by Vinnl 1167 days ago
The telemetry runs when you call next dev, so does not run on your production instances.

(And you can opt-out and they display a warning, though of course that is indeed not an opt-in.)

2 comments

Offering opt-out is odd from a GDPR standpoint.

If the next.js project is collecting IP addresses together with this info they are processing personal data under GDPR. They need to do so under one of the 6 bases for processing, which in their case is either consent or legitimate interest. If consent, opt-in is required and opt-out is a violation. If legitimate interest then opt-out is alright and in fact not even required, but they have a high bar for clearing that standard, especially since opt-out is offered (which somewhat disproves the claim of legitimate interest).

I assume the project is in non-compliance and one complaint to a regulatory authority away from a proceeding that may lead to a fine if they don’t switch to an opt-in model.

In this case I mainly wanted to assuage concerns that this affected production instances.

That said, I'm not sure if consent or legitimate interest are the only potentially applicable bases. Knowing when the software breaks so you can fix it seems like it might be in the data subject's interest. And if it's not PII (which I'm not sure it's not, given that an IP address can be exposed, even if not logged), those bases aren't even necessary.

The fact developers even have to worry about that is a problem. How do you know where they will draw that line?
I agree that it's annoying that you can't just plug any tool into your code and hope that it does not do malicious things, but alas, that's the world we live in.