GDPR requires the opposite, data collection has to be opt in. I don't really see why the telemetry they capture doesn't count as peoples personal data honestly, it should given how much behavior information is available from it.
I believe it’s only opt in when it contains user identifying information. Information on did a feature work or not and how long search indexing took isn’t particularly sensitive once you strip off any device identifiers.
