Right, but you’re talking about two distinctly different things. The ISP doesn’t own the websites you visit. They only have a record of your traffic. The individual websites that you visit can bust your privacy through 3rd party cookies, browser fingerprinting, cross-site tracking, and a bunch of other methods created to circumvent the user security features built into the browser. Nobody shares that information back to the ISP for free. The real issues are that huge companies like Google, Amazon, and Facebook have scripts running on millions of websites, so they can track you everywhere you go. But they’re still just single companies. The linchpin is that they then sell that information to Big Data brokers like Cambridge Analytica, and Informatica. Those companies combine literally everything you do online, everything you submit, all your history, all your data points, and build these fully accurate pictures of you. You need to take proactive measures to prevent this sort of data harvesting that go well beyond a VPN. But your ISP doesn’t have these systems in place. So unless the ISP is buying your profile from Big Data, and then selling it to the NSA, having a VPN is enough to thwart your ISP, and the issue identified in the article. You still have to take a bunch of other precautions to prevent the larger issue if you truly want any anonymity, and they’ll probably figure you out anyways.