Thanks for the link.
I went with the .htaccess in my /data directory to prevent hotlinking.
(BTW: To create inherent hotlink prevention, the script would only need to add the ability to choose where you want to have the data directory. Then you simply put it "above" /public_html and it is not accessable from the web.)