It's a Google Analytics client (using curl), so they punt on the GDPR issue to Google, who has a little "scrub client IP" checkbox in GA, which Homebrew has checked.
This is fine, because Google can be trusted to come into possession of your uniquely-identified tracking data, and then immediately delete it, without letting military intelligence log it in the process. They have no reason to share it (other than the legal compulsion that FAA 702 provides) or keep it around, as it would not profit them in any way (other than their multibilliondollar advertising business).
