While you are right that Microsoft loosened their stance with privacy, let's not conflate data collection purposes:

1. telemetry, for diagnostics and health monitoring

2. usage analysis, for program improvement and personalization

3. content analysis, for advertising and marketing purposes

Windows requires kind 1 and encourages kind 2*. Type 3 does not really apply, though, as I don't see Windows sniffing what I write in my text files so that I'm shown relevant ads later.

It's all explained here: https://privacy.microsoft.com/en-us/data-collection-windows

* Also note that the Customer Experience Improvement Program has been with us since Windows 7. Same thing, just not perceived as badly as Windows 10.

Without a law like the GDPR, nothing stops them from using data collected for 1) and 2) for 3). Which they will do once some PM realizes it's worth something.

(There's even 0), data collected for functional purposes like 2FA. Multiple companies have taken data straight from 0 to 3 once they see the possible revenue.)