Actually, it would be against their Privacy Policy; and they would get a fine of up to (5%? 10%?) of their annual turnover fined by the EU under GDPR if they did.
How will the EU audit Apple to confirm the privacy policy is not being breeched, or how will people know about such a breech on Apple's part in order to notify the authorities?