I never thought of this. I do see the potential fingerprinting, but I don't think it actually works, as currently the mouse position and scroll are tracked only ~200ms, so you just get some random positions, not enough to generate an accurate fingerprint. Plus it would require a lot of data and ML, which I highly doubt would be worth the effort.
> This kind of stuff needs to be opt-in

As I mentioned in the other comment, you can display an opt-in dialog if you want to. Some related info: I don't know if you heard of Hotjar before (probably you did, as their ads are everywhere), but it was on like 25% of Alexa top 100 sites and on over 500k sites, and probably all of them just bundle the consent with the other cookies or don't show any information at all. I think the problem is that GDPR mostly refers to tracking and personally identifiable data, and all those movements, heatmaps and actions are not really enough to identify a person.
My current opinion about this: Although I agree it feels creepy, as a user I don't really care if my actions are tracked on the website I go on, if there's no connection made to my person or to other websites I visited. Also, tracking mouse movement feels more creepy, but tracking all the content that you see and buttons/links that you click on in order to show targeted ads is probably worse. I think the big difference is that once you go to site X, you expect the site to get some information about your usage on their site (what pages you visit, what information was useful for you, where you got stuck on the page) in order to improve your experience and for them to improve conversions, but you don't expect another 3rd party to get all this info about you and use it for other purposes such as advertising or selling of personal information.