I'd argue recording anything at all, including whether I did it, breaks the 'completely anonymous' contract.

Then we're left with...mostly anonymous. But at that point it's a black box. It could be done how you describe. Or it could be attaching my name to the survey and emailing the CEO directly. I'd never know the difference.

I mean sure. If you think someone is lying to you then it doesn't matter.

But I disagree with "getting a reminder means its not anonymous" its completely orthogonal.

Are you assuming the request to respond is broadcast to all recipients regardless of response status?

No implementation is something like email is primary key, url is per user.

going to page and submitting will do two things. the table Request will be updated and marked submitted. the table Response will be populated with only the data.

If you can derive the email at submission time then its not anonymous.

It seems like the disagreement is between what makes data anonymous.

If I write a letter and don't sign it. It's anonymous. Someone could use a corpus of my text and infer I wrote it. That doesn't mean I didn't write anonymously.

I could make 2 updates to 2 tables and then end result would be that having both tables wouldn't let you correlated the data with submitters.

Yes if you control every aspect of the process you can lie to people. Thats not the point. If you think someone is lying to you to harm you why would you interact with them?

The point is there's ways to achieve this even assuming bad actors and doing something that's obviously flawed doesn't seem helpful.

> obviously