Ah gotcha, yes, you're right, except that only holds when you are not collecting any other data from the "subject" at all.
The major differentiating factor here is that that Dropbox does in fact process PII - convenient storage and distribution of their customers digital life is their raison d'ĂȘtre, after all, it's precisely what those people expect of Dropbox and pay them their monthly fee for.
In this case, where telemetry is gathered by the same desktop application that is also a primary component of their legitimate and consented-to data processing activities no less, they would at minimum be required to specify what information goes where, how it is anonymised, and for what purpose they require it.
I'm not assuming ill intent or unsanctioned data mining activities or anything of the sort, but whatever it is that they are collecting and doing is not as clear as it should be.
The major differentiating factor here is that that Dropbox does in fact process PII - convenient storage and distribution of their customers digital life is their raison d'ĂȘtre, after all, it's precisely what those people expect of Dropbox and pay them their monthly fee for.
In this case, where telemetry is gathered by the same desktop application that is also a primary component of their legitimate and consented-to data processing activities no less, they would at minimum be required to specify what information goes where, how it is anonymised, and for what purpose they require it.
I'm not assuming ill intent or unsanctioned data mining activities or anything of the sort, but whatever it is that they are collecting and doing is not as clear as it should be.