[Xylakant]

That is a very simplifying view of the legal situation and that's not helpful at all.

First, it only applies if you collect PII - depending on what they collect, they might not be subject to the GDPR at all.

Second, informed consent is only one of the options that allows collection and storage of PII. There are various other reason that allow collection and storage of PII, among them "Legitimate interest". For example, it is considered legitimate to store webserver logs containing PII (IP Addresses) for purposes of fraud analysis, unauthorized system access etc. Whether a specific collection of data is legitimate under those clauses depends on the specifics of a case (who has access, what's the exact purpose, how long you store, ...) - ask a lawyer if you need an assessment.

Depending on what they log and how they log, they may be either in the clear or in a bad place, but it's definitely not as simple as "the law requires no logging".

[jeroenhd]

The analytics page describes them tracking information across time with a unique user identifier. They claim that identifier doesn't identify you, but it's attached to an exact Brew install so it does track your personal account on your machine at the very least; I'd classify that as PII.

Had they not submitted unique user tokens I think you mag be right. However, that's not how the analytics seem to work.

The law does allow logging for a variety of things but in this case I'd say they're in the wrong. They assume that it's okay because they don't track you across websites and that's good to know, but that's not the point.