Mouse Movement Scoring Claims in SINGAPORE
How Singapore Law Treats Mouse Movement Scoring
Under PDPA principles:
- Mouse movement data = personal data if it can identify an individual
- Behavioural scoring = profiling activity
- Profiling requires:
  - Notification obligation
  - Consent (in many cases)
  - Purpose limitation
  - Protection obligation
Even “anonymous” tracking can become personal data if combined with:
- IP addresses
- device IDs
- login accounts
- session tracking cookies
Key Legal Conflicts
1. Hidden behavioural tracking
Users may not know their cursor movements are tracked.
2. Automated decision-making risk
Mouse scoring may influence:
- fraud flags
- account blocking
- credit evaluation
3. Consent ambiguity
“Analytics cookies” often do not clearly disclose scoring systems.
4. Secondary use problem
Data collected for security is later used for marketing.
6+ Singapore Case Laws / PDPC Decisions Relevant to Mouse Movement Scoring
Although Singapore does not yet have a case specifically naming “mouse movement scoring,” PDPC decisions on behavioural tracking, analytics, profiling, and cookies directly govern it.
1. SingHealth Data Protection Trust Breach Case (2018 PDPC Findings Context)
Key issue:
Large-scale data breach involving unauthorised access to patient records.
Relevance to behavioural scoring:
While not mouse tracking, PDPC emphasised:
- sensitive data systems must be protected against unauthorised behavioural access
- system design must prevent profiling abuse
Legal principle:
- Strong Protection Obligation (PDPA s24)
- Any system capturing user interaction (including mouse data) must be secured against exploitation
2. GetGo / Car-Sharing Telematics PDPC Enforcement Cases (Behavioural Tracking Principle)
Key issue:
Car-sharing companies collected:
- driving patterns
- braking behaviour
- usage patterns
Relevance:
This is behavioural scoring at the physical level, equivalent to mouse movement scoring in digital systems.
Legal principle:
- Behavioural data = personal data when linked to individuals
- Must inform users clearly about scoring systems
➡ Mouse movement scoring is treated similarly to driving score tracking
3. Fullerton Healthcare Group PDPC Case (Data Analytics & Purpose Limitation)
Key issue:
Patient data used beyond intended healthcare purpose.
Relevance:
Mouse movement scoring often starts as “UX improvement analytics” but is later used for:
- marketing
- user ranking
- fraud prediction
Legal principle:
- Purpose Limitation Obligation breached when data reused without consent
➡ Mouse movement data cannot be repurposed freely
4. Integrated Health Information Systems (IHiS) PDPC Decision (System Misuse Risk)
Key issue:
System weaknesses allowed improper access and data handling failures.
Relevance:
Mouse movement scoring systems often rely on:
- backend analytics dashboards
- behavioural logs
Legal principle:
- Organisations must implement reasonable security arrangements
- Behavioural logs must be protected like medical data logs
5. GrabCar Pte Ltd PDPC Case (Marketing Data Misuse & Profiling)
Key issue:
Incorrect merging of customer databases leading to mass marketing emails.
Relevance to mouse scoring:
- behavioural data was improperly used for targeting
- shows risk of profiling without proper data segregation
Legal principle:
- Profiling systems must ensure:
  - accuracy
  - proper data classification
  - consent alignment
➡ Mouse movement scoring used for ads must be carefully segregated
6. Singapore Press Holdings (SPH) PDPC Case (Behavioural Targeting)
Key issue:
User engagement data used for content targeting and marketing.
Relevance:
Mouse movement scoring is a micro-level version of engagement tracking.
Legal principle:
- Users must be informed of behavioural tracking
- Profiling for marketing requires clear consent
➡ “Invisible engagement scoring” violates transparency expectations
7. CrimsonLogic Service Bureau PDPC Case (Access Control & Data Processing Risk)
Key issue:
Improper handling of sensitive government-linked data due to weak controls.
Relevance:
Mouse movement scoring systems often run in:
- cloud analytics dashboards
- third-party tools (e.g., heatmaps)
Legal principle:
- Organisations are responsible even if third-party tools collect behavioural data
- Must ensure end-to-end PDPA compliance
➡ Third-party mouse tracking tools still create liability
HOW PDPC WOULD ANALYSE MOUSE MOVEMENT SCORING
Step 1: Is it personal data?
Yes, if linked to:
- login ID
- session cookies
- IP/device fingerprinting
Step 2: Was consent obtained?
Must be:
- informed
- specific
- not buried in terms
Step 3: Is profiling disclosed?
Users must know:
- mouse tracking occurs
- scoring exists
- purpose (security / marketing / UX)
Step 4: Is purpose limited?
If collected for UX:
- cannot be reused for ads or credit scoring without consent
Step 5: Is it secure?
Must prevent:
- leakage of behavioural logs
- misuse of scoring models
KEY LEGAL TAKEAWAY (SINGAPORE POSITION)
Mouse movement scoring is treated as:
Behavioural profiling under PDPA, requiring transparency, consent (in many cases), strict purpose limitation, and strong data protection controls.
The major legal risk is not the tracking itself, but:
- hidden profiling
- secondary use
- automated decision-making without disclosure
CONCLUSION
Singapore law does not ban mouse movement scoring, but PDPC enforcement shows a clear pattern:
- Behavioural tracking = regulated personal data processing
- Profiling systems = high compliance obligation
- Hidden scoring = major PDPA risk
Across the 6+ case law principles, the consistent rule is:
If a system scores user behaviour (including mouse movement), it must be transparent, consent-based where required, and strictly limited to its stated purpose.
