GA4 is free. What it costs you is buried in 9,000 words nobody reads.


Setting up Google Analytics 4 takes about ten minutes. You create an account, define your business objectives, accept the terms, and install the tracking code. The setup flow is clean, logical, and moves you efficiently toward an active property.

I clicked through, installed GA4 on contain.digital, and got on with things. What I did not do at the start is what almost nobody does: read the document I had just clicked “agree” on. So I fed it through AI, all 9,000 words of it. What follows is what I found, what I did about it, and why the most revealing moment in the whole process required me to shrink my browser window to fifteen percent of its normal size.

You Are Not a User. You Are a Controller.

The first thing the Google Analytics Terms of Service establish is something the setup flow never mentions: the moment you install GA4 on your website, you become a data controller under GDPR. Not Google. You. [1]

A data controller is the legal entity responsible for deciding why and how personal data is collected and processed. GA4 collects IP addresses, device identifiers, browser data, location data, and behavioural data from every visitor to your site. Under GDPR, all of it qualifies as personal data. [2] You are the one collecting it. Google is processing it on your behalf.

What this means in practice: you must have a privacy policy that discloses your use of Google Analytics and cookies. You must obtain explicit, freely given consent before any tracking begins. A cookie consent banner is not optional; it is a legal requirement under UK PECR and GDPR. You must be able to respond to data subject requests. If one of your visitors asks you to delete their data, that obligation is yours. [1]

The setup flow does not explain any of this. It guides you through business objectives and measurement goals. The legal responsibility lands quietly in the background while you are looking at dashboards.

The Data Sharing Toggle Nobody Mentions

During GA4 setup, Google presents a data sharing settings screen. One option shares your Google Analytics data with Google products and services. It is enabled by default.

When that toggle is on, a second legal agreement activates alongside the standard Analytics terms: the Google Measurement Controller-Controller Data Protection Terms. In the standard GA4 relationship, Google is your data processor, working under your instruction, restricted in what it can do with the data. When data sharing is enabled, Google becomes an independent data controller of that same data. [3]

The terms are explicit. Once Google is a controller, it “will individually determine the purposes and means of its processing of Controller Personal Data.” [3] Google can use the data however it chooses. The restrictions that apply when it acts as your processor no longer apply. You have transferred the data. You have no further say.

This is the toggle most people never notice, on a setup screen most people click past, in a terms document most people never open.

307 Regions. All On By Default.

That was not the only default worth examining.

Inside GA4’s data collection settings sits a section called “Advanced settings to allow for ads personalisation”. When I found it, it showed ads personalisation enabled across 307 of 307 regions. Every region Google Analytics operates in. All on. By default.

This is not what most people imagine they are signing up for when they install a free website analytics tool. The framing is measurement. The default state is a global advertising infrastructure, active from the moment you complete setup, covering every region on Google’s list.

Turning it off was not straightforward. The option to disable ads personalisation across all regions did not appear at normal browser zoom. I had to shrink the browser window to approximately fifteen percent of its standard size before the control became visible. The GA4 AI assistant, when asked for help navigating this, was not able to assist.

The exit is hard to find. The default serves Google. The friction runs in one direction only.

What Google’s Liability Is Worth

If something goes wrong under these terms, Google’s total liability to you is capped at five hundred US dollars. [4]

Not per incident. Total. That is the maximum combined liability of Google, Google LLC, and Google Ireland Limited toward you, the customer, under the controller terms.

Your liability as the GDPR data controller of your visitors’ data is not capped at anything. A serious data breach involving EU citizens can attract fines of up to four percent of annual global turnover, or twenty million euros, whichever is higher. [2]

Google processes the data. You carry the risk. Google caps its exposure at five hundred dollars. Yours is open-ended.

The Terms Update Without You

Google can amend the Analytics terms unilaterally. Material changes require reasonable advance notice, generally thirty days. [4] Your option if you disagree is to disable data sharing or stop using the service.

There is no negotiation. There is no amendment process for standard accounts. The defaults can change. The toggles you turned off today can be reset. The terms can update and the relationship continues unless you actively monitor it.

Most small business owners who install GA4 check it occasionally for traffic numbers. They do not check the data sharing settings. They do not read the amendment notices. They do not know the defaults have changed until someone tells them, if anyone does.

What I Actually Needed

After reading the terms in full, I asked a simple question: what do I actually need from an analytics tool?

The answer was: how many people visit, which pages they look at, and where the traffic comes from. That is it. GA4 provides all of that, and considerably more besides: demographics, device breakdowns, conversion funnels, audience segments, ads integration. None of which I use. None of which was worth the GDPR compliance overhead, the cookie consent banner, the privacy policy complexity, the data processing agreement, the four sets of toggles I had to find and disable, and the ongoing risk of Google changing its defaults and me needing to check again.

The decision was straightforward once the question was clear.

What Replaced It

I removed Google Analytics from contain.digital entirely. The site now runs on Cloudflare Analytics, which is built into the CDN I already use, sets no cookies, collects no personal data, and requires no consent banner. The privacy policy has been rewritten to match. One fewer piece of surveillance architecture on the stack.

The tool was free. What it was costing in legal obligation, compliance risk, and a global advertising infrastructure running by default across 307 regions was not.




References

[1] Google Analytics Terms of Service: https://www.google.com/analytics/terms/default.html

[2] GDPR data controller obligations for website owners using Google Analytics: https://termly.io/resources/articles/google-analytics-gdpr/

[3] Google Measurement Controller-Controller Data Protection Terms: https://support.google.com/analytics/answer/9024351?hl=en

[4] Google Analytics Terms of Service, liability cap and amendment provisions: https://www.google.com/analytics/terms/default.html


This article was originally published on Medium.