Every time that image is pulled from Gravatar, whether the user using the browser that loads the image wants it or not, the browser opens a connection to Gravatar’s server. That’s not an opt-in feature.
For further reading, look up “tracking pixel” or “1x1 pixel” and you can learn how any HTTP(S) source can track that access in various ways. I am not going to take the time to give you exact links, because what you need to understand is how tracking of HTTP requests works, not specifics about Gravatar. From a security standpoint, all cross-domain traffic is questionable, but disabling it is not really an option for using the modern web. If it were, I’d block it all and only whitelist what I had to from each domain or subdomain. That’s why companies who aggregate data love being integral to how sites operate. This is not the first time Wanikani has removed an external service it depended on for privacy reasons and I hope it won’t be the last.
For another one look here: Wanikani Fonts Update
Yes, I’m in that thread too, but since it wasn’t related to a fluffy personalization feature it didn’t get nearly as contentious as this.