From the Package Control documentation:
If installs, upgrades and removals should be logged to the reporting URL. This data will be used to power the community package listing and will be displayed in aggregate only. No user-identifiable information is sent, just the: package name, operation, package version, package control version, sublime version and sublime platform.
Personally, I have no problem with this setting and used its default for as long as I've been using Package Control. However, it's not compliant with the EU GDPR, making it technically illegal to use in the EU. In a nutshell, Package Control should ask for the user's consent before sending any data, even if fully anonymised. It should also contain a link to a page which lists the exact data being sent (like the one linked above).
Here is how GitHub is doing it in their Atom editor:
I don't intend to start a discussion how stupid or great the GDPR is, I just wanted to save @wbond from potential legal trouble.