On the identity layer being built on top of the one that was supposed to be dismantled.

On 13 March 2026, Schibsted, the Nordic media group that owns Aftonbladet, Svenska Dagbladet, Omni and Podme, rolled out a product called Schibsted Annonsval. The translation is “Schibsted ad choice.” What it actually is, is a pay-or-consent wall.

Readers of any of those sites now face two options. Accept that their browsing is collected and shared with 39 listed partners for behavioural advertising, or pay 49 Swedish kronor a month, 39 if they are already a subscriber, to avoid that specific processing. The paying option does not remove ads. The paying option does not unlock premium content. It is not, in any meaningful sense, a subscription. It is a monthly fee for the specific outcome of not being profiled. Schibsted itself has explained the price as the difference in advertising revenue between a profiled user and a non-profiled user. The fee is a direct price tag on surveillance, paid by the person being surveilled.

This made me furious. Not abstractly furious, specifically furious, in the way that only arrives when a pattern you have been watching for years finally does the obvious thing in plain sight. What was once standard is now premium. What you did not consent to has become the default. The third option, a free service with non-profiled ads, has been quietly removed. What remains is a binary that should not exist: be tracked, or pay not to be.

The EDPB issued a formal opinion in April 2024 concluding that platforms offering only “consent or pay” cannot produce valid consent, because personal data, in their words, cannot be considered as a tradeable commodity and the fundamental right to data protection cannot be transformed into a feature that data subjects have to pay to enjoy. Sweden’s data protection authority, IMY, has written the same principle more plainly: consent is not freely given if the user cannot use the service without consenting to processing that is not necessary for delivering it. Schibsted’s position is that its model is outside the EDPB’s scope. That argument is live.

I wanted to do something concrete. The obvious response to a pay-or-consent wall is to reduce the commercial value of being tracked, which in principle means reducing the fingerprint the infrastructure can build about you. Cookies are what the public conversation is about, what browsers are built around, what regulators regulate. I assumed, reasonably, that wiping cookies was where a small browser extension would end.

What I found, when I started reading what the sites were actually loading, is that cookies are almost beside the point now. The persistence has moved. Most of what a modern publisher stores about you does not live in a cookie anymore. It lives in localStorage, in first-party identity envelopes minted by vendors on the publisher’s own domain, and in server-side identity graphs that your browser never sees clearly. The extension project grew because the target was the wrong shape.

I opened DevTools on a major UK news site, clicked through the consent banner the normal way, and started watching the network tab. Within seconds of acceptance, roughly eighty cookies and eighty localStorage keys had been written. Nineteen distinct identity vendors were present in the session: ID5, LiveRamp ATS, IntentIQ, The Trade Desk’s UID2, LiveIntent, Prebid sharedId, Lotame, Permutive, Adobe ECID, and more than thirty supply-side platforms underneath them. The publisher had minted its own internal user identifier within the first second. Permutive had already assigned the session twenty-four audience segments.

I had clicked “Accept all.” I had, in a technical and legal sense, consented. I had no idea what I had consented to.

I checked a few more sites. An Australian university, the kind of institution that publishes ethics policies about research data, was stitching Adobe’s Experience Cloud ID to the Facebook pixel as an external identifier inline on page load, using Adobe’s own identityMap function. Two Facebook pixels. Two Google Ads accounts. TikTok, Pinterest, Snap, LinkedIn, Reddit, Bing, Spotify, Yahoo, Baidu. Adobe Launch, Alloy SDK, LiveRamp, and Trade Desk pixels stacked in the same tag manager.

Then I opened a reader-supported European newspaper, post-consent. Six cookies. Four localStorage keys. No identity resolution vendors. A useful negative control. The difference was not regulatory. Both sites are governed by the same GDPR. When a publisher’s revenue does not depend on the identity graph, the graph is not there.

I have worked in digital for fifteen years. I only just clocked this layer properly. That is the part I want to write about.

The layer underneath

The short version is that cookies were the old substrate for cross-site identification, and when browsers started dismantling third-party cookies, first Safari, then Firefox, eventually Chrome, the advertising industry did not accept the loss of the graph. It adapted. The adaptation lives in first-party storage.

An identity-resolution vendor is a company whose business is recognising the same person across different sites, browsers, and devices, and assigning that person a stable identifier that can travel. The post-cookie version works like this. The publisher runs a small library from the vendor. The library mints an identifier and stores it as a first-party cookie or in localStorage on the publisher’s own domain. To the browser, this is first-party storage. The defences that block third-party tracking do not apply. The vendor’s server reads the identifier when the ad call goes out, syncs it with its own graph, and hands out matching identifiers to every other vendor on the same contract network.
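The storage pattern described above can be audited from the reader's side. The following is an added example, not code from BurnerCookie or from any vendor: it classifies a constructed snapshot of one site's cookies and localStorage by identity vendor and lists what sits in first-party storage. The key patterns are assumptions based on commonly seen library defaults (publishers can rename them), and the snapshot shape, host names and values are hypothetical.

```javascript
// Key-name patterns per vendor. ASSUMPTION: commonly seen library defaults;
// publishers can rename keys, so no match does not mean no identifier.
const VENDOR_PATTERNS = [
  { vendor: "ID5",             re: /^id5id/ },
  { vendor: "LiveRamp ATS",    re: /^(_lr_env|idl_env)/ },
  { vendor: "Prebid sharedId", re: /^(_sharedid|_pubcid)/i },
  { vendor: "Lotame",          re: /^panoramaId/ },
  { vendor: "Adobe ECID",      re: /^AMCV_.+AdobeOrg$/ },
  { vendor: "Permutive",       re: /^permutive-/ },
];

// Long opaque value: a candidate identifier even when the key was renamed.
const OPAQUE = /^[A-Za-z0-9+\/_=.%-]{24,}$/;

// A cookie is first-party when its domain is the page host or a parent of it.
function isFirstParty(cookieDomain, pageHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = pageHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

function auditStorage(snapshot) {
  const findings = [];
  const classify = (store, key, value, firstParty) => {
    const hit = VENDOR_PATTERNS.find((p) => p.re.test(key));
    if (hit) {
      findings.push({ store, key, vendor: hit.vendor, firstParty });
    } else if (OPAQUE.test(String(value))) {
      findings.push({ store, key, vendor: "unclassified", firstParty });
    }
  };
  for (const c of snapshot.cookies) {
    classify("cookie", c.name, c.value, isFirstParty(c.domain, snapshot.host));
  }
  // localStorage is origin-scoped, so every entry is first-party by construction.
  for (const [key, value] of Object.entries(snapshot.localStorage)) {
    classify("localStorage", key, value, true);
  }
  const named = findings.map((f) => f.vendor).filter((v) => v !== "unclassified");
  return {
    findings,
    vendors: [...new Set(named)].sort(),
    // Entries that third-party-cookie blocking does not touch.
    burnList: findings.filter((f) => f.firstParty).map((f) => `${f.store}:${f.key}`),
  };
}

// Constructed sample: all hosts, keys and values are made up for illustration.
const SAMPLE = {
  host: "www.news.example",
  cookies: [
    { name: "_lr_env", domain: ".news.example", value: "AjfowMv4ZHZQJFM8TpiUnYEyA81Vdgg" },
    { name: "AMCV_0123456789ABCDEF%40AdobeOrg", domain: ".news.example", value: "MCMID|1234567890" },
    { name: "session_theme", domain: "www.news.example", value: "dark" },
    { name: "uid", domain: ".adserver.example", value: "c2FtcGxlLXRoaXJkLXBhcnR5LWlkZW50aWZpZXI" },
  ],
  localStorage: {
    "id5id": "{\"universal_uid\":\"ID5-constructed\"}",
    "_pubcid": "7b1f0c1e-0000-4000-8000-constructed",
    "permutive-id": "00000000-0000-4000-8000-000000000000",
    "pub_reader_key": "Zm9vYmFyYmF6cXV4Y29uc3RydWN0ZWQxMjM0NTY3OA",
    "font-size": "16",
  },
};

console.log(auditStorage(SAMPLE));
```

On the sample, only the `.adserver.example` cookie is third-party; every other identifier, including the renamed `pub_reader_key`, sits in storage the browser treats as the publisher's own.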

The scale is not abstract. LiveRamp, the largest of these operations, maintains identity records on 700 million people globally: 250 million in the United States, 45 million in the United Kingdom, 25 million in France. Each person is assigned a stable proprietary identifier called a RampID. RampIDs are tied, through LiveRamp’s identity graph, to real names, home addresses, previous addresses, email addresses, phone numbers, and device IDs referring to browsers, smartphones, tablets, and TVs. LiveRamp has 825 direct clients and more than 500 third parties that exchange data via RampIDs. The system processes sixty billion identity syncs per day, on its own published figures. These numbers come from “Pervasive identity surveillance for marketing purposes”, a 61-page technical report by Wolfie Christl and Alan Toner at Cracked Labs, commissioned by Open Rights Group in February 2024. Open Rights Group filed legal complaints against LiveRamp to the ICO in the United Kingdom and CNIL in France on the back of it.

The Trade Desk’s Unified ID 2.0, the industry’s other flagship identifier, uses hashed and salted email addresses as the primary signal. Mozilla’s CTO and a distinguished engineer published a formal technical analysis in 2021 concluding that UID2 is, in their words, a regression in privacy, because it allows tracking of users who are presently protected against tracking. The same paper identifies specific security problems: decryption keys are widely distributed to every data consumer, and any consumer with the keys can mint tokens that map to any UID2 of their choice. The Trade Desk is now facing consolidated class-action lawsuits in the United States under the Video Privacy Protection Act and the California Invasion of Privacy Act.

Adobe’s Experience Cloud ID takes a different architectural route to the same destination. It sets identifiers via demdex.net as a third-party cookie, falls back to first-party cookies via CNAME cloaking when third-party cookies are blocked, and falls back again to First-Party Device IDs seeded through DNS A and AAAA records when even that is restricted. The same FPID always produces the same ECID through a deterministic algorithm. Adobe’s identityMap function then allows CRM IDs and hashed emails to be sent alongside the ECID. The Australian university I opened was using exactly this chain to stitch its ECID to Facebook’s external_id.

LiveIntent operates on hashed email addresses and has been the subject of academic research since at least 2017, when Englehardt, Han and Narayanan at Princeton documented in “I Never Signed Up for This! Privacy Implications of Email Tracking” that LiveIntent, Acxiom, Conversant Media and Neustar were receiving leaked email addresses from between 24 and 68 of the 902 email senders they studied. LiveIntent’s own integration documentation reveals a company that is, by design, an identity clearinghouse: their user-ID module simultaneously issues identifiers compatible with UID2, Magnite, PubMatic, OpenX, The Trade Desk, Sharethrough, Triplelift and a dozen others.

IntentIQ is the one most readers will never have heard of. They operate what the trade press calls a white-labelled backbone. Other ad-tech companies integrate IntentIQ’s infrastructure and rebrand the output as their own. The company is owned by AlmondNet, holds more than 150 patents, and their own privacy policy states they do not honour Do-Not-Track signals. They claim 90 to 97 percent match accuracy across devices using a blend of deterministic identifiers and probabilistic signals: IP, user agent, behaviour. Most of their visibility to end users is through other companies’ brands. That obscurity is not a side-effect. It is the product.

Permutive is architecturally distinct and worth naming as such. Rather than centralising data on servers, they do on-device edge computing. Personal data ostensibly stays in the browser; what leaves are cohort assignments. Used by the BBC, the Financial Times, Business Insider, Penske Media. The outcome for the user is similar, segmentation within milliseconds of arrival, cohorts piped directly into Google Ad Manager via Publisher Provided Signals, but the mechanism is different, and pretending otherwise invites pushback from readers who know the difference.

The structure is a ripple, not a plan

In 2018, GDPR arrived. Cookie banners became universal. The advertising industry built the Transparency and Consent Framework to standardise the compliance language while preserving the underlying behaviour. In 2021, Adalytics documented ID5 setting tracking cookies on users sending gdpr=0 regardless of whether those users were actually in the EU; ID5 paused its European operations and publicly confirmed the finding. In 2023, the FTC settled with GoodRx for twenty-five million dollars over privacy-policy claims that did not match the infrastructure underneath; user health interactions were being routed to Meta and Google via the Facebook pixel. In 2024, the EDPB issued Opinion 08/2024 on consent-or-pay models, concluding that large platforms offering only a choice between consenting to tracking and paying a fee cannot produce valid consent. In 2025, a German court ruled that Google Tag Manager requires user consent and that legitimate interest is not a valid basis. Also in 2025, on 14 May, the Brussels Market Court upheld multiple GDPR infringements in version 2.0 of IAB Europe’s Transparency and Consent Framework, reimposed the 250,000 euro fine, and confirmed IAB Europe as joint controller for the processing of the consent strings it had designed, though it limited that responsibility to the framework itself rather than the downstream auctions the framework enables.

Each of these decisions was defensible on its own terms. Each was a correction to a specific abuse. None of them, individually, was a plan to build an identity-resolution layer that lives in first-party storage and synchronises sixty billion times a day. But that is the layer that exists.

The ripple frame matters because the alternative framings are worse. Conspiracy framing asks who did this and presumes a villain. There is no villain in the dramatic sense. There are thousands of defensible local decisions by engineers, product managers, marketers, lawyers, and regulators, each solving the problem in front of them, each leaving a compound residue. The residue is the infrastructure. Nobody planned the destination. The destination emerged from compounding compliance.

This is more unsettling than conspiracy, not less. A conspiracy can be exposed and dismantled. A ripple can only be redirected by another ripple.

The strongest version of the industry case

The piece is not honest unless the other side of the argument is stated at its strongest. The case for the infrastructure goes as follows. Identity resolution is what funds ad-supported journalism. The alternative is paywalls, and paywalls exclude everyone who cannot or will not pay. The data is pseudonymised, not directly identifying. Users have been given a choice through consent banners; most click Accept all because they do not care enough to do otherwise, and that indifference is a form of consent even if it is not an enthusiastic one. Without this infrastructure, advertising CPMs collapse, publishers fail, and the free web contracts to a handful of surviving subscription services.

I do not think this case is wholly wrong. There is a genuine economic function being performed and a genuine dilemma for anyone who cares about the open web. But the case falls on three specific points.

First, pseudonymised is a legal term that does not match the behaviour. LiveRamp’s graph is tied to real names and real home addresses. Calling the resulting identifier pseudonymous is a technicality that would not survive a conversation with a careful person about what the data actually represents. Second, the consent is fictional because opacity is structural. The details of what the choice entails are not available to the person clicking the banner, and are not even fully available to the marketers who buy the resulting audience segments. Third, if the system cannot survive informed consent, it should not exist. The point of consent is not procedural. It is meaningful choice, and the infrastructure has been specifically engineered to make meaningful choice impossible.

Why I didn’t see it

A media buyer operates on audience segments. The segments are built on graphs maintained by companies the buyer has never signed a contract with. A marketing executive operates on attribution dashboards. The dashboards are fed by identity resolution the executive has not specified. A consent banner operates on a list of vendors the user has not chosen, inside a taxonomy of purposes written by an industry body whose own framework has just been found partially non-compliant by a Belgian court. The abstraction layers in adtech are designed precisely so that the parties immediately above and below the identity layer do not need to understand it. The abstraction is the product. Not being able to see it is how it is supposed to work.

IntentIQ is the cleanest example. The company sells infrastructure white-labelled under other brands. Most marketers who have bought audience data enriched by IntentIQ technology have done so without knowing the company exists. The design of that obscurity is not accidental; it is commercially load-bearing. A product that required marketers to understand what they were buying would generate resistance the current product does not.

LiveRamp is a subtler example of the same thing. Their homepage sells consumer trust. GDPR logo, ISO 27001, SOC 2, copy about protecting the data and the trust it is built on. Their API documentation, one click away, sells “resolving directly identifiable personal data such as email, phone, name, and postal address at the point of authentication.” Both pages are accurate. They are written for readers who will never land on the other. The procurement officer at the advertiser reads the homepage and ticks the compliance box. The integration engineer at the same advertiser reads the API page and writes the code. Neither needs the other’s framing to do their job. That two-page arrangement is the business model written out in plain English.

My consent to a site is consent to that site. It is not consent to its vendors, nor to its vendors’ vendors, nor to the fifteen hundred partners in the IAB TCF string the banner quietly generates on my behalf. The banner does not disclose this, because a banner that did would not produce compliant consent at scale.

The question is being answered now

The second thing worth noting is that a new identity layer is being built on top of this one, not underneath it.

The European Digital Identity Wallet is the most coherent attempt so far to give the internet a genuinely privacy-preserving identity layer. It uses zero-knowledge proofs. A user can prove to a site that they are over eighteen without revealing their identity. The verifier does not learn who the user is. The issuer does not learn which site asked. The site does not learn anything beyond the binary answer. This is the good version. It is also the hardest version to build, and the EU is the only major bloc seriously attempting it.

The gap is that the EUDIW is being deployed alongside the commercial identity graph, not in place of it. The technical term is an additive identity layer. The architectural alternative, the one that would make the EUDIW’s privacy properties actually count, is a substitutive identity layer, which means using the good thing as a reason to switch off the bad thing.

When I started drafting this piece, I assumed the next eighteen to twenty-four months would decide the direction. That assumption was out of date. The decision has been proposed.

On 19 November 2025, the European Commission published its Digital Omnibus package. The package is the legislative moment at which the substitutive-or-additive question was always going to be answered. It has been answered. The package contains no instrument that dismantles the commercial identity graph. It narrows the definition of personal data. It provides legitimate interest as a legal basis for AI model training. It streamlines cookie consent via browser-level signals. It adds carve-outs for audience measurement and security-related tracking. None of these close the gap. The EDPB and EDPS issued a joint opinion on 11 February 2026 raising significant concerns, in particular on the narrowing of personal data. NOYB, the privacy organisation led by Max Schrems, has been publishing detailed opposition analyses since the proposal landed. The package is still in Parliament and Council. The direction is now clear, and the direction is additive.

This is not yet concluded. Parliament can reshape it. Member States can resist it. Civil society can slow it. But the default position, the one the institutional machinery has proposed, is a world in which European citizens gain a verified-identity obligation at regulatory gates while the sixty-billion-syncs-a-day commercial layer continues underneath. The genuinely good version of the verified-identity layer and the surveillance layer now share a plumbing diagram, and the plumbing diagram has been formally submitted for approval.

One more structural point, because it shapes how urgent any of this actually is. Future regulation can change the rate at which new identity data is collected. It cannot recover the graphs that already exist. Every identity sync in the last decade is already in somebody’s database. Every behavioural profile built on those syncs persists. The models trained on those profiles do not forget when the law changes. The damage is stock, not flow. Once the stock is set, the rest is harm reduction. This is why the Digital Omnibus matters more than a single piece of cookie legislation normally would. The package is the moment at which the stock question and the flow question are being decided simultaneously. If it passes in anything resembling its current form, the commercial graph is legally grandfathered while the verified layer is added on top, and the window for asking whether the two should coexist closes for a generation.

The small response

I built the extension because I wanted something concrete to do while I absorbed all of this, and because wiping a short list of vendors from my own browser between sessions felt more useful than writing a second consent-management vendor comparison. It is called BurnerCookie. It wipes vendor identity envelopes on tab close for sites I list, and on every tab close across all sites for a small set of known identity-resolution vendors. It does not block ads. It does not reject consent banners. It does not stop server-side tracking. It reduces the rate at which first-party envelope identifiers persist in my browser between sessions. That is the whole ambition. It does not solve the problem. It is one small ripple in the opposite direction.

The extension only works in Firefox, not by preference but by architecture. Firefox exposes contextualIdentities, storage partitioning, and per-container state isolation. Chromium does not. Those APIs are what make surgical per-site burning possible rather than the blunt clear-everything approach that Chromium extensions are forced into. Mozilla’s own developer documentation is explicit: contextual identities are not supported in any other browsers.

The extension came out of reading source. Pulling the JavaScript the sites actually loaded, watching the DOM, logging what fired and when. The pattern was visible in the evidence. What I did not know, until I went looking afterwards, is that there is a body of serious work already documenting this infrastructure. Adalytics on ID5. Cracked Labs on LiveRamp. The Princeton team on email tracking. Johnny Ryan at the Irish Council for Civil Liberties on real-time bidding. If this piece has made you want to read further, those are the people who have done the decade of careful work. I found them after the fact. They are the reason anyone writing about this now has citations to hand.

The internet was designed without an identity layer for architectural reasons that served it well for forty years. It is now being given one. The question was whether the verification layer and the surveillance layer would share a plumbing diagram, or whether the former would be allowed to retire the latter. The answer, as of November 2025, is that they will share the plumbing. Unless the answer changes in the legislative process, European citizens will end up with both layers rather than a substitution of one for the other.

Schibsted did not build this infrastructure. They are among the first in Scandinavia to put a fee on the way out of it. What is being sold as a privacy option is a monthly charge to opt out of a graph the reader did not consent to in the first place, dressed as choice.

There is one more thing worth sitting with. The extension only works in Firefox because Firefox is the only major browser that exposes the APIs required to surgically remove identity persistence from specific sites. Chromium does not. Alphabet’s 2025 revenue was approximately 350 billion US dollars. Roughly three-quarters of it, around 260 billion, came from advertising. Chromium is a Google project. Chrome holds around 70 percent of global browser market share. The browser most people use, owned by the company with the single largest financial interest in the advertising ecosystem the identity layer exists to fund, is also the browser that does not let extensions do what mine does. This is not conspiracy. It is a ripple, like the others in this piece. But it is the ripple that decides what response is technically possible in the browser you already have.

If you work in this industry and this is new to you, it is not your fault. The architecture was designed to make it hard for you to see. It was architected to make it hard for you to respond.

How the fuck did we miss this?