I'm not sure about the lagality of this, but it definitely seems insecure. This pattern is used for some should be POST request but this is a GET because of this constraint, but I'd doubt the legality of this and it just seems kind of dumb.
Can't help you more than just agreeing about it being a bad idea. What if a bot crawls the link?
There's a reason the web is built the way it is.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.