by tantalor 1263 days ago
And you are now in violation of GDPR
4 comments

Isn't the site owner in charge of GDPR for the site? Aren't they already non-compliant by hotlinking a resource from someone where there's no agreement about personal data? Wouldn't it still be the site owner's responsibility not to let a 3rd party send even more personal data over?
The code is fetched from your domain, you are responsible for what it does and what you are collecting.
I'm not an expert on GDPR at all so forgive me if these are dumb questions, but how? I thought GDPR pertained to a user's personal info? Sending back info about the webpage the script is used on isn't the same. Also, who would be in violation, the leechers or the OP? Does GDPR even apply if OP is just a random person on the internet and not a company operating in the EU?
The request would send back personally identifiable information (IP address), which, if the OP stored it (say in an access log) without establishing a legal basis, would be a GDPR violation. By OP, since the tracking is occurring on their server and not at the behest of some other data controller.
If OP has server logs, that is already happening anyway since the initial request to load the script is coming from the users' browsers, not from the site linking to it. That might be a reason in favor of disallowing the linking entirely even though it would negatively impact the users of the sites doing the hotlinking.
IP addresses in your http server log are a violation? Well then you may as well fine every hardware owner and ISP middleman between me and the user!
Now you are starting to catch on.
And just to be clear, a legal basis can be established even without user consent via Article 6.1(f), "legitimate interests" [1]. Though it is a grey area, and it is not well-tested in courts (AFAIK) how to balance those interests against the data subject's rights in any particular context, such as the one currently being discussed.

For instance, I've seen plenty of claims that storing IPs in logs is fine for "security purposes", though I don't know of any court cases specifically affirming that.

[1] https://gdpr.eu/article-6-how-to-process-personal-data-legal...

I might be missing something, but people who hotlink your scripts aren't your customers or users, and you shouldn't have any obligations towards them. Can people hacking your site sue for GDPR violations to get you to delete the logs of their hack?
If that's true, how is every single tracking pixel on the web not in violation of the GDPR?
I mean, every single tracking pixel on the web is a GDPR violation, unless they've established a legal basis to do so. As basically all of noyb's complaints being upheld by DPAs shows, most fail to do so, clinging to legitimate interest when they fail the balancing test, or to consent when the consent form is too deceptive or tips the scale too far to count as freely given.