Surely the main issue is informed consent
The EU data protection regulators must make sure that any site that is recording any sort of biometrics, including behavioural ones, must make that absolutely clear and get informed consent.
Users need to know that:
i) they can be tracked and identified even if they delete cookies and even if they do not log in. Obviously that is little problem for banks -- if you don't log in you don't get service (although I might choose to look through their loan offers while not logged in so I don't get bombarded with sales calls for their loans). But if the technology works then it will be used for advertising tracking as well.
ii) all biometrics are simply passwords you can't change. So, if someone works out how to reverse the analysis and generate an apparent biometric match for you (like people have already done with fingerprint readers) then your security is lost and cannot be recovered. There is a reason why the US Secret Service destroy glasses the President has handled (for example when Obama had a pint of Guinness on his trip to Ireland).