Product Updates

Osano CMP support for 2023 US privacy laws

posted on December 15, 2022

There’s a lot of action in the world of privacy with 5 new privacy laws going into effect in the US next year. California, Colorado, Connecticut, Virginia, and Utah all have new legislation set to go live. In particular, California’s CPRA and Virginia’s VCDPA become active on January 1. With all of these changes, many of the folks we’ve been talking to have shared their struggle to keep up with the legislation and what it means for their business. Osano is here to help! 

The new features in the Osano Consent Management Platform (CMP) give you a simple way to comply with even the nuanced and complex parts of the US laws. In this post, we’ll outline some of the changes the new regulations are asking businesses to comply with. We’ll also show which Osano CMP features you can use to stay compliant and do the right thing by respecting your users’ privacy. 


Which US laws are going into effect in 2023? 

Five new laws are going into effect, each with slightly different requirements. We’ve previously written articles that go into depth on what each law requires (so far); they are linked in the following table. These US state law articles cover each of the laws broadly and generally.

| Law | Full name | Effective Date |
|---|---|---|
| CPRA | California Privacy Rights Act (Replacing CCPA) | Jan 1, 2023 |
| VCDPA | Virginia Consumer Data Protection Act | Jan 1, 2023 |
| CTDPA | Connecticut Data Privacy Act | Jul 1, 2023 |
| CPA | Colorado Privacy Act | Jul 1, 2023 |
| UCPA | Utah Consumer Privacy Act | Dec 31, 2023 |

You can also check out our six-month, three-month, and one-month countdown articles, which summarize some action steps you can take to prepare for compliance.

In this blog, we’ll dig specifically into the CPRA’s and VCDPA’s requirements for consent management that go live on January 1, along with the new and existing Osano CMP features you can use to comply. We’ll also provide the specific “customer actions” you can take to start using these new Osano features. 

What are the new CMP requirements in CPRA and VCDPA? 

In addition to previous requirements (such as notifying users of cookie use and asking for their consent), there are 4 new CMP requirements starting January 1. This table shows a summary of the requirements as well as which Osano CMP features help you comply with them. Read on for the details of each requirement as well as the corresponding Osano CMP features. 

| Requirement | What does it mean? | California (CPRA) | Virginia (VCDPA) | Osano Feature |
|---|---|---|---|---|
| Global Privacy Signal (GPC) | Capture an opt-out signal from the user’s browser for this session. | Opt-out preference signal | n/a | Global Privacy Control (Available today) - Docs |
| Do not sell or share | Don't sell my personal information (PI) for monetary gain. Don't share or process PI for advertising purposes. | Do not sell or share my PI. "Share" = Opt out of cross-contextual behavioral advertising | Do not sell my PI. Opt out of targeted advertising | Updated drawer text (Available today) - Docs |
| Single, clear setting | One place to set “do not sell” and “do not share” preferences. | One option to satisfy both requirements. | n/a | Do Not Sell Modal (Available today) - Docs |
| State-level targeting | Show different content for different states. | CA laws vs US | VA laws vs US | State-level targeting API (Available today) - Docs; Updated banner defaults (Planned for Dec 30) - Docs |

Global Privacy Control (GPC)

CPRA is now requiring the ability for users to opt out via a preference signal. While the language is a bit vague, one concrete way to meet this requirement is to capture and process GPC. The GPC setting can be enabled in a user’s browser. Once turned on, it sends a privacy signal to all of the websites visited in that browser asking them not to sell or share the user’s personal information and to opt them out of marketing/advertising cookies.

The good news is that Osano has had support for GPC for a while now. You can enable GPC in your CMP configuration settings. Once enabled, Osano will process the signal based on the user’s location. You can find full details in the Osano Global Privacy Control (GPC) documentation.

Customer Action: Enable Osano CMP’s GPC functionality if you aren’t already using it. 

Do not sell or share

One of the CPRA’s biggest updates to California’s previous law (the CCPA) is the shift from “do not sell” to “do not sell or share.” This adds the right for users to not only request their personal information (PI) not be sold for monetary gain, but also for users to opt out of having businesses share or process PI for advertising purposes. Virginia’s law also requires businesses to enable users to opt out of both the sale of their PI and targeted advertising. 

Osano CMP previously let an end user configure consent preferences for “do not sell” and, via a separate setting in the preference drawer, opt out of marketing/advertising cookies. To comply more closely with CPRA’s language, we’ve updated the text and behavior of the CMP preference drawer: selecting the “do not sell or share” toggle now also disables marketing-categorized cookies.

Previous preference setting

New preference setting

Customer Action: You must republish your CMP configuration in order to get the new language. Enterprise customers can also customize the verbiage as needed.

Single, clear setting

In addition to allowing users to opt out of both selling and sharing of PI, CPRA also states that businesses must “provide a clear and conspicuous link” to enact this right. Although the Osano CMP preference drawer allows users to set this preference, it also contains additional preferences. In some cases, users may need to scroll to get to the “Do not sell or share” setting. In order to satisfy this requirement for a single link, we’ve released a new “do not sell” modal.

The new modal can be activated using the Osano JavaScript API. You can now add a “Do not sell or share my personal information” link to the footer of your website that causes the modal to appear when clicked by making a call to the showDoNotSell() method.

The new modal has a single setting. Enabling the toggle has the same effect as enabling the “do not sell or share” setting in the preference drawer.

Customer Action: Add a “Do not sell or share” link to your website’s footer that shows the “do not sell” modal. 

State-level targeting — new banner defaults

One of the most powerful features of Osano CMP is that it automatically shows the correct banner to the visitor based on their location. Starting December 30, Osano will change what banners are shown as the default banner for California, Virginia, and the rest of the United States. 

You can see a full list of banner formats and the current locations in which they are served in the documentation. 

| Location | Current default (CCPA opt-out disabled) | Current default (CCPA opt-out enabled) | New default on Jan 1 (CCPA/CPRA opt-out disabled) | New default on Jan 1 (CCPA/CPRA opt-out enabled) |
|---|---|---|---|---|
| California | Banner 3 | Banner 1 | Banner 3 | Banner 1 |
| Virginia | Banner 3 | Banner 1 | Banner 3 | Banner 3 |
| Rest of US | Banner 3 | Banner 1 | Banner 1 | Banner 1 |

Customer action: If you currently override any banner defaults, you will want to review your overrides before January 1 to ensure you are still compliant when the new laws take effect. If you don’t perform any overrides, then no action is needed on your part. These new banner defaults will automatically go into effect on your site starting January 1. 

State-level targeting — new API 

The Osano JavaScript API has been updated to support state-level targeting. The countryCode property has been deprecated and superseded by the jurisdiction property. The jurisdiction property returns the lowercase country and subdivision codes, according to ISO 3166-1 and ISO 3166-2, of the location to which Osano CMP geolocates a user based on their IP address.

countryCode — For example, returns “us”

jurisdiction — For example, returns “us-tx”

Customer Action: If you are using the JavaScript API, you should update your code to use jurisdiction instead of countryCode.
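The two API changes described above, the showDoNotSell() method and the jurisdiction property, shown together in an added example that is not Osano's own code. It assumes the API object is exposed as window.Osano.cm and that the footer link has the hypothetical id do-not-sell-link; navigator.globalPrivacyControl is the browser property defined by the GPC proposal.

```javascript
// Added example, not Osano's code. `cm` is the Osano CMP JavaScript API object;
// its location (window.Osano.cm) and the link id below are assumptions.

// Split a value such as "us-tx" into ISO 3166-1 country and ISO 3166-2
// subdivision. Falls back to the deprecated countryCode ("us") when the
// jurisdiction property is missing, and rejects anything malformed.
function parseJurisdiction(cm) {
  const raw = String((cm && (cm.jurisdiction || cm.countryCode)) || "")
    .trim()
    .toLowerCase();
  const m = /^([a-z]{2})(?:-([a-z0-9]{1,3}))?$/.exec(raw);
  return m
    ? { country: m[1], subdivision: m[2] || null }
    : { country: null, subdivision: null };
}

// Requirements from the table on this page, keyed by US subdivision code.
const US_STATE_LAWS = new Map([
  ["ca", { law: "CPRA", optOutSignal: true }],   // opt-out preference signal
  ["va", { law: "VCDPA", optOutSignal: false }], // listed as n/a
]);

// Which 2023 state law applies to this visitor, and whether a browser GPC
// signal has to be treated as an opt-out there.
function stateRequirements(cm, gpcEnabled) {
  const { country, subdivision } = parseJurisdiction(cm);
  const rule = country === "us" ? US_STATE_LAWS.get(subdivision) : undefined;
  return {
    country,
    subdivision,
    law: rule ? rule.law : null,
    gpcOptOut: Boolean(rule && rule.optOutSignal && gpcEnabled === true),
  };
}

// Make a footer link open the "do not sell" modal instead of navigating.
function wireDoNotSellLink(doc, cm, linkId = "do-not-sell-link") {
  const link = doc.getElementById(linkId);
  if (!link || !cm || typeof cm.showDoNotSell !== "function") return false;
  link.addEventListener("click", (event) => {
    event.preventDefault();
    cm.showDoNotSell();
  });
  return true;
}

// Browser only: runs once the CMP script has loaded (assumed global name).
if (typeof window !== "undefined" && window.Osano && window.Osano.cm) {
  wireDoNotSellLink(document, window.Osano.cm);
  const gpc = navigator.globalPrivacyControl === true;
  console.log(stateRequirements(window.Osano.cm, gpc));
}
```

Code that still reads countryCode keeps working through the fallback, but it only ever sees the country part, so state-specific branches need the jurisdiction value.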

Summary

The privacy landscape is complex and continues to evolve. Osano will keep track of it for you. With these new and existing features, you can be confident you’ll be ready for CPRA and VCDPA on January 1.

Product(s) Affected

Core Platform, Consent Management

Availability

Business, Business+, Developer, Enterprise


Introducing Osano Privacy Legal Templates

posted on October 24, 2022

Producing high-quality legal documents for your privacy program can be time-consuming, costly, or both. Now, with Osano Privacy Legal Templates you can get started faster by leveraging templates generated by our global team of privacy experts. And, giving your outside counsel a completed document to review, rather than starting from scratch, can save you big on legal fees.

Problems with today’s privacy document options

Whether you are a founder or leader with in-house legal counsel, or an organizational attorney who’s responsible for the full breadth of legal challenges, not just privacy specifically, the options for generating privacy documents like cookie policies, contractual clauses, and service addendums can be less than enticing. 

| Document options | Challenges |
|---|---|
| Do it yourself | Spending the time to research all of the necessary laws and guidelines and then generating something you are confident in is a daunting task. |
| Pay outside counsel | You can ask your outside counsel to generate these documents from scratch, but billing legal hours is the most expensive option. |
| Use general legal document templates | Some websites offer an array of legal templates from power of attorney and name changes to LLC and trademark filing. These sites sometimes have some privacy document templates, but not others. And, as generalists across the entire legal landscape, you can’t be confident that their privacy templates were generated by true privacy experts who are up-to-speed on all of the rapidly changing laws and rulings. |
| AI Policy Generators | Some tools can generate legal templates for you, sometimes using AI. Policy generators often produce inferior end results when compared with fill-in-the-blank document templates. Drafting legal documents requires knowledge of your specific business. AI that tries to give you a document based on its corpus of knowledge is often inaccurate and doesn’t fit with the specific needs of your business. |

Why use Osano Privacy Legal Templates? 

Osano now provides a library of privacy templates, created and maintained by Osano’s global team of privacy experts. The same team that stays up-to-speed on the changing privacy landscape, and uses that knowledge to update Osano’s compliant cookie banners and provide you with in-app regulatory guidance, is now also providing you with legal templates. You can rest assured with a high degree of confidence that you are using document templates generated by privacy experts.

Save the time of searching the internet for inferior options. Osano Templates are available right in the Osano app and are usable in multiple formats including PDF, Word, Google Docs, and more.

Save money on legal fees by sending your completed templates to your outside counsel for legal review rather than asking them to start from scratch. (NOTE: Osano Privacy Templates are not legal advice.) 

What templates are available? 

Currently, Osano features templates for

  • California Do Not Sell/Share Statement
  • California Notice of Financial Incentive
  • CCPA/ CPRA Service Provider Addendum
  • Cookie Policy
  • Data Processing Addendum
  • EU Standard Contractual Clauses 
  • GDPR Statement
  • Privacy Policy

How to use Privacy Templates

  1. Log in to your Osano account on my.osano.com
  2. Select Templates from the sidebar menu
  3. Click on the template to open in a new tab. 
    1. To use as a Google doc File > Make a copy. (You will need a Google account to copy as a Google Doc.) 
    2. To download in additional formats (no Google account needed) select File > Download and choose your format.
  4. Text highlighted in green should be replaced with language specific to your organization. 
  5. Text highlighted in yellow provides tips and guidance. Follow yellow highlighted instructions and remove the text from your final document.


For full details visit the Privacy Templates documentation.

Product(s) Affected

Core Platform

Availability

Business, Business+, Enterprise


Osano can turn off Google Analytics in France and Austria, if you want it to

posted on June 22, 2022


Google Analytics has been in the privacy news recently[1]. In April, the Austrian data protection authority ruled that Google Analytics use was in violation of the EU’s GDPR. Then last week, the CNIL (France’s data privacy regulatory body) issued updated guidance that the use of Google Analytics violates GDPR because it illegally transfers data from the EU to the United States[2][3].

For marketers that rely on Google Analytics for mission-critical information, this news can be disheartening. The balance between creating tailored experiences that are ultimately more enjoyable and respecting user privacy can be precarious, like Erich Brenn spinning plates to balance them atop wavering poles. As both technology and regulations rapidly evolve, Osano seeks to be an enabler to help you respect user privacy, comply with global regulations, and get the most out of your digital assets. 

In light of the latest changes in the privacy landscape, we’re updating Osano to provide you with what we believe are the best options available. Read on to learn about our new Google Analytics toggle and some of the complex nuances behind the simple new addition to Osano Consent Management Platform (CMP).

UPDATE: Italy has also been added to the block list based on recent guidance.

Implications of the CNIL ruling

For organizations that have website visitors in France and Austria, this ruling now requires some difficult choices. On the one hand, continuing to use Google Analytics opens up liability to fines and penalties. On the other hand, there aren’t many options available beyond disabling your use of Google Analytics altogether and completely losing that data for all of your users.


At Osano, we think both of these options are tough pills to swallow, so we’ve built a feature to help our customers navigate these compliance waters. 

Introducing the block list toggle for CMP

Osano CMP works by blocking or allowing tags (cookies, scripts, and iframes) based on their classification along with the consent choices of each web visitor. If a visitor consents to analytic tags but does not consent to marketing, then Osano will allow analytics cookies and block all marketing cookies.

With the latest guidance from CNIL, Osano has now created an override block list that will always block particular tags in particular regions. These same tags follow standard classification and consent rules in other regions. Today, the toggle only blocks Google Analytics in France and Austria. However, the CNIL ruling has implications that are broader than Google Analytics alone. Language in the ruling talks generally about “audience measurement tools.” Other legislative bodies may also create similar restrictions, so it is possible additional tools and regions could be added to the block list in the future.

How we approached this problem 

We continually take the pulse of the legislative privacy landscape and adapt to rapid changes. The Google Analytics scenario in Europe is one we’ve been monitoring from the start. When the original guidance came from Austria, our legal team looked at the situation and arrived at the general recommendation that continuing to use Google Analytics would not violate GDPR for organizations as long as they enabled Google Analytics’s IP anonymization feature. 

The latest guidance from CNIL in France goes a step further to say that it is not possible to configure the Google Analytics tool so as not to transfer personal data outside the European Union.

With this updated information, we began to look for a way to help our users comply with GDPR in France and Austria. Google Analytics doesn’t have a feature that lets you disable data transfers for a subset of users by region, so this leaves most folks in a place where their only course of action is to disable Google Analytics altogether. 

A core feature of Osano CMP is to serve different content to users based on their geolocation so they get an experience tailored to comply with the specific regulations in their region. Because this is already a built-in part of the way Osano CMP works, we were able to create the block list to selectively block Google Analytics only in France and Austria.  

Should you enable the toggle for your account?

ProTip: To qualify for Osano's "No Fines, No Penalties" pledge, you must enable the block list toggle.

Our strong recommendation is for all accounts to enable the block list. However, we understand that this may not be feasible for some customers. We wanted to be sure to describe the tradeoffs so that you can make an informed decision. 

  • Enabled: Google Analytics will be blocked for France and Austria. You will be compliant with GDPR, but you will not receive any tracking information for these regions. 
  • Disabled: Google Analytics will continue to be blocked/unblocked based on your tag categorization and how individual web visitors consent. You will not be compliant with GDPR and run the risk of being penalized. As such, you will not qualify for Osano’s “No Fines, No Penalties” pledge.

Getting started 

Log into your Osano account and navigate to the Consent Management tab to get started with the block list toggle. You’ll see the toggle as an option within each configuration. 

Starting today, all newly generated configurations will have the toggle enabled by default, and it can be manually disabled.

On your existing configurations, the toggle will be disabled. In order to take advantage of the block list (and qualify for the “No Fines, No Penalties” pledge), you’ll need to manually enable it on your existing configurations and republish your configuration for it to take effect. If you have a large number of configurations to manually update, reach out to our support team for assistance.

For more information see the user documentation, or reach out to our support team with any questions by using the in-app chat. 

Sources

Product(s) Affected

Core Platform, Consent Management

Availability

Business, Business+, Enterprise
