OP
Date: October 5, 2025
Severity: Critical
Type: GDPR / DSA Compliance Breach
A new workspace banner, “Enabled AI – Auto-approved”, appeared in a Lovable project without user consent or prior notice. The platform attempted to activate AI integration automatically, labeling it “auto-approved”, meaning consent was presumed rather than requested.
The user immediately pressed STOP, preventing code modification. If the process had continued, third-party AI providers could have been connected and user data processed without explicit, informed permission.
Why This Matters
Violates GDPR Articles 5, 6 and 7, with no lawful, fair, transparent, or freely given consent.
Violates DSA Article 26, as the design constitutes an automatic opt-in (dark pattern).
Creates legal exposure through potential unlawful data processing by default.
Erodes developer trust, since the platform acted autonomously on the user’s behalf.
Confirmed Facts
Feature appeared automatically with no opt-in dialog.
Code modification was prepared but not executed.
No prior communication or terms update from the platform.
Required Actions
1. Immediate global disable of all auto-enable logic.
2. Transparent disclosure to all affected users.
3. Implement a GDPR-compliant consent flow: granular, opt-in, and reversible.
4. Independent privacy audit and public accountability statement.
This incident is not about a technical bug; it is about user autonomy, lawful consent, and trust in developer