I'm in California and it was on by default. To comply with California rolls anyone in the US who resides in California can be covered even though it's not their billing address. So enabling anything like that by default or not prompting to have permission for cookies or selling data is in violation for anyone who does business in California. The gdpr rules also apply to anyone who's in EU citizen or resident even if they're outside of the EU so since T-Mobile does business in both they need to comply.