"Its really worrying when someone like that doesnt grasp GDPR, and theres no soft opt-in"
GDPR applies to "personal data". According to the GDPR FAQs personal data is "Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address." (https://www.eugdpr.org/gdpr-faqs.html)
I don't see anything in the list of what Canonical intends to collect that fits that description. The closest example in the FAQ description that could cause Canonical issues is IP addresses, which may be why they seemed to be very clear that IP addresses would not be collected.
I'm not sticking up for Canonical here, just making the point that I don't think GDPR will affect them based on the list in the article.