I'm not an expert on GDPR at all so forgive me if these are dumb questions but how? I thought GDPR pertained to a user's personal info? Sending back info about the webpage the script is used on isn't the same. Also who would be in violation, the leachers or the OP? Does GDPR even apply if OP is just a random person on the internet and not a company operating in the EU?
The request would send back personally identifiable information (IP address), which if the OP stored (say in an access log), without establishing a legal basis, then it would be a GDPR violation. By OP, since the tracking is occuring on their server and not at the behest of some other data controller.
If OP has server logs, that is already happening anyway since the initial request to load the script is coming from the users' browsers, not from the site linking to it. That might be a reason in favor of disallowing the linking entirely even though it would negatively impact the users of the sites doing the hotlinking.
And just to be clear, a legal basis can be established even without user consent via Article 6.1(f) — "legitimate interests" [1]. Though it is a grey area and not well-tested in courts (AFAIK) how to balance those interests against the data subject's rights, in any particular specific context, such as the one currently being discussed.
For instance, I've seen plenty of claims that storing IPs in logs is fine for "security purposes", though I don't know of any court cases specifically affirming that.
