by XCSme 2219 days ago
> Collecting scroll and mouse movements is enough to build a fingerprint on people.

I never thought of this. I do see the potential fingerprinting, but I don't think it actually works, as currently the mouse position and scroll are tracked only ~200ms, so you just get some random positions, not enough to generate an accurate fingerprint. Plus it would require a lot of data and ML, which I highly doubt would be worth the effort.

> This kind of stuff needs to be opt-in

As I mentioned in the other comment, you can display an opt-in dialog if you want to. Some related info: I don't know if you heard of Hotjar before (probably you did, as their ads are everywhere), but it was on like 25% of Alexa top 100 sites and on over 500k sites, and probably all of them just bundle the consent with the other cookies or don't show any information at all. I think the problem is that GDPR mostly refers to tracking and personally identifiable data, and all those movements, heatmaps and actions are not really enough to identify a person.

My current opinion about this: Although I agree it feels creepy, as a user I don't really care if my actions are tracked on the website I go on, if there's no connection made to my person or to other websites I visited. Also, tracking mouse movement feels more creepy, but tracking all the content that you see and buttons/links that you click on in order to show targeted ads is probably worse. I think the big difference is that once you go to site X, you expect the site to get some information about your usage on their site (what pages you visit, what information was useful for you, where you got stuck on the page) in order to improve your experience and for them to improve conversions, but you don't expect for another 3rd party to get all this info about you and use it for other purposes such as advertising or selling of personal information.

1 comments

I'm happy to see you're putting this much thought into it, I appreciate it a lot.

I think it is a dozen orders of magnitude better than 3rd party services considering it's self hosted, which mostly nullifies fingerprinting concerns. I firmly believe opt-in should be required for the scrolling and movements, but I understand the climate isn't there yet.

Thanks for taking time to consider privacy, making it a priority, and taking the time to respond here. I reckon you're well on the good side of the fight for privacy just by decentralizing this data.