On the layer underneath the one everyone is arguing about.

In March this year, the Swedish media group Schibsted, which owns Aftonbladet, Svenska Dagbladet, Omni and Podme, rolled out something called Schibsted Annonsval. The name translates to “Schibsted ad choice.” Here is what it actually is.

If you visit any of those sites now, you have two options. Accept that your browsing will be collected and shared with 39 advertising partners. Or pay 49 Swedish kronor a month, 39 if you are already a subscriber, to avoid that specific collection. The paying option still shows you ads. The paying option does not give you premium content. It is not a subscription. It is a monthly fee to not be tracked.

You could call this a paywall. It is not. A paywall charges you for content. This charges you for privacy on content that used to be free. What was once the default, free access with non-targeted ads, has quietly been removed. What is left is a choice that should not exist: be profiled, or pay not to be. Schibsted is not the first to try this. Spiegel in Germany and Le Monde in France have been running the same model for two years. What Schibsted is doing is bringing it to the Nordic region. If the regulators let it stand, the rest of the industry will follow.

The reason this matters is not really the fee itself. It is what the fee reveals.

The thing you have been told is wrong

If you follow privacy news, you know the narrative. Cookies are tracking you. Meta is tracking you. TikTok is tracking you. Google is tracking you. These are the bad actors. Regulators are chasing them. The EU has GDPR. California has CCPA. Every few months there is another fine.

All of this is true. None of it is the real story.

The big platforms get most of the regulatory attention because they are visible. They have brands you have heard of. They have lawyers who respond to investigations. They have compliance teams who will eventually, grudgingly, implement whatever the regulator demanded. It is slow and imperfect, but it happens. Meta and Google fall into line because they have no choice.

Underneath the platforms you have heard of, there is an industry you have not.

When cookies started getting restricted by browsers a few years ago, the advertising industry did not accept the loss. It built a replacement. The replacement is a set of companies whose entire business is maintaining a profile of you: your name, your real home address, your phone number, the devices you use, the sites you visit, and selling matches on that profile to advertisers. One of these companies, LiveRamp, holds identity records on roughly 700 million people worldwide. That is not cookies. That is a database with your actual identity in it, bought, built, and sold commercially. Most people have never heard of LiveRamp. Most marketers have never heard of LiveRamp. The companies underneath LiveRamp, and there are many, have even less name recognition. This is not accidental. The less you have heard of them, the less you can object to them.

The damage is probably already done

Here is the part you might not want to read.

If you are reading this on a Chrome browser, without an ad blocker, on a phone or laptop you have used for more than a few years, using an email address you have had for more than a decade, with a phone number you have kept since before smartphones went mainstream, then the infrastructure already has you. It did not need your consent. Your email has leaked from every third breach notification you ever received. Your phone number is tied to your banking, your Uber, your food delivery. Your IP address is tied to your home. Your browsing, across any site running the vendors I mentioned, has been matched up and sold in auctions you cannot see.

Almost every convenience has cost you something here. Opening apps instead of websites. Saying yes to location sharing so the map app works. Signing in with Google or Apple because making a new account is tedious. Clicking Accept all on cookie banners because the reject option is three layers deep. Staying on Chrome because that is what came with your phone. None of these choices were wrong, exactly. They were just the path of least friction. The infrastructure was built on the assumption that almost everyone would take that path.

And I am almost certain you did.

The word that used to describe all of this was “anonymous.” That word is now dishonest. A 2019 peer-reviewed study published in Nature found that 99.98 percent of Americans could be re-identified in any dataset using just 15 demographic attributes. When I ran a test on a UK news site earlier this year, a single vendor had assigned me 24 audience segments within the first few seconds of my clicking Accept. Twenty-four categorisations, placed on one person, by one company, on one visit. The systems that sit underneath the web are now sophisticated enough to tie those signals back to you as a person: named, addressed, phoned, knowable. When a vendor says your data is “pseudonymous” or “anonymous,” what they mean is that they do not print your name at the top of the file. The file is still yours.

What you can still do

Not much, but not nothing.

I could give you a list of twenty things to do to limit your exposure. I won’t, because hundreds of those lists have already been published, and almost all of them have probably caught your eye at some point. If any of them had worked on you at the scale required to matter, you would not be reading this piece. The friction from what you are used to is too great. It is not a set-and-forget fix. It requires ongoing maintenance to circumvent the platforms that are themselves continuously circumventing your attempts to not be identified. I am not patronising you. It is hard, and it is annoying, and it is designed to be.

The honest version is that slowing the accumulation is more realistic than reversing it, and the only intervention worth making is the one you will actually keep up with. One change, sustained, is worth more than ten changes abandoned after two weeks. Pick the one that costs you the least friction for the most return, and stay with it.

One more thing

This is a David and Goliath fight, and you are not going to change how any of it is set up at the scale it operates at. Neither am I. But scale is not the only thing that matters. Climate change is not solved by any individual recycling, and yet recycling still has a point, because the alternative is to treat the scale of the problem as permission to do nothing. I do not want to live inside that alternative.

So I have done two things.

The first is that I wrote this article in three versions. An in-depth version for people who work in the industry and want the citations, a shorter executive summary for people who read professionally but do not have an hour, and this one, which is for most people, written in the clearest language I could find, because I think most people deserve to understand what is happening to them online without needing a technical background to follow the argument. All three versions link to each other. If this piece sent you somewhere new, the other two go deeper.

The second is that I built a browser extension. It is called BurnerCookie. It only works in Firefox, for the architectural reason I explained a moment ago. It wipes the tracking identifiers that the vendors I have been describing leave in your browser, on the sites you choose, every time you close a tab. It does not block ads. It does not reject consent banners. It does not fix any of this. It reduces how much the infrastructure can build up about you in that one browser, on the sites you care about, between sessions. It is free, it will stay free, and the code is open, so anyone who wants to check what it does or contribute to it can.

My tin cans, thrown in the right container, are three versions of this article at different levels of technical complexity, and a small piece of technology, built out of anger at being charged in order not to be used as a product. What will yours be?