Product Updates

Osano CMP support for 2023 US privacy laws

posted on December 15, 2022

There’s a lot of action in the world of privacy with 5 new privacy laws going into effect in the US next year. California, Colorado, Connecticut, Virginia, and Utah all have new legislation set to go live. In particular, California’s CPRA and Virginia’s VCDPA become active on January 1. With all of these changes, many of the folks we’ve been talking to have shared their struggle to keep up with the legislation and what it means for their business. Osano is here to help! 

The new features in the Osano Consent Management Platform (CMP) give you a simple way to comply with even the nuanced and complex parts of the US laws. In this post, we’ll outline some of the changes the new regulations are asking businesses to comply with. We’ll also show which Osano CMP features you can use to stay compliant and do the right thing by respecting your users’ privacy. 

In this post

Which US laws are going into effect in 2023? 

Five new laws are going into effect, each with slightly different variations in their requirements. We’ve previously written some articles that go into depth on what each law requires (so far) linked in the following  table. These US state law articles cover each of the laws broadly and generally. 


Full name

Effective Date


California Privacy Rights Act (Replacing CCPA)

Jan 1, 2023


Virginia Consumer Data Protection Act 

Jan 1, 2023


Connecticut Data Privacy Act

Jul 1, 2023


Colorado Privacy Act 

Jul 1, 2023


Utah Consumer Privacy Act

Dec 31, 2023

You can also check out our six-month, three-month, and one-month countdown articles, which summarize some actions steps you can take to prepare for compliance. 

In this blog, we’ll dig specifically into the CPRA’s and VCDPA’s requirements for consent management that go live on January 1, along with the new and existing Osano CMP features you can use to comply. We’ll also provide the specific “customer actions” you can take to start using these new Osano features. 

What are the new CMP requirements in CPRA and VCDPA? 

In addition to previous requirements (such as notifying users of cookie use and asking for their consent), there are 4 new CMP requirements starting January 1. This table shows a summary of the requirements as well as which Osano CMP features help you comply with them. Read on for the details of each requirement as well as the corresponding Osano CMP features. 


What does it mean? 

California (CPRA)

Virginia (VCDPA)

Osano Feature

Global Privacy Signal (GPC)

Capture an opt-out signal from the user’s browser for this session. 

Opt-out preference signal


Global Privacy Control

(Available today) - Docs

Do not sell or share

Don't sell my personal information (PI) for monetary gain. 

Don't share or process PI for advertising purposes. 

Do not sell or share my PI


"Share" = Opt out of cross-contextual behavioral advertising

Do not sell my PI

Opt out of targeted advertising

Updated drawer text 

(Available today) - Docs

Single, clear setting

One place to set “do not sell” and “do not share” preferences.

One option to satisfy both requirements.


Do Not Sell Modal 

(Available today) - Docs

State-level targeting

Show different content for different states. 

CA laws vs US

VA laws vs US

State-level targeting API 

(Available today) - Docs

Updated banner defaults 

(Planned for Dec 30) - Docs 

Global Privacy Control (GPC)

CPRA is now requiring the ability for users to opt out via a preference signal. While the language is a bit vague, one concrete way to meet this requirement is to capture and process GPC. The GPC setting can be enabled in a user’s browser. Once turned on, it sends a privacy signal to all of the websites visited in that browser asking them not to sell or share the user’s personal information and to opt them out of marketing/advertising cookies.

The good news is that Osano has had support for GPC for a while now. You can enable GPC in your CMP configuration settings. Once enabled, Osano will process the signal based on the user’s location. You can find full details in the Osano Global Privacy Control (GPC) documentation

Customer Action: Enable Osano CMP’s GPC functionality if you aren’t already using it. 

Do not sell or share

One of the CPRA’s biggest updates to California’s previous law (the CCPA) is the shift from “do not sell” to “do not sell or share.” This adds the right for users to not only request their personal information (PI) not be sold for monetary gain, but also for users to opt out of having businesses share or process PI for advertising purposes. Virginia’s law also requires businesses to enable users to opt out of both the sale of their PI and targeted advertising. 

Osano CMP previously supported the ability for an end-user to configure their consent preferences for both “do not sell” as well as the ability to opt out of marketing/advertising cookies via a separate setting in the preference drawer. Now, in order to more closely comply with CPRA’s language, we’ve updated the text and behavior of the CMP preference drawer. Now, selecting the “do not sell or share” toggle will also disable marketing categorized cookies as well. 

Previous preference setting

New preference setting

Customer Action: You must republish your CMP configuration in order to get the new language. Enterprise customers can also customize the verbiage as needed.

Single, clear setting

In addition to allowing users to opt out of both selling and sharing of PI, CPRA also states that businesses must “provide a clear and conspicuous link” to enact this right. Although the Osano CMP preference drawer allows users to set this preference, it also contains additional preferences. In some cases, users may need to scroll to get to the “Do not sell or share” setting. In order to satisfy this requirement for a single link, we’ve released a new “do not sell” modal.

The new modal can be activated using the Osano JavaScript API. You can now add a “Do not sell or share my personal information” link to the footer of your website that causes the modal to appear when clicked by making a call to the showDoNotSell() method.

The new modal has a single setting. Enabling the toggle has the same effect as enabling the “do not sell or share” setting in the preference drawer.

Customer Action: Add a “Do not sell or share” link to your website’s footer that shows the “do not sell” modal. 

State-level targeting — new banner defaults

One of the most powerful features of Osano CMP is that it automatically shows the correct banner to the visitor based on their location. Starting December 30, Osano will change what banners are shown as the default banner for California, Virginia, and the rest of the United States. 

You can see a full list of banner formats and the current locations in which they are served in the documentation. 


Current default

(CCPA opt-out disabled)

Current default  

(CCPA opt-out enabled)

New default on Jan 1

(CCPA/CPRA opt-out disabled)

New default on Jan 1

(CCPA/CPRA opt-out enabled)


Banner 3

Banner 1

Banner 3

Banner 1


Banner 3

Banner 1

Banner 3

Banner 3

Rest of US

Banner 3

Banner 1

Banner 1

Banner 1

Customer action: If you currently override any banner defaults, you will want to review your overrides before January 1 to ensure you are still compliant when the new laws take effect. If you don’t perform any overrides, then no action is needed on your part. These new banner defaults will automatically go into effect on your site starting January 1. 

State-level targeting — new API 

The Osano JavaScript API has been updated to support state-level targeting. The countryCode property has been deprecated and superseded by the jurisdiction property. The jurisdiction property returns the lowercase country and subdivision codes according to ISO 3166-1 and 3166-2 where Osano CMP geolocates a user based upon their IP address. 

countryCode — For example, returns “us” 

jurisdiction — For example, returns “us-tx

Customer Action: If you are using the JavaScript API, you should update your code to use jurisdiction instead of countryCode.


The privacy landscape is complex and continues to evolve. Osano will keep track of it for you. With these new and existing features, you can be confident you’ll be ready for CPRA and VCPDA on January 1.

Product(s) Affected

Core PlatformConsent Management



Data Discovery

posted on September 22, 2021

A significant part of compliance is knowing what data you have and where it lives. Whether you need to perform a DPIA, provide evidence as part of an audit, or enhance security measures for data sources with higher risk, this can be a slow and painful process. Why? Because most companies have hundreds — if not thousands — of SaaS and on-premise systems where personal data is collected, transferred, shared, and stored.

That's why we've released Data Discovery. It uses artificial intelligence to discover and classify personal data, automate privacy rights fulfillment and demonstrate compliance. We launched this tool to save organizations hours of expensive manual labor and pain by automating the process. 

Here's how to get started:

  1. Connect Osano Data Discovery to your cloud-based or on-premise products, platforms and databases with a few clicks. Osano Data Discovery supports both structured and unstructured data. If we don't already support your data provider, open a support ticket, and Osano engineering will create the connector quickly and at no cost. Usually in as little as 72 hours.
  2. Osano's AI, which has been trained on billions of data points, will search for and find data stored across your organization, saving you from the monotony of manual classification.
  3. As Osano's AI discovers new systems, it will automatically classify the data it finds into more than 60 categories of personal, personally identifiable (PII) and sensitive data based on hundreds of data types.
  4. Once your data has been categorized, it is then easily accessible and searchable. 

Why does this matter?

Data Discovery is the foundation of a good privacy program. You can't be a responsible data steward if you don't know your data and where it lives.

Beyond wanting to do the right thing, several privacy and security laws require you to have your data mapped. That includes responding to data subject access requests or doing a privacy impact assessment. You can't do any of that without knowing where your data lives within the organization. Without automated data discovery, companies are often left to use systems like a manually built spreadsheet to track data. That makes you vulnerable to inefficiencies, human error and pain. And even then, oftentimes, data hiding in various systems and databases gets overlooked. Human error is real.

Data Discovery:

  • Automates data identification and classification.
  • Helps you comply with privacy and security obligations. 
  • Makes an inevitable process much less painful

Product(s) Affected

Core Platform



Global Privacy Control

posted on September 16, 2021

California's Attorney General recently confirmed that companies captured under the California Consumer Privacy Act (CCPA) must honor Global Privacy Control (GPC) signals. Osano's Consent Management platform now understands and communicates GPC signals.

A coalition of tech companies, developers and privacy advocates worked together to create the GPC signal. It aims to create a global web browser setting that allows users to control their online privacy. By enabling Global Privacy Control in Osano's Consent Manager, Osano customers' end users can opt-out of the sale of their data across all websites that respect the signal. The GPC signal is either communicated by the browser's default settings (DuckDuckGo and Brave support this) or via an extension installed.

This change is optional, but Osano strongly recommends enabling the GPC toggle. Important: To implement the GPC change, you will need to do a "republish."

Why does this matter?

As one WIRED reporter put it in his story on GPC

"What do you call a privacy law that only works if users individually opt-out of every site or app they want to stop sharing their data? A piece of paper. Or you could call it the California Consumer Privacy Act." 

Here's what he meant: Under California's Consumer Privacy Act, organizations are required to offer users opt-out rights. Typically, users had to opt-out of data processing or the sale of their data at each website they visited. That was until a coalition of more than a dozen organizations began developing the GPC specification. 

GPC aims to make opting out easy. 

DuckDuckGo and Brave already incorporate GPC into their codes at the browser level. But for end-users that use other browsers, many extensions will add the functionality to any given browser. That control is up to the end-user. 

But, as mentioned above, the reason this really matters is, while the CCPA doesn't specifically mention the GPC signal, the California Attorney General gets to issue regulations indicating specific compliance requirements. In July, the office added to its CCPA FAQs that businesses selling personal information must honor GPC signals. 

To be clear: the GPC doesn't prevent data collection. It simply indicates that companies must opt users out of the selling of the data an organization has collected on them. When an end-user toggles the GPC, there's no documentation that they don't want their data sold within Osano's blockchain. That makes it auditable. It's now a permanent, traceable and timestamped record. 

With this change, your organization can:

  • Demonstrate compliance with the California Consumer Privacy Act.
  • Keep the California Attorney General happy.
  • Signal to customers and end-users you care about their privacy rights.

Product(s) Affected

Core Platform



1 2
of 2
The managed data privacy platform

Get started with Osano today

Explore Osano

What's New at Osano

Introducing Osano Privacy Legal Templates

Now, with Osano Privacy Legal Templates you can get started faster by leveraging templates generated by our global team of privacy experts.

Learn more

Introducing DSAR email intake

Capture data subject rights requests with the convenience of email and the efficiency of a dedicated intake form.

Learn more

New reworked DSAR and discovery

We've reworked and redesigned Osano Subject Rights Management and Data Discovery, unifying them into a single, seamless experience and creating automation to save you time.

Learn more

Stay GDPR compliant under new French ruling

Privacy regulators at the CNIL in France recently declared that Google Analytics violates GDPR. Osano’s new block list feature can disable Google Analytics in France to keep you compliant while allowing you to use Google Analytics in regions where it is still legal.


New in May 2022: DSAR conditional fields, 28 new integrations, and more!

Customize DSAR forms with conditional fields, serve consent banners in additional languages, use 28 new integrations for Data Discovery, and more! Check out our latest product announcement blog for demos, links, and more information.


View more product updates

Osano product & engineering teams have been hard at work. View the full list of all product updates.

View Product Updates