Sending user data to a third-party AI provider without consent violates GDPR Article 6 (lawful basis for processing) and Article 7 (conditions for consent). Under CCPA §1798.100, consumers have the right to know how their data is used. When an AI API call fires unconditionally on every user message, you are processing personal data without a documented lawful basis — exposing the business to regulatory enforcement, fines up to 4% of global annual revenue under GDPR, and user trust collapse if discovered. OWASP A01 (Broken Access Control) classification applies when the missing gate allows any session to trigger AI processing regardless of consent state.
Critical because absent server-side consent gating means every user message is sent to a third-party AI provider with no legal basis, directly violating GDPR Art. 6 and exposing the operator to maximum-tier regulatory penalties.
Add a server-side consent check before every AI API call — client-side guards alone are bypassable. Gate on a flag stored in the user record or session, not a query parameter.
// app/api/chat/route.ts
export async function POST(req: Request) {
const session = await getServerSession()
if (!session?.user?.aiConsentGranted) {
return Response.json(
{ error: 'AI features require consent. Enable them in Settings.' },
{ status: 403 }
)
}
// proceed with AI call
}
Store the consent flag with a consented_at timestamp on the user record. Present AI-specific terms separately from your general ToS so the consent is specific to AI processing, as GDPR Art. 7 requires. Verify by revoking the flag for a test user and confirming the endpoint returns 403.
ID: ai-data-privacy.data-collection-consent.user-consent-before-ai-processing
Severity: critical
What to look for: Enumerate every relevant item. Examine the code path from user input to AI API call. Look for a gate that checks user consent or an opt-in flag before triggering the AI call. Signals: a boolean check on a user preference field (e.g., user.ai_consent, settings.ai_enabled, hasAgreedToAiTerms), a conditional that evaluates a consent flag before calling the AI SDK function, or a UI gate (modal or checkbox) that must be completed before the AI feature is accessible. Also look for onboarding flows that present AI-specific terms before enabling the feature.
Pass criteria: At least 1 of the following conditions is met. The AI API call is gated behind at least one programmatic consent check — either a user preference flag read from the database/auth token, a session value, or a feature flag that requires explicit user opt-in. The gate is in the server-side code path, not purely client-side. Before evaluating, extract and quote the relevant configuration or code patterns found. Report the count of items checked even on pass.
Fail criteria: AI API calls are triggered directly from user input without any conditional check on a consent or opt-in value. The call fires unconditionally whenever the user submits a message.
Do NOT pass when: The item exists only as a placeholder, stub, or TODO comment — partial implementation does not count as passing.
Skip (N/A) when: The application does not call external AI APIs — no AI SDK dependencies detected in package.json and no AI provider environment variable names found in .env.example or source code.
Cross-reference: For related security patterns, the Security Headers audit covers server-side hardening.
Detail on fail: "AI API call in [file] triggers unconditionally on user input — no consent flag or opt-in check found in the request handler or calling code"
Remediation: Processing user data through a third-party AI provider is a significant privacy act that users should opt into. Under GDPR, automated processing of personal data requires a lawful basis — explicit consent is the most appropriate for non-essential AI features.
Add a consent check to your AI handler:
// app/api/chat/route.ts
export async function POST(req: Request) {
const session = await getServerSession()
if (!session?.user?.aiConsentGranted) {
return Response.json(
{ error: 'AI features require consent. Please enable them in Settings.' },
{ status: 403 }
)
}
// proceed with AI call
}
Store the consent flag on the user record with a timestamp. Present AI terms separately from general terms of service, so users understand specifically what data will be processed by the AI provider. To verify: disable the consent flag for a test user and confirm the AI endpoint returns 403.
For a deeper analysis of overall authentication and session handling, the Security Headers & Basics Audit covers session security in detail.