromised; a key that has been in a public bundle is burned even if you pull it from the next build. Move the calling code behind a server-side route (an API route or edge function) so the browser only ever talks to your server, and read the keys from server-only env vars there. Then add a CI check that greps the built output, not just the source tree, for the secret patterns before every deploy, since the bundle is what actually ships.
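The CI check described above, as an added example that is not code from the original post or from CheckVibe: a Node script that scans the built bundle for the key formats this section names, tells a Supabase service-role JWT apart from the anon key by decoding its role claim, and separately flags secret-looking variable names under a `NEXT_PUBLIC_` / `VITE_` prefix in an env file. The sample bundle, the env file and every key in them are constructed for the demo; the JWTs carry a placeholder signature, not a real one.

```javascript
// Added example (not from the original post): scan the *built* client bundle
// for leaked secrets. Patterns cover the key formats named in the post; the
// JWT check is role-based because the anon and service-role keys look alike.

const PATTERNS = [
  { kind: 'Stripe secret key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/g },
  { kind: 'OpenAI API key', re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g },
  { kind: 'AWS access key id', re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
];

// Anything shaped like a JWT; whether it matters depends on its role claim.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g;

// Next.js inlines every NEXT_PUBLIC_* variable into the browser bundle and Vite
// does the same for VITE_*, so a secret-looking name under either prefix is a
// finding before the build even runs.
const PUBLIC_SECRET_NAME_RE =
  /^(?:NEXT_PUBLIC|VITE)_[A-Z0-9_]*(?:SECRET|SERVICE_ROLE|PRIVATE)[A-Z0-9_]*(?==)/gm;

function decodeBase64Url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Supabase issues two JWTs of the same shape: the anon key (meant to be public,
// held in check by RLS) and the service-role key (bypasses RLS). Only the
// payload's role claim tells them apart. Returns null for anything malformed.
function jwtRole(token) {
  try {
    const payload = JSON.parse(decodeBase64Url(token.split('.')[1]));
    return typeof payload.role === 'string' ? payload.role : null;
  } catch {
    return null;
  }
}

// Never print a full secret into CI logs; keep just enough to locate it.
const redact = (s) => `${s.slice(0, 8)}...${s.slice(-4)}`;

function scanBundle(text) {
  const findings = [];
  for (const { kind, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      findings.push({ kind, match: redact(m[0]), offset: m.index });
    }
  }
  for (const m of text.matchAll(JWT_RE)) {
    if (jwtRole(m[0]) === 'service_role') {
      findings.push({ kind: 'Supabase service-role JWT', match: redact(m[0]), offset: m.index });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

function scanEnvNames(envText) {
  return [...envText.matchAll(PUBLIC_SECRET_NAME_RE)].map((m) => m[0]);
}

// Constructed fixtures. The JWTs are assembled here so they have the right
// shape; FAKE_SIG stands in for the HMAC and is not a real signature.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const FAKE_SIG = 'placeholdersignature';
const ANON_JWT = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ iss: 'supabase', role: 'anon' })}.${FAKE_SIG}`;
const SERVICE_JWT = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url({ iss: 'supabase', role: 'service_role' })}.${FAKE_SIG}`;

const SAMPLE_BUNDLE = [
  'const stripe = new Stripe("sk_live_FAKEFAKEFAKEFAKEFAKEFAKE1234");',
  'const openai = { apiKey: "sk-proj-FAKEFAKEFAKEFAKEFAKEFAKEFAKE" };',
  `const supabase = createClient(url, "${ANON_JWT}");`,
  `const admin = createClient(url, "${SERVICE_JWT}");`,
  'const aws = { accessKeyId: "AKIAFAKEFAKEFAKEFAKE" };',
  'const pk = "pk_live_FAKEFAKEFAKEFAKEFAKEFAKE1234"; // publishable key, fine in the browser',
].join('\n');

const SAMPLE_ENV = [
  'NEXT_PUBLIC_API_URL=https://api.example.com',
  'NEXT_PUBLIC_SUPABASE_ANON_KEY=anon-key-is-meant-to-be-public',
  'NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=this-one-ships-to-every-browser',
  'SUPABASE_SERVICE_ROLE_KEY=server-only-is-fine',
].join('\n');

console.log(scanBundle(SAMPLE_BUNDLE));
console.log(scanEnvNames(SAMPLE_ENV));
```

Point `scanBundle` at every file under your build output (`.next/static`, `dist/assets`, or wherever your framework writes chunks) and fail the pipeline on any finding; the anon key and the `pk_` publishable key pass because they are meant to reach the browser.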
How to triage
All five risks scale with the size of your audience and your jurisdictional reach. A side-project portfolio shipping to friends doesn't need to sweat any of this. A B2C app with paying customers in NY / EU / CA does, and fast. The cheapest move is to run a scan, identify which of the five fire on your specific app, and triage from highest to lowest.
Common questions
How many of these typically fire on a single Lovable / Bolt app?
A median scan on a commercial vibe-coded app surfaces 3–8 individual findings across the five categories. It almost always includes form-label and colour-contrast issues. Privacy violations show up if any ad pixel was wired in. IP/copyleft is rarer (~10%). Exposed secrets are alarmingly common in apps that touch payments or AI APIs.
Is the IP / copyright risk real, or just FUD?
Real, but the legal question is genuinely unsettled. USCO's position (no copyright without human authorship) is clear; how much editing and refactoring of AI-drafted commercial code is enough to cross that line hasn't been tested in court. Doe v. GitHub is about the other side of the problem, whether AI output infringes the licenses of the code it was trained on, but its outcome will shape how the follow-on cases go. Worth knowing about even if you don't lose sleep over it.
How do I get most of these fixed at once?
Run a scan, get the prioritised list, paste the fix prompts into your AI coding tool (Cursor / Claude / Windsurf), apply, re-scan. Most of the Top-5 fixes are 5–30 minutes each. The IP and copyleft fixes can take longer if you have to swap dependencies.