[Macha]

The request would send back personally identifiable information (IP address), which if the OP stored (say in an access log), without establishing a legal basis, then it would be a GDPR violation. By OP, since the tracking is occuring on their server and not at the behest of some other data controller.

[rpeden]

If OP has server logs, that is already happening anyway since the initial request to load the script is coming from the users' browsers, not from the site linking to it. That might be a reason in favor of disallowing the linking entirely even though it would negatively impact the users of the sites doing the hotlinking.

[MonkeyMalarky]

IP addresses in your http server log are a violation? Well then you may as well fine every hardware owner and ISP middleman between me and the user!

[tantalor]

Now you are starting to catch on.

[interroboink]

And just to be clear, a legal basis can be established even without user consent via Article 6.1(f) — "legitimate interests" [1]. Though it is a grey area and not well-tested in courts (AFAIK) how to balance those interests against the data subject's rights, in any particular specific context, such as the one currently being discussed.

For instance, I've seen plenty of claims that storing IPs in logs is fine for "security purposes", though I don't know of any court cases specifically affirming that.

[1] https://gdpr.eu/article-6-how-to-process-personal-data-legal...