On the identity layer that replaced what the browsers thought they dismantled.

In March, Schibsted began charging Nordic readers not to be tracked. The model is pay-or-consent: accept behavioural advertising across the group’s Swedish titles (Aftonbladet, Svenska Dagbladet, Omni, Podme), or pay a monthly fee (49 SEK, 39 for subscribers) to avoid it. Paying does not give you an ad-free experience. Paying does not unlock premium content. The fee is specifically for not being profiled. Schibsted itself explains the price as the difference in advertising revenue between a profiled reader and a non-profiled one. The fee is a direct price tag on surveillance, paid by the person being surveilled.

The EDPB issued an opinion in April 2024 that platforms offering only consent-or-pay cannot produce valid consent. Sweden’s IMY has said the same. Schibsted’s position is that it sits outside the EDPB’s scope. The argument is live, and while it plays out in Brussels, the model is live too.

When I first encountered it on SvD, the online outlet for the Swedish newspaper Svenska Dagbladet, I got furious. Right in front of me there was yet another step in putting premium labels on features that were once standard. This time I couldn’t let it go; this felt like such an overstep that I started thinking about countermeasures. So I started building a browser extension to clear the worst offenders from my own browser between sessions. In doing so, I had to read what the sites were actually loading. That is where the story stopped being about cookies.

Cookies are beside the point now

When browsers started restricting third-party cookies (Safari first, Firefox next, Chrome last and least), the advertising industry did not accept the loss of cross-site tracking. It built a replacement. The replacement lives in first-party storage on the publisher’s own domain. Identity-resolution vendors (LiveRamp, ID5, IntentIQ, The Trade Desk’s UID2, Adobe ECID, LiveIntent, and thirty-plus SSPs underneath them) mint stable identifiers that the browser treats as first-party and therefore does not block. Those identifiers get synced across the graph on the server side, which the browser never sees.

LiveRamp alone maintains identity records on 700 million people worldwide (250M in the US, 45M in the UK, 25M in France), each tied to real names, real home addresses, real phone numbers, and real email addresses. The system processes sixty billion identity syncs per day. On a single UK news site I tested, nineteen identity vendors were present in the session within seconds of my clicking Accept. Permutive had already assigned me 24 audience segments by the time the page finished loading. A peer-reviewed Nature study from 2019 found that 99.98 percent of Americans can be re-identified from any dataset using just 15 demographic attributes. The word “anonymous” does not survive contact with this infrastructure.

It is a ripple, not a plan

GDPR (2018). The Transparency and Consent Framework (2019). ID5 pausing Europe after Adalytics reporting (2021). GoodRx’s $25M FTC settlement (2023). EDPB Opinion 08/2024 on consent-or-pay. Brussels Market Court upholding joint controllership in the TCF v2.0 (May 2025). Each decision was defensible on its own. None of them individually was a plan to build an identity-resolution layer running on first-party storage. That is just what emerged. Compounding compliance, not a conspiracy.

Conspiracy framing would be easier. A conspiracy can be exposed and dismantled. A ripple can only be redirected by another ripple.

Why you have not seen this

Opacity is the business model. A media buyer operates on audience segments they did not build, using graphs they have never signed a contract with. A marketing executive reads attribution dashboards fed by identity resolution they did not specify. A consent banner lists fifteen hundred partners in a TCF string the user never sees.

LiveRamp’s own website is the clearest instance of this. Their homepage sells consumer trust (GDPR, ISO 27001, SOC 2, copy about protecting the data and the trust it is built on). Their API page, one click away, sells “resolving directly identifiable personal data such as email, phone, name, and postal address at the point of authentication.” Both pages are accurate. They are written for readers who will never land on the other. The procurement officer at the advertiser reads the homepage and ticks the compliance box. The integration engineer at the same advertiser reads the API page and writes the code. Neither needs the other’s framing. That two-page arrangement is the business model written out in plain English.

The question is being answered now

On 19 November 2025, the European Commission published its Digital Omnibus package. It was the moment at which the next identity layer (the European Digital Identity Wallet, which is the genuinely privacy-preserving version, built on zero-knowledge proofs) could have been used to retire the commercial identity graph. The package did not do that. It narrows personal data definitions. It provides legitimate interest as a basis for AI model training. It streamlines cookie consent. None of those dismantle the commercial graph. The EDPB and EDPS raised concerns in a joint opinion on 11 February 2026. NOYB has been publishing opposition analyses. The package is still in Parliament and Council, and the direction is additive: a verified-identity obligation added on top of the existing surveillance layer, rather than replacing it.

The damage is stock, not flow. Future regulation can change how much new identity data gets collected. It cannot recover the graphs that already exist. Every sync in the last decade persists. The models trained on those profiles do not forget when the law changes.

The small response

Despite all this, I built the extension anyway. It is called BurnerCookie. It only works in Firefox, not by preference but by architecture: Firefox exposes contextualIdentities, storage partitioning, and per-container state isolation. Chromium does not. Mozilla’s documentation is explicit that contextual identities are not supported in any other browser. Which is worth sitting with, because Alphabet’s 2025 revenue was approximately 350 billion US dollars, roughly 260 billion of which came from advertising. Chromium is a Google project. Chrome holds about 70 percent of global browser market share. The browser most people use, owned by the company with the largest financial interest in the infrastructure the identity layer funds, is also the browser that does not give extensions the tools to defend against it. That is not conspiracy. It is structure.

Three versions

This is the executive version. There is a longer piece with the full vendor breakdown, the citations, and the regulatory timeline, and a shorter piece written for a general reader who does not work in this industry. All three versions link to each other. If you want the evidence in more detail, the longer one is there. If you want to send this to a non-specialist colleague, the shorter one is there.

If this is new to you and you work in the industry, it is not your fault. The architecture was designed to make it hard to see, and architected to make it hard to respond.

How the fuck did we miss this?