I see how some said some random id would be considered as personal data. But it just doesn’t fit in the definition.
https://gdpr-info.eu/art-4-gdpr/
who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Yes an online identifier, but what kind of online identifier? You can’t you identify anyone’s "physical, physiological, genetic, mental, economic, cultural or social identity" with that data. If you, however, collect other data and if they make personal data together when combined, then everything you bring to create personal data is considered personal data.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
Examples of data not considered personal data
- a company registration number;
- an email address such as info@company.com;
- anonymised data.
Obviously, you can’t figure out if they are using their name and surname or something identifiable in their email address so you must treat all of them as personal data in my opinion. But as you can see, not even a vague email address is considered personal data here as well as a company registration number.
For me, I create some random id on my server and send it to the client. How is it a personal data for example? Also on the same page:
It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
So when we enter a meeting, a hotel, a conference for example and they give us a visitor card, would that card, alone, considered as personal data?
My suggestion would be starting your game and try to make a profile of yourself from that entry in your database. Can you figure out a where that entry (you) lives, how the entry thinks or what kind of mood the entry is in (_physiological, _mental) ? Can you track down the person? If the government tells you that person is a criminal and needs to be tracked down and you have no other choice but to comply with government, do you have the capacity to do that or give any useful information about that entry?
Information such as “The user has 3 apples in the game and its random number is sf3ounfq.” is not something you can identify a person or that persons characteristics.
By the way, my implementation will be a static popup at the beginning. If they give consent to the list I display they will be able to continue, if not, the app will be waiting for their consent. When they change their mind, there will be an option to delete their information and place them at the start of the game again. I hope that would cover all of my requirements. I am still looking into it.