I wonder what data points those are, and whether that's GDPR compliant. I assume they have a pretty solid fingerprint with that much data.
It's a valid point, however. Incentivized traffic has always been full of bots, unless you add tough verification steps (aka captcha, answer questions about the content etc) at which point you'll have to pay a lot more for people to jump through your hoops.
And that is the messy part, finding the good from the bad - and is worth solving that issue. That's the wider point, this type of, or framework of problem is going to be more and more prominent.
Height, weight, hair color and year of birth aren't PII, but if you combine them, you're getting pretty close to identifying individuals, it's a behavioral finger print - and though I have no idea if it holds true in general, I'd assume that there's even a strong transfer across devices (a power user scrolls faster on both mobile and desktop).
Is there a way to really solve it? It seems to me that all you actually can do is up the ante, make it harder to do, but with full browser control, it'll be hard to lock them out. And if I'm looking at the behavior of users on my site, I can probably build pretty good replay users that visit the site you're protecting. I remember the "attack" on IRC channels back in the day where you'd join a bunch of bot users that would then have a conversation that is replayed from another channel (possibly in a different language), so timing, interaction etc looked very real (though they may seem a bit rude for not reacting to other people).
